Merge pull request #608 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 1798eebca612 · 2025-12-13T00:41:21.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Authentication/Get-CippApiAuth.ps1 b/Modules/CIPPCore/Public/Authentication/Get-CippApiAuth.ps1
@@ -4,25 +4,31 @@ function Get-CippApiAuth {
         [string]$FunctionAppName
     )
 
-    if ($env:MSI_SECRET) {
-        Disable-AzContextAutosave -Scope Process | Out-Null
-        $null = Connect-AzAccount -Identity
-        $SubscriptionId = $env:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
-        $Context = Set-AzContext -SubscriptionId $SubscriptionId
-    } else {
-        $Context = Get-AzContext
-        $SubscriptionId = $Context.Subscription.Id
+    if ($env:WEBSITE_AUTH_V2_CONFIG_JSON) {
+        $AuthSettings = $env:WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
     }
 
-    # Get auth settings
-    $AuthSettings = Invoke-AzRestMethod -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01" -ErrorAction Stop | Select-Object -ExpandProperty Content | ConvertFrom-Json
+    if (-not $AuthSettings) {
+        if ($env:MSI_SECRET) {
+            Disable-AzContextAutosave -Scope Process | Out-Null
+            $null = Connect-AzAccount -Identity
+            $SubscriptionId = $env:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
+            $Context = Set-AzContext -SubscriptionId $SubscriptionId
+        } else {
+            $Context = Get-AzContext
+            $SubscriptionId = $Context.Subscription.Id
+        }
+
+        # Get auth settings
+        $AuthSettings = (Invoke-AzRestMethod -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01" -ErrorAction Stop | Select-Object -ExpandProperty Content | ConvertFrom-Json).properties
+    }
 
-    if ($AuthSettings.properties) {
+    if ($AuthSettings) {
         [PSCustomObject]@{
             ApiUrl    = "https://$($env:WEBSITE_HOSTNAME)"
-            TenantID  = $AuthSettings.properties.identityProviders.azureActiveDirectory.registration.openIdIssuer -replace 'https://sts.windows.net/', '' -replace '/v2.0', ''
-            ClientIDs = $AuthSettings.properties.identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications
-            Enabled   = $AuthSettings.properties.identityProviders.azureActiveDirectory.enabled
+            TenantID  = $AuthSettings.identityProviders.azureActiveDirectory.registration.openIdIssuer -replace 'https://sts.windows.net/', '' -replace '/v2.0', ''
+            ClientIDs = $AuthSettings.identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications
+            Enabled   = $AuthSettings.identityProviders.azureActiveDirectory.enabled
         }
     } else {
         throw 'No auth settings found'
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-CIPPStandardsRun.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-CIPPStandardsRun.ps1
@@ -49,8 +49,9 @@ function Invoke-CIPPStandardsRun {
         Write-Information 'Classic Standards Run'
 
         $GetStandardParams = @{
-            TenantFilter = $TenantFilter
-            runManually  = $runManually
+            TenantFilter  = $TenantFilter
+            runManually   = $runManually
+            LicenseChecks = $true
         }
 
