Add per-request user roles cache and improve timing logic

Introduces an AsyncLocal-based per-request cache for user roles in Test-CIPPAccessUserRole and initializes it in New-CippCoreRequest to reduce redundant lookups. Also refines stopwatch timing logic in profile.ps1 to ensure accurate measurement and avoid errors when Application Insights is not configured.

Author: JohnDuprey

Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1

@@ -21,59 +21,75 @@ function Test-CIPPAccessUserRole {
     )
     $Roles = @()
 
-    try {
-        $Table = Get-CippTable -TableName cacheAccessUserRoles
-        $Filter = "PartitionKey eq 'AccessUser' and RowKey eq '$($User.userDetails)' and Timestamp ge datetime'$((Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))'"
-        $UserRole = Get-CIPPAzDataTableEntity @Table -Filter $Filter
-    } catch {
-        Write-Information "Could not access cached user roles table. $($_.Exception.Message)"
-        $UserRole = $null
-    }
-    if ($UserRole) {
-        Write-Information "Found cached user role for $($User.userDetails)"
-        $Roles = $UserRole.Role | ConvertFrom-Json
+    # Check AsyncLocal cache first (per-request cache)
+    if ($script:CippUserRolesStorage -and $script:CippUserRolesStorage.Value -and $script:CippUserRolesStorage.Value.ContainsKey($User.userDetails)) {
+        $Roles = $script:CippUserRolesStorage.Value[$User.userDetails]
     } else {
+        # Check table storage cache (persistent cache)
         try {
-            $uri = "https://graph.microsoft.com/beta/users/$($User.userDetails)/transitiveMemberOf"
-            $Memberships = New-GraphGetRequest -uri $uri -NoAuthCheck $true -AsApp $true | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
-            if ($Memberships) {
-                Write-Information "Found group memberships for $($User.userDetails)"
-            } else {
-                Write-Information "No group memberships found for $($User.userDetails)"
-            }
+            $Table = Get-CippTable -TableName cacheAccessUserRoles
+            $Filter = "PartitionKey eq 'AccessUser' and RowKey eq '$($User.userDetails)' and Timestamp ge datetime'$((Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))'"
+            $UserRole = Get-CIPPAzDataTableEntity @Table -Filter $Filter
         } catch {
-            Write-Information "Could not get user roles for $($User.userDetails). $($_.Exception.Message)"
-            return $User
+            Write-Information "Could not access cached user roles table. $($_.Exception.Message)"
+            $UserRole = $null
         }
+        if ($UserRole) {
+            Write-Information "Found cached user role for $($User.userDetails)"
+            $Roles = $UserRole.Role | ConvertFrom-Json
+
+            # Store in AsyncLocal cache for this request
+            if ($script:CippUserRolesStorage -and $script:CippUserRolesStorage.Value) {
+                $script:CippUserRolesStorage.Value[$User.userDetails] = $Roles
+            }
+        } else {
+            try {
+                $uri = "https://graph.microsoft.com/beta/users/$($User.userDetails)/transitiveMemberOf"
+                $Memberships = New-GraphGetRequest -uri $uri -NoAuthCheck $true -AsApp $true | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
+                if ($Memberships) {
+                    Write-Information "Found group memberships for $($User.userDetails)"
+                } else {
+                    Write-Information "No group memberships found for $($User.userDetails)"
+                }
+            } catch {
+                Write-Information "Could not get user roles for $($User.userDetails). $($_.Exception.Message)"
+                return $User
+            }
 
-        $AccessGroupsTable = Get-CippTable -TableName AccessRoleGroups
-        $AccessGroups = Get-CIPPAzDataTableEntity @AccessGroupsTable -Filter "PartitionKey eq 'AccessRoleGroups'"
-        $CustomRolesTable = Get-CippTable -TableName CustomRoles
-        $CustomRoles = Get-CIPPAzDataTableEntity @CustomRolesTable -Filter "PartitionKey eq 'CustomRoles'"
-        $BaseRoles = @('superadmin', 'admin', 'editor', 'readonly')
+            $AccessGroupsTable = Get-CippTable -TableName AccessRoleGroups
+            $AccessGroups = Get-CIPPAzDataTableEntity @AccessGroupsTable -Filter "PartitionKey eq 'AccessRoleGroups'"
+            $CustomRolesTable = Get-CippTable -TableName CustomRoles
+            $CustomRoles = Get-CIPPAzDataTableEntity @CustomRolesTable -Filter "PartitionKey eq 'CustomRoles'"
+            $BaseRoles = @('superadmin', 'admin', 'editor', 'readonly')
 
