Merge pull request #557 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecCAExclusion.ps1

@@ -18,6 +18,7 @@ function Invoke-ExecCAExclusion {
         $EndDate = $Request.Body.EndDate
         $PolicyId = $Request.Body.PolicyId
         $ExclusionType = $Request.Body.ExclusionType
+        $ExcludeLocationAuditAlerts = $Request.Body.excludeLocationAuditAlerts
 
         if ($Users) {
             $UserID = $Users.value
@@ -61,6 +62,12 @@ function Invoke-ExecCAExclusion {
         if ($Request.Body.vacation -eq 'true') {
             $StartDate = $Request.Body.StartDate
             $EndDate = $Request.Body.EndDate
+            # Detect if policy targets specific named locations (GUIDs) and user requested audit log exclusion
+            $GuidRegex = '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
+            $LocationIds = @()
+            if ($Policy.conditions.locations.includeLocations) { $LocationIds += $Policy.conditions.locations.includeLocations }
+            if ($Policy.conditions.locations.excludeLocations) { $LocationIds += $Policy.conditions.locations.excludeLocations }
+            $PolicyHasGuidLocations = $LocationIds | Where-Object { $_ -match $GuidRegex }
 
             $Parameters = [PSCustomObject]@{
                 GroupType = 'Security'
@@ -82,6 +89,18 @@ function Invoke-ExecCAExclusion {
             Write-Information ($TaskBody | ConvertTo-Json -Depth 10)
 
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false
+            # Optional: schedule audit log exclusion add task if requested and policy has location GUIDs
+            if ($ExcludeLocationAuditAlerts -and $PolicyHasGuidLocations) {
+                $AuditUsers = $Users.addedFields.userPrincipalName ?? $Users.value ?? $Users ?? $UserID
+                $AuditAddTask = [pscustomobject]@{
+                    TenantFilter  = $TenantFilter
+                    Name          = "Add Audit Log Location Exclusion: $PolicyName"
+                    Command       = @{ value = 'Set-CIPPAuditLogUserExclusion'; label = 'Set-CIPPAuditLogUserExclusion' }
+                    Parameters    = [pscustomobject]@{ Users = $AuditUsers; Action = 'Add'; Type = 'Location' }
+                    ScheduledTime = $StartDate
+                }
+                Add-CIPPScheduledTask -Task $AuditAddTask -hidden $true
+            }
             #Removal of the exclusion
             $TaskBody.Command = @{
                 label = 'Remove-CIPPGroupMember'
@@ -90,6 +109,17 @@ function Invoke-ExecCAExclusion {
             $TaskBody.Name = "Remove CA Exclusion Vacation Mode: $PolicyName"
             $TaskBody.ScheduledTime = $EndDate
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false
+            if ($ExcludeLocationAuditAlerts -and $PolicyHasGuidLocations) {
+                $AuditUsers = $Users.addedFields.userPrincipalName ?? $Users.value ?? $Users ?? $UserID
+                $AuditRemoveTask = [pscustomobject]@{
+                    TenantFilter  = $TenantFilter
+                    Name          = "Remove Audit Log Location Exclusion: $PolicyName"
+                    Command       = @{ value = 'Set-CIPPAuditLogUserExclusion'; label = 'Set-CIPPAuditLogUserExclusion' }
+                    Parameters    = [pscustomobject]@{ Users = $AuditUsers; Action = 'Remove'; Type = 'Location' }
+                    ScheduledTime = $EndDate
+                }
+                Add-CIPPScheduledTask -Task $AuditRemoveTask -hidden $true
+            }
             $body = @{ Results = "Successfully added vacation mode schedule for $Username." }
         } else {
             $Parameters = @{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ExecUpdateDriftDeviation.ps1