         if ($TemplateID) {
diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogProcessingOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogProcessingOrchestrator.ps1
@@ -28,9 +28,9 @@ function Start-AuditLogProcessingOrchestrator {
             $ProcessBatch = foreach ($TenantGroup in $TenantGroups) {
                 $TenantFilter = $TenantGroup.Name
                 $RowIds = @($TenantGroup.Group.RowKey)
-                for ($i = 0; $i -lt $RowIds.Count; $i += 1000) {
-                    Write-Host "Processing $TenantFilter with $($RowIds.Count) row IDs. We're processing id $($RowIds[$i]) to $($RowIds[[Math]::Min($i + 999, $RowIds.Count - 1)])"
-                    $BatchRowIds = $RowIds[$i..([Math]::Min($i + 999, $RowIds.Count - 1))]
+                for ($i = 0; $i -lt $RowIds.Count; $i += 500) {
+                    Write-Host "Processing $TenantFilter with $($RowIds.Count) row IDs. We're processing id $($RowIds[$i]) to $($RowIds[[Math]::Min($i + 499, $RowIds.Count - 1)])"
+                    $BatchRowIds = $RowIds[$i..([Math]::Min($i + 499, $RowIds.Count - 1))]
                     [PSCustomObject]@{
                         TenantFilter = $TenantFilter
                         RowIds       = $BatchRowIds
diff --git a/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1 b/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1
@@ -415,11 +415,107 @@ function Get-CIPPStandards {
                     }
                     Write-Host "We're removing Intune templates as the correct license is not present for this standard. We do this to not run unneeded cycles. If you're reading this don't touch."
                     foreach ($Key in $IntuneKeys) { [void]$ComputedStandards.Remove($Key) }
-                    #After the license check we're now going to do a compare for the remaining standards.
-                    #This compare works by bulk requesting the top=1 entries for intune policies inside of the tenant.
-                    #if the 'lastModified' timestamp is the same we skip processing this standard too, there's no need because the tenant hasn't changed anything.
-                    #However, we also check the timestamp of our standardTemplate, if that is newer than the cached lastModified timestamp we also process the standard again, because the template has changed.
-                    #If our cache for this tenant is blank, we also process the standard.
+                } else {
+                    # Bulk check policy timestamps per type
+                    $TypeMap = @{ Device = 'deviceManagement/deviceConfigurations'; Catalog = 'deviceManagement/configurationPolicies'; Admin = 'deviceManagement/groupPolicyConfigurations'; deviceCompliancePolicies = 'deviceManagement/deviceCompliancePolicies'; AppProtection_Android = 'deviceAppManagement/androidManagedAppProtections'; AppProtection_iOS = 'deviceAppManagement/iosManagedAppProtections' }
+                    $BulkRequests = $TypeMap.GetEnumerator() | ForEach-Object {
+                        @{ id = $_.Key; url = "$($_.Value)?`$orderby=lastModifiedDateTime desc&`$select=id,lastModifiedDateTime&`$top=999"; method = 'GET' }
+                    }
+                    try {
+                        $TrackingTable = Get-CippTable -tablename 'IntunePolicyTypeTracking'
+                        $BulkResults = New-GraphBulkRequest -Requests $BulkRequests -tenantid $TenantName -NoPaginateIds @($BulkRequests.id)
+                        $PolicyTimestamps = @{}
+
+                        foreach ($Result in $BulkResults) {
+                            $GraphTime = $Result.body.value[0].lastModifiedDateTime
+                            $GraphId = $Result.body.value[0].id
+                            $GraphCount = ($Result.body.value | Measure-Object).Count
+                            $Cached = Get-CIPPAzDataTableEntity @TrackingTable -Filter "PartitionKey eq '$TenantName' and RowKey eq '$($Result.id)'"
+
+                            # Check if count changed (indicates addition/deletion)
+                            $CountChanged = $false
+                            if ($Cached -and $Cached.PolicyCount -ne $null) {
+                                $CountChanged = ($GraphCount -ne $Cached.PolicyCount)
+                                if ($CountChanged) {
+                                    Write-Host "Policy count changed for $($Result.id): $($Cached.PolicyCount) -> $GraphCount"
+                                }
+                            }
+
+                            # Check if ID changed (different policy is now most recent)
+                            $IdChanged = $false
+                            if ($GraphId -and $Cached -and $Cached.LatestPolicyId) {
+                                $IdChanged = ($GraphId -ne $Cached.LatestPolicyId)
+                                if ($IdChanged) {
+                                    Write-Host "Policy ID changed for $($Result.id): $($Cached.LatestPolicyId) -> $GraphId"