-        $Roles = foreach ($AccessGroup in $AccessGroups) {
-            if ($Memberships.id -contains $AccessGroup.GroupId -and ($CustomRoles.RowKey -contains $AccessGroup.RowKey -or $BaseRoles -contains $AccessGroup.RowKey)) {
-                $AccessGroup.RowKey
+            $Roles = foreach ($AccessGroup in $AccessGroups) {
+                if ($Memberships.id -contains $AccessGroup.GroupId -and ($CustomRoles.RowKey -contains $AccessGroup.RowKey -or $BaseRoles -contains $AccessGroup.RowKey)) {
+                    $AccessGroup.RowKey
+                }
             }
-        }
 
-        $Roles = @($Roles) + @($User.userRoles)
+            $Roles = @($Roles) + @($User.userRoles)
 
-        if ($Roles) {
-            Write-Information "Roles determined for $($User.userDetails): $($Roles -join ', ')"
-        }
+            if ($Roles) {
+                Write-Information "Roles determined for $($User.userDetails): $($Roles -join ', ')"
+            }
 
-        if (($Roles | Measure-Object).Count -gt 2) {
-            try {
-                $UserRole = [PSCustomObject]@{
-                    PartitionKey = 'AccessUser'
-                    RowKey       = [string]$User.userDetails
-                    Role         = [string](ConvertTo-Json -Compress -InputObject $Roles)
+            if (($Roles | Measure-Object).Count -gt 2) {
+                try {
+                    $UserRole = [PSCustomObject]@{
+                        PartitionKey = 'AccessUser'
+                        RowKey       = [string]$User.userDetails
+                        Role         = [string](ConvertTo-Json -Compress -InputObject $Roles)
+                    }
+                    Add-CIPPAzDataTableEntity @Table -Entity $UserRole -Force
+                } catch {
+                    Write-Information "Could not cache user roles for $($User.userDetails). $($_.Exception.Message)"
                 }
-                Add-CIPPAzDataTableEntity @Table -Entity $UserRole -Force
-            } catch {
-                Write-Information "Could not cache user roles for $($User.userDetails). $($_.Exception.Message)"
+            }
+
+            # Store in AsyncLocal cache for this request
+            if ($script:CippUserRolesStorage -and $script:CippUserRolesStorage.Value) {
+                $script:CippUserRolesStorage.Value[$User.userDetails] = $Roles
             }
         }
     }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/New-CippCoreRequest.ps1

@@ -22,6 +22,14 @@ function New-CippCoreRequest {
     if (-not $script:CippAllowedGroupsStorage) {
         $script:CippAllowedGroupsStorage = [System.Threading.AsyncLocal[object]]::new()
     }
+    if (-not $script:CippUserRolesStorage) {
+        $script:CippUserRolesStorage = [System.Threading.AsyncLocal[hashtable]]::new()
+    }
+    
+    # Initialize user roles cache for this request
+    if (-not $script:CippUserRolesStorage.Value) {
+        $script:CippUserRolesStorage.Value = @{}
+    }
 
     # Set InvocationId in AsyncLocal storage for console logging correlation
     if ($global:TelemetryClient -and $TriggerMetadata.InvocationId) {

profile.ps1

@@ -17,12 +17,9 @@ if ($hasAppInsights) {
     } catch {
         Write-Warning "Failed to load Application Insights SDK: $($_.Exception.Message)"
     }
+    $SwAppInsights.Stop()
+    $Timings['AppInsightsSDK'] = $SwAppInsights.Elapsed.TotalMilliseconds
 }
-if (!$hasAppInsights) {
-    Write-Information 'Application Insights not configured; skipping SDK load'
-}
-$SwAppInsights.Stop()
-$Timings['AppInsightsSDK'] = $SwAppInsights.Elapsed.TotalMilliseconds
 
 # Import modules
 $SwModules = [System.Diagnostics.Stopwatch]::StartNew()
@@ -66,9 +63,9 @@ if ($hasAppInsights -and -not $global:TelemetryClient) {
     } catch {
         Write-Warning "Failed to initialize TelemetryClient: $($_.Exception.Message)"
     }
+    $SwTelemetry.Stop()
+    $Timings['TelemetryClient'] = $SwTelemetry.Elapsed.TotalMilliseconds
 }
-$SwTelemetry.Stop()
-$Timings['TelemetryClient'] = $SwTelemetry.Elapsed.TotalMilliseconds
 
 $SwDurableSDK = [System.Diagnostics.Stopwatch]::StartNew()
 if ($env:ExternalDurablePowerShellSDK -eq $true) {