@@ -44,15 +44,15 @@ function Invoke-ExecUpdateDriftDeviation {
                         $StandardTemplate = Get-CIPPTenantAlignment -TenantFilter $TenantFilter | Where-Object -Property standardType -EQ 'drift'
                         if ($Setting -like '*IntuneTemplate*') {
                             $Setting = 'IntuneTemplate'
-                            $TemplateId = $Deviation.standardName.split('.') | Select-Object -Last 1
-                            $StandardTemplate = $StandardTemplate.standardSettings.IntuneTemplate | Where-Object { $_.TemplateList.value -eq $TemplateId }
+                            $TemplateId = $Deviation.standardName.split('.') | Select-Object -Index 2
+                            $StandardTemplate = $StandardTemplate.standardSettings.IntuneTemplate | Where-Object { $_.TemplateList.value -like "*$TemplateId*" }
                             $StandardTemplate | Add-Member -MemberType NoteProperty -Name 'remediate' -Value $true -Force
                             $StandardTemplate | Add-Member -MemberType NoteProperty -Name 'report' -Value $true -Force
                             $Settings = $StandardTemplate
                         } elseif ($Setting -like '*ConditionalAccessTemplate*') {
                             $Setting = 'ConditionalAccessTemplate'
-                            $TemplateId = $Deviation.standardName.split('.') | Select-Object -Last 1
-                            $StandardTemplate = $StandardTemplate.standardSettings.ConditionalAccessTemplate | Where-Object { $_.TemplateList.value -eq $TemplateId }
+                            $TemplateId = $Deviation.standardName.split('.') | Select-Object -Index 2
+                            $StandardTemplate = $StandardTemplate.standardSettings.ConditionalAccessTemplate | Where-Object { $_.TemplateList.value -like "*$TemplateId*" }
                             $StandardTemplate | Add-Member -MemberType NoteProperty -Name 'remediate' -Value $true -Force
                             $StandardTemplate | Add-Member -MemberType NoteProperty -Name 'report' -Value $true -Force
                             $Settings = $StandardTemplate

Modules/CIPPCore/Public/Get-CIPPDrift.ps1

@@ -47,6 +47,19 @@ function Get-CIPPDrift {
         }
     } | Sort-Object -Property displayName
 