+                                }
+                            }
+
+                            # Convert both to UTC DateTime for consistent comparison
+                            if ($GraphTime) {
+                                $GraphTimeUtc = ([DateTime]$GraphTime).ToUniversalTime()
+                                if ($Cached -and $Cached.LatestPolicyModified -and -not $IdChanged -and -not $CountChanged) {
+                                    $CachedTimeUtc = ([DateTimeOffset]$Cached.LatestPolicyModified).UtcDateTime
+                                    $TimeDiff = [Math]::Abs(($GraphTimeUtc - $CachedTimeUtc).TotalSeconds)
+                                    $Changed = ($TimeDiff -gt 60)  # Changed if difference > 1 minute
+                                } else {
+                                    $Changed = $true  # No cache, ID changed, count changed, or treat as changed
+                                }
+                                Add-CIPPAzDataTableEntity @TrackingTable -Entity @{ PartitionKey = $TenantName; RowKey = $Result.id; LatestPolicyModified = $GraphTime; LatestPolicyId = $GraphId; PolicyCount = $GraphCount } -Force | Out-Null
+                            } else {
+                                $Changed = $true  # No Graph data means policies deleted or not yet created - always treat as changed
+                            }
+
+                            $PolicyTimestamps[$Result.id] = $Changed
+                        }
+                        # Remove templates whose specific policy type hasn't changed
+                        $TemplateTable = Get-CippTable -tablename 'templates'
+                        $StandardTemplateTable = Get-CippTable -tablename 'templates'
+                        $IntuneKeys = @($ComputedStandards.Keys | Where-Object { $_ -like '*IntuneTemplate*' })
+                        foreach ($Key in $IntuneKeys) {
+                            $Template = $ComputedStandards[$Key]
+                            $TemplateEntity = Get-CIPPAzDataTableEntity @TemplateTable -Filter "PartitionKey eq 'IntuneTemplate' and RowKey eq '$($Template.TemplateList.value)'"
+
+                            if (-not $TemplateEntity) { continue }
+
+                            # Parse JSON to get Type property
+                            $ParsedTemplate = $TemplateEntity.JSON | ConvertFrom-Json
+                            if (-not $ParsedTemplate.Type) { continue }
+
+                            $PolicyType = $ParsedTemplate.Type
+                            $PolicyChanged = if ($PolicyType -eq 'AppProtection') {
+                                [bool]($PolicyTimestamps['AppProtection_Android'] -or $PolicyTimestamps['AppProtection_iOS'])
+                            } else {
+                                [bool]$PolicyTimestamps[$PolicyType]
+                            }
+
+                            # Check if StandardTemplate changed
+                            $StandardTemplate = Get-CIPPAzDataTableEntity @StandardTemplateTable -Filter "PartitionKey eq 'StandardsTemplateV2' and RowKey eq '$($Template.TemplateId)'"
+                            $StandardTemplateChanged = $false
+                            if ($StandardTemplate) {
+                                $StandardTimeUtc = ([DateTimeOffset]$StandardTemplate.Timestamp).UtcDateTime
+                                $CachedStandardTemplate = Get-CIPPAzDataTableEntity @TrackingTable -Filter "PartitionKey eq '$TenantName' and RowKey eq 'StandardTemplate_$($Template.TemplateId)'"
+
+                                if ($CachedStandardTemplate -and $CachedStandardTemplate.CachedTimestamp) {
+                                    $CachedStandardTimeUtc = ([DateTimeOffset]$CachedStandardTemplate.CachedTimestamp).UtcDateTime
+                                    $TimeDiff = [Math]::Abs(($StandardTimeUtc - $CachedStandardTimeUtc).TotalSeconds)
+                                    $StandardTemplateChanged = ($TimeDiff -gt 60)  # Changed if difference > 1 minute
+                                } else {
+                                    $StandardTemplateChanged = $true  # No cache, treat as changed
+                                }
+
+                                Add-CIPPAzDataTableEntity @TrackingTable -Entity @{ PartitionKey = $TenantName; RowKey = "StandardTemplate_$($Template.TemplateId)"; CachedTimestamp = $StandardTemplate.Timestamp } -Force | Out-Null
+                            }
+
+                            # Remove if BOTH policy unchanged AND StandardTemplate unchanged
+                            if (-not $PolicyChanged -and -not $StandardTemplateChanged) {
+                                [void]$ComputedStandards.Remove($Key)
+                            } else {
+
+                            }
+                        }
+                    } catch {
+                        Write-Host "Timestamp check failed for $TenantName`: $($_.Exception.Message)"
+                    }
                 }
             }
 
@@ -442,4 +538,3 @@ function Get-CIPPStandards {
         }
     }
 }
-
diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
@@ -148,39 +148,76 @@ function Test-CIPPAuditLogRules {
             }
         }
 
-        # Collect bulk data for users/groups/devices/applications
-        $Requests = @(
-            @{
-                id     = 'users'
-                url    = '/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=999'
-                method = 'GET'
-            }
-            @{
-                id     = 'groups'
-                url    = '/groups?$select=id,displayName,mailEnabled,securityEnabled&$top=999'
-                method = 'GET'
-            }
-            @{
-                id     = 'devices'
-                url    = '/devices?$select=id,displayName,deviceId&$top=999'
-                method = 'GET'
-            }
-            @{
-                id     = 'servicePrincipals'
-                url    = '/servicePrincipals?$select=id,displayName&$top=999'
-                method = 'GET'
-            }
-        )
-        $Response = New-GraphBulkRequest -TenantId $TenantFilter -Requests $Requests
+        $Table = Get-CIPPTable -tablename 'cacheauditloglookups'
+        $1dayago = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $Lookups = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq '$TenantFilter' and Timestamp gt datetime'$1dayago'"
+        if (!$Lookups) {
+            # Collect bulk data for users/groups/devices/applications
+            $Requests = @(
+                @{
+                    id     = 'users'
+                    url    = '/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=999'
+                    method = 'GET'
+                }
+                @{
+                    id     = 'groups'
+                    url    = '/groups?$select=id,displayName,mailEnabled,securityEnabled&$top=999'
+                    method = 'GET'
+                }
+                @{
+                    id     = 'devices'
+                    url    = '/devices?$select=id,displayName,deviceId&$top=999'
+                    method = 'GET'
+                }
+                @{
+                    id     = 'servicePrincipals'
+                    url    = '/servicePrincipals?$select=id,displayName&$top=999'
+                    method = 'GET'
+                }
+            )
+            $Response = New-GraphBulkRequest -TenantId $TenantFilter -Requests $Requests
+            $Users = ($Response | Where-Object { $_.id -eq 'users' }).body.value
+            $Groups = ($Response | Where-Object { $_.id -eq 'groups' }).body.value ?? @()
+            $Devices = ($Response | Where-Object { $_.id -eq 'devices' }).body.value ?? @()
+            $ServicePrincipals = ($Response | Where-Object { $_.id -eq 'servicePrincipals' }).body.value
+            # Cache the lookups for 1 day
+            $Entities = @(
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'users'
+                    Data         = [string]($Users | ConvertTo-Json -Compress)
+                }
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'groups'
+                    Data         = [string]($Groups | ConvertTo-Json -Compress)
+                }
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'devices'
+                    Data         = [string]($Devices | ConvertTo-Json -Compress)
+                }
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'servicePrincipals'
+                    Data         = [string]($ServicePrincipals | ConvertTo-Json -Compress)
+                }
+            )
+            # Save the cached lookups
+            Add-CIPPAzDataTableEntity @Table -Entity $Entities -Force
+            Write-Information "Cached directory lookups for tenant $TenantFilter"
+        } else {
+            # Use cached lookups
+            $Users = ($Lookups | Where-Object { $_.RowKey -eq 'users' }).Data | ConvertFrom-Json
+            $Groups = ($Lookups | Where-Object { $_.RowKey -eq 'groups' }).Data | ConvertFrom-Json
+            $Devices = ($Lookups | Where-Object { $_.RowKey -eq 'devices' }).Data | ConvertFrom-Json
+            $ServicePrincipals = ($Lookups | Where-Object { $_.RowKey -eq 'servicePrincipals' }).Data | ConvertFrom-Json
+            Write-Information "Using cached directory lookups for tenant $TenantFilter"
+        }
 
         # partner users
         $PartnerUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,displayName,userPrincipalName,accountEnabled&`$top=999" -AsApp $true -NoAuthCheck $true
 
-        $Users = ($Response | Where-Object { $_.id -eq 'users' }).body.value
-        $Groups = ($Response | Where-Object { $_.id -eq 'groups' }).body.value ?? @()
-        $Devices = ($Response | Where-Object { $_.id -eq 'devices' }).body.value ?? @()
-        $ServicePrincipals = ($Response | Where-Object { $_.id -eq 'servicePrincipals' }).body.value
-
         Write-Warning '## Audit Log Configuration ##'
         Write-Information ($Configuration | ConvertTo-Json -Depth 10)
 
diff --git a/Modules/CippEntrypoints/CippEntrypoints.psm1 b/Modules/CippEntrypoints/CippEntrypoints.psm1
@@ -228,7 +228,7 @@ function Receive-CippOrchestrationTrigger {
                 if (($Output | Measure-Object).Count -gt 0) {
                     Write-Information "Waiting for ($($Output.Count)) activity functions to complete..."
                     foreach ($Task in $Output) {
-                        Write-Information ($Task | ConvertTo-Json -Depth 10 -Compress)
+                        #Write-Information ($Task | ConvertTo-Json -Depth 10 -Compress)
                         try {
                             $Results = Wait-ActivityFunction -Task $Task
                         } catch {}
