[pull] master from KelvinTegelaar:master#42
Open
pull[bot] wants to merge 8433 commits intoMikeYEG:masterfrom
Open
[pull] master from KelvinTegelaar:master#42pull[bot] wants to merge 8433 commits intoMikeYEG:masterfrom
pull[bot] wants to merge 8433 commits intoMikeYEG:masterfrom
Conversation
Replace per-user Graph queries with Graph Bulk requests when listing JIT admin states and role memberships. Both entrypoints now build a bulk GET for users (with $count, $select, $filter and $top=999), parse the bulk response to get users, then construct and submit bulk membership requests. Added explicit initialization/clearing of the BulkRequests list and a guard to ensure non-empty requests before sending. Updated metadata to indicate Method='BulkRequest'. This reduces the number of individual Graph calls and improves performance and reliability when enumerating users and their directory roles.
Build a BaseSelect property list of user fields (identity, contact, org, licenses, on-prem sync, etc.) and detect if the tenant supports signInActivity via Test-CIPPStandardLicense. If signInActivity is available, include signInActivity in the $select and use $top=500; otherwise use the full BaseSelect and $top=999. Update the Graph request to use the dynamic $select and $top parameters and include $count, streaming results into Add-CIPPDbItem. This ensures required fields for tests, UI and integrations are cached while handling the signInActivity limitation.
Remove the $select projection from the Graph managedDevices request so the full device objects are cached. In the NinjaOne tenant sync, avoid re-evaluating the device pipeline by introducing $DevicesToProcess, normalize serial numbers (strip spaces) for more reliable serial matching, fall back to deviceName for name matching, and wrap the PATCH update in a try/catch that logs error details. Also remove/comment noisy Write-Information lines and the debug Ninja body log to reduce log spam.
Introduce orchestration-driven offboarding and improve scheduled task handling. Added Push-CIPPOffboardingTask and Push-CIPPOffboardingComplete entrypoints and refactored Invoke-CIPPOffboardingJob to build a task batch and start a durable orchestration. Updated Push-ExecScheduledCommand to recognize orchestrator-based commands (skip post-exec alerts/state updates and attach TaskInfo for offboarding). Enhanced Clear-CIPPImmutableId to schedule immutable ID clears when users are synced from on-premises and to log/restore as needed. Added Send-CIPPScheduledTaskAlert utility and wired it into task flows. Made Set-CIPPMailboxAccess and Set-CIPPSharePointPerms handle arrays and return per-user results; ensure scheduled tasks avoid duplicate names in Remove-CIPPLicense. Minor fix in CippEntrypoints to capture invoked function output.
Filter selected tenants using Test-CIPPAccess and restrict processing to allowed tenants; add AnyTenant to functionality tags. This change updates Invoke-AddChocoApp, Invoke-AddMSPApp, Invoke-AddOfficeApp and Invoke-AddStoreApp to call Test-CIPPAccess -TenantList, compute $AllowedTenants, and only iterate over tenants present in that list (or 'AllTenants'). Minor doc updates mark these entrypoints as AnyTenant and ensure AllTenants handling remains supported.
Add a servicePrincipalLockConfiguration entry to Modules/CIPPCore/lib/data/SAMManifest.json with isEnabled: true and allProperties: true. This updates the SAM manifest to include service principal lock settings so the service principal's properties are locked according to the manifest configuration.
Security group creation change (allow blank username), allow deploying groups to auth policies
feat: Enhance SendFromAlias standard to allow disabling
Update Start-UpdateTokensTimer.ps1 to include servicePrincipalLockConfiguration in the Graph GET response, rename variables for clarity. Check servicePrincipalLockConfiguration; if it's not enabled, enable it via a PATCH request and write an informational log entry.
Introduce Update-AppManagementPolicy.ps1 which queries tenant default and app management policies via bulk Graph requests, detects credential creation restrictions, and creates/updates/assigns a "CIPP-SAM Exemption Policy" to allow the CIPP-SAM app to manage credentials. The function returns a PSCustomObject with policy state and a PolicyAction message and handles errors gracefully. Also update Invoke-ExecCreateSAMApp.ps1 and Start-UpdateTokensTimer.ps1 to call Update-AppManagementPolicy and log the resulting PolicyAction before proceeding with password/key operations.