+    # Load all CA templates
+    $CAFilter = "PartitionKey eq 'CATemplate'"
+    $RawCATemplates = (Get-CIPPAzDataTableEntity @IntuneTable -Filter $CAFilter)
+    $AllCATemplates = $RawCATemplates | ForEach-Object {
+        try {
+            $data = $_.JSON | ConvertFrom-Json -Depth 100 -ErrorAction SilentlyContinue
+            $data | Add-Member -NotePropertyName 'GUID' -NotePropertyValue $_.RowKey -Force
+            $data
+        } catch {
+            # Skip invalid templates
+        }
+    } | Sort-Object -Property displayName
+
     try {
         $AlignmentData = Get-CIPPTenantAlignment -TenantFilter $TenantFilter -TemplateId $TemplateId | Where-Object -Property standardType -EQ 'drift'
         if (-not $AlignmentData) {
@@ -82,18 +95,35 @@ function Get-CIPPDrift {
                         } else {
                             'New'
                         }
+                        # Reset displayName and description for each deviation to prevent carryover from previous iterations
+                        $displayName = $null
+                        $standardDescription = $null
                         #if the $ComparisonItem.StandardName contains *intuneTemplate*, then it's an Intune policy deviation, and we need to grab the correct displayname from the template table
                         if ($ComparisonItem.StandardName -like '*intuneTemplate*') {
                             $CompareGuid = $ComparisonItem.StandardName.Split('.') | Select-Object -Index 2
                             Write-Host "Extracted GUID: $CompareGuid"
                             $Template = $AllIntuneTemplates | Where-Object { $_.GUID -like "*$CompareGuid*" }
-                            if ($Template) { $displayName = $Template.displayName }
+                            if ($Template) {
+                                $displayName = $Template.displayName
+                                $standardDescription = $Template.description
+                            }
+                        }
+                        # Handle Conditional Access templates
+                        if ($ComparisonItem.StandardName -like '*ConditionalAccessTemplate*') {
+                            $CompareGuid = $ComparisonItem.StandardName.Split('.') | Select-Object -Index 2
+                            Write-Host "Extracted CA GUID: $CompareGuid"
+                            $Template = $AllCATemplates | Where-Object { $_.GUID -like "*$CompareGuid*" }
+                            if ($Template) {
+                                $displayName = $Template.displayName
+                                $standardDescription = $Template.description
+                            }
                         }
                         $reason = if ($ExistingDriftStates.ContainsKey($ComparisonItem.StandardName)) { $ExistingDriftStates[$ComparisonItem.StandardName].Reason }
                         $User = if ($ExistingDriftStates.ContainsKey($ComparisonItem.StandardName)) { $ExistingDriftStates[$ComparisonItem.StandardName].User }
                         $StandardsDeviations.Add([PSCustomObject]@{
                                 standardName        = $ComparisonItem.StandardName
                                 standardDisplayName = $displayName
+                                standardDescription = $standardDescription
                                 expectedValue       = 'Compliant'
                                 receivedValue       = $ComparisonItem.StandardValue
                                 state               = 'current'
@@ -203,14 +233,6 @@ function Get-CIPPDrift {
             # Get actual CA templates from templates table
             if ($CATemplateIds.Count -gt 0) {
                 try {
-                    $CATable = Get-CippTable -tablename 'templates'
-                    $CAFilter = "PartitionKey eq 'CATemplate'"
-                    $AllCATemplates = (Get-CIPPAzDataTableEntity @CATable -Filter $CAFilter) | ForEach-Object {
-                        $data = $_.JSON | ConvertFrom-Json -Depth 100
-                        $data | Add-Member -NotePropertyName 'GUID' -NotePropertyValue $_.GUID -Force
-                        $data
-                    } | Sort-Object -Property displayName
-
                     $TemplateCATemplates = $AllCATemplates | Where-Object { $_.GUID -in $CATemplateIds }
                 } catch {
                     Write-Warning "Failed to get CA templates: $($_.Exception.Message)"

Modules/CIPPCore/Public/Set-CIPPAuditLogUserExclusion.ps1

@@ -0,0 +1,66 @@
+function Set-CIPPAuditLogUserExclusion {
+    <#
+    .SYNOPSIS
+        Sets user exclusions for Audit Log alerting.
+    .DESCRIPTION
+        This function allows you to add or remove user exclusions for Audit Log alerting in a specified tenant
+        by updating the AuditLogUserExclusions CIPP table.
+    .PARAMETER TenantFilter
+        The tenant identifier for which to set the user exclusions.
+    .PARAMETER Users
+        An array of user identifiers (GUIDs or UPNs) to be added or removed from the exclusion list.
+    .PARAMETER Action
+        The action to perform: 'Add' to add users to the exclusion list, 'Remove' to remove users from the exclusion list.
+    .PARAMETER Headers
+        The headers to include in the request, typically containing authentication tokens. This is supplied automatically by the API.
+    #>
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [Parameter(Mandatory = $true)]
+        [string[]]$Users,
+        [ValidateSet('Add', 'Remove')]
+        [string]$Action = 'Add',
+        [ValidateSet('Location')]
+        [string]$Type = 'Location',
+        $Headers
+    )
+
+    $AuditLogExclusionsTable = Get-CIPPTable -tablename 'AuditLogUserExclusions'
+    $ExistingEntries = Get-CIPPAzDataTableEntity @AuditLogExclusionsTable -Filter "PartitionKey eq '$TenantFilter'"
+
+    $Results = foreach ($User in $Users) {
+        if ($Action -eq 'Add') {
+            $ExistingUser = $ExistingEntries | Where-Object { $_.RowKey -eq $User -and $_.PartitionKey -eq $TenantFilter -and $_.Type -eq $Type }
+            if (!$ExistingUser) {
+                $NewEntry = [PSCustomObject]@{
+                    PartitionKey = $TenantFilter
+                    RowKey       = $User
+                    ExcludedOn   = (Get-Date).ToString('o')
+                    Type         = $Type
+                }
+                if ($PSCmdlet.ShouldProcess("Adding exclusion for user: $User")) {
+                    Add-CIPPAzDataTableEntity @AuditLogExclusionsTable -Entity $NewEntry
+                    "Added audit log exclusion for user: $User"
+                    Write-LogMessage -headers $Headers -API 'Set-CIPPAuditLogUserExclusion' -message "Added audit log exclusion for user: $User" -Sev 'Info' -tenant $TenantFilter -LogData $NewEntry
+                }
+            } else {
+                "User $User is already excluded."
+            }
+        } elseif ($Action -eq 'Remove') {
+            if ($ExistingEntries.RowKey -contains $User) {
+                if ($PSCmdlet.ShouldProcess("Removing exclusion for user: $User")) {
+                    $Entity = $ExistingEntries | Where-Object { $_.RowKey -eq $User -and $_.PartitionKey -eq $TenantFilter -and $_.Type -eq $Type }
+                    Remove-AzDataTableEntity @AuditLogExclusionsTable -Entity $Entity
+                    Write-LogMessage -headers $Headers -API 'Set-CIPPAuditLogUserExclusion' -message "Removed audit log exclusion for user: $User" -Sev 'Info' -tenant $TenantFilter -LogData $Entity
+                    "Removed audit log exclusion for user: $User"
+                }
+            } else {
+                "User $User is not in the exclusion list."
+            }
+        }
+    }
+    return @($Results)
+}
+

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1

@@ -76,6 +76,7 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
     if ($Settings.report -eq $true -or $Settings.remediate -eq $true) {
         $Filter = "PartitionKey eq 'CATemplate'"
         $Policies = (Get-CippAzDataTableEntity @Table -Filter $Filter | Where-Object RowKey -In $Settings.TemplateList.value).JSON | ConvertFrom-Json -Depth 10
+        $AllCAPolicies = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies?$top=999' -tenantid $Tenant -asApp $true
         #check if all groups.displayName are in the existingGroups, if not $fieldvalue should contain all missing groups, else it should be true.
         $MissingPolicies = foreach ($Setting in $Settings.TemplateList) {
             $policy = $Policies | Where-Object { $_.displayName -eq $Setting.label }

Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1

@@ -185,6 +185,9 @@ function Test-CIPPAuditLogRules {
             throw $_
         }
 
+        $AuditLogUserExclusions = Get-CIPPTable -TableName 'AuditLogUserExclusions'
+        $ExcludedUsers = Get-CIPPAzDataTableEntity @AuditLogUserExclusions -Filter "PartitionKey eq '$TenantFilter'"
+
         if ($LogCount -gt 0) {
             $LocationTable = Get-CIPPTable -TableName 'knownlocationdbv2'
             $ProcessedData = foreach ($AuditRecord in $SearchResults) {
@@ -341,6 +344,13 @@ function Test-CIPPAuditLogRules {
                         if ($condition.Property.label -eq 'CIPPGeoLocation' -and !$AddedLocationCondition) {
                             $conditionStrings.Add("`$_.HasLocationData -eq `$true")
                             $CIPPClause.Add('HasLocationData is true')
+                            $ExcludedUsers = $ExcludedUsers | Where-Object { $_.Type -eq 'Location' }
+                            # Build single -notin condition against all excluded user keys
+                            $ExcludedUserKeys = @($ExcludedUsers.RowKey)
+                            if ($ExcludedUserKeys.Count -gt 0) {
+                                $conditionStrings.Add("`$(`$_.CIPPUserKey) -notin @('$($ExcludedUserKeys -join "', '")')")
+                                $CIPPClause.Add("CIPPUserKey not in [$($ExcludedUserKeys -join ', ')]")
+                            }
                             $AddedLocationCondition = $true
                         }
                         $value = if ($condition.Input.value -is [array]) {