Wrap calls to Update-AppManagementPolicy in try/catch in two entrypoints to avoid unhandled exceptions and improve diagnostics. Files changed: Invoke-ExecCreateSAMApp.ps1 and Start-UpdateTokensTimer.ps1. On success the original PolicyAction is still written; on failure a warning with the exception message is logged and the invocation position info is emitted to aid troubleshooting.
Call Update-AppManagementPolicy after creating apps/SPs and make the policy helper tenant- and app-aware. - New-CIPPAPIConfig.ps1 & Invoke-ExecSendPush.ps1: add try/catch calls to Update-AppManagementPolicy immediately after creating the application/service principal and log the result or failure. - Update-AppManagementPolicy.ps1: add parameters (TenantFilter, ApplicationId) instead of relying on environment variables; pass tenantid into Graph requests; check the provided ApplicationId when evaluating policy targets; rename exemption policy displayName/description from "CIPP-SAM Exemption Policy" to "CIPP Exemption Policy" and adjust related logic; ensure updates/assignments use the tenant scope. These changes ensure newly created apps get an exemption when tenant defaults block credential creation and allow the helper to operate across explicit tenants and application IDs.
Wraps the Autopilot profile assignment in a try/catch to handle errors, moves the success info log into the try block, and logs failures with Get-CippException details. Also tightens message interpolation for AssignTo and TenantFilter to produce clearer logs and a consistent success string.
When multiple policies share the same displayName, choose the most recently modified one. Added Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1 to displayName/Name lookups across Get-CIPPIntunePolicy.ps1 (including Android/iOS bulk results and various template branches) so the function returns the latest matching policy instead of an arbitrary/older one or duplicates.
Only assign $Settings.days to the LitigationHoldDuration parameter if it is a positive integer or the string 'Unlimited'. Adds a TryParse check and conditional logic to avoid passing invalid/non-numeric values to the cmdlet, preventing erroneous requests.
Move PIM-related cache entries into the Azure AD Premium P2 cache list and update the section heading. Removed RoleEligibilitySchedules, RoleManagementPolicies and RoleAssignmentScheduleInstances from the earlier list and added RoleEligibilitySchedules, RoleAssignmentSchedules and RoleManagementPolicies to the P2 cache functions. Also updated the region comment to "Identity Protection/PIM features" to reflect the grouping.
…-report Feature/mailbox forwarding report
also add env var backup table
Dev to hotfix
…state Two bugs caused scheduled offboarding tasks to silently disappear: 1. In Push-ExecScheduledCommand, if Invoke-CIPPOffboardingJob threw an exception the inner catch set $State='Failed', but the outer state update unconditionally set TaskState='Processing' for all orchestrator- based commands, ignoring the failure. The task was then stuck in 'Processing' showing "Orchestration in progress" with no way to recover. Fixed by checking $State before deciding between 'Processing' and 'Failed'. 2. In Start-UserTasksOrchestrator the recovery filter included stuck 'Pending' (>24h) and 'Running' (>4h) tasks but omitted 'Processing'. Any task stuck in 'Processing' (from bug #1 or from an orchestration where the post-execution handler itself failed) would never be retried. Fixed by adding 'Processing' to the recovery filter with the same 4-hour timeout used for 'Running'. https://claude.ai/code/session_019TANRi9wms5e5W1nJgZWQm
… binding Start-CIPPOrchestrator was called without -CallerIsQueueTrigger from inside CIPPActivityFunction, causing it to fall through to Add-CippQueueMessage which uses Push-OutputBinding with a QueueItem binding that doesn't exist in activity function context. The queue message silently failed, leaving the GUID orphaned in table storage with the actual offboarding orchestration never starting. Passing -CallerIsQueueTrigger routes directly to Start-NewOrchestration which is available in the activity function context, allowing all 12 offboarding tasks to actually execute. https://claude.ai/code/session_019TANRi9wms5e5W1nJgZWQm
fix: Exclude 'On-Premises Directory Synchronization Service Account' from MFA reports
Fix: Update litigation hold standard to use more service plans
…-activity Bug/scheduled offboarding activity
…oken for CippLogs table
Dev to hotfix
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )