Merge pull request #615 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1

@@ -185,6 +185,7 @@ function Add-CIPPScheduledTask {
                 ScheduledTime        = [string]$task.ScheduledTime
                 Recurrence           = [string]$Recurrence
                 PostExecution        = [string]$PostExecution
+                Reference            = [string]$task.Reference
                 AdditionalProperties = [string]$AdditionalProperties
                 Hidden               = [bool]$Hidden
                 Results              = 'Planned'

Modules/CIPPCore/Public/Authentication/Get-CIPPAzIdentityToken.ps1

@@ -0,0 +1,46 @@
+function Get-CIPPAzIdentityToken {
+    <#
+    .SYNOPSIS
+        Get the Azure Identity token for Managed Identity
+    .DESCRIPTION
+        This function retrieves the Azure Identity token using the Managed Identity endpoint for the specified resource
+    .PARAMETER ResourceUrl
+        The Azure resource URL to get a token for. Defaults to 'https://management.azure.com/' for Azure Resource Manager.
+
+        Common resources:
+        - https://management.azure.com/ (Azure Resource Manager - default)
+        - https://vault.azure.net (Azure Key Vault)
+        - https://api.loganalytics.io (Log Analytics / Application Insights)
+        - https://storage.azure.com/ (Azure Storage)
+    .EXAMPLE
+        Get-CIPPAzIdentityToken
+        Gets a token for Azure Resource Manager
+    .EXAMPLE
+        Get-CIPPAzIdentityToken -ResourceUrl 'https://vault.azure.net'
+        Gets a token for Azure Key Vault
+    .EXAMPLE
+        Get-CIPPAzIdentityToken -ResourceUrl 'https://api.loganalytics.io'
+        Gets a token for Log Analytics API
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [string]$ResourceUrl = 'https://management.azure.com/'
+    )
+
+    $Endpoint = $env:IDENTITY_ENDPOINT
+    $Secret = $env:IDENTITY_HEADER
+
+    if (-not $Endpoint -or -not $Secret) {
+        throw 'Managed Identity environment variables (IDENTITY_ENDPOINT/IDENTITY_HEADER) not found. Is Managed Identity enabled on the Function App?'
+    }
+
+    $EncodedResource = [System.Uri]::EscapeDataString($ResourceUrl)
+    $TokenUri = "$($Endpoint)?resource=$EncodedResource&api-version=2019-08-01"
+    $Headers = @{
+        'X-IDENTITY-HEADER' = $Secret
+    }
+
+    $TokenResponse = Invoke-RestMethod -Method Get -Headers $Headers -Uri $TokenUri
+    return $TokenResponse.access_token
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1

@@ -280,7 +280,7 @@ function Push-ExecScheduledCommand {
             $HTML += "<div style='background-color: transparent; border-left: 4px solid #007bff; padding: 15px; margin: 15px 0;'><h4 style='margin-top: 0; color: #007bff;'>Alert Information</h4><p style='margin-bottom: 0;'>$($task.AlertComment)</p></div>"
         }
 
-        $title = "$TaskType - $Tenant - $($task.Name)"
+        $title = "$TaskType - $Tenant - $($task.Name)$(if ($task.Reference) { " - Reference: $($task.Reference)" })"
         Write-Information 'Scheduler: Sending the results to the target.'
         Write-Information "The content of results is: $Results"
         switch -wildcard ($task.PostExecution) {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-AddUser.ps1

@@ -23,9 +23,10 @@ function Invoke-AddUser {
                 value = 'New-CIPPUserTask'
                 label = 'New-CIPPUserTask'
             }
-            Parameters    = [pscustomobject]@{ UserObj = $UserObj }
-            ScheduledTime = $UserObj.Scheduled.date
-            PostExecution = @{
+            Parameters             = [pscustomobject]@{ UserObj = $UserObj }
+            ScheduledTime          = $UserObj.Scheduled.date
+            Reference              = $UserObj.reference ?? $null
+            PostExecution          = @{
                 Webhook = [bool]$Request.Body.PostExecution.Webhook
                 Email   = [bool]$Request.Body.PostExecution.Email
                 PSA     = [bool]$Request.Body.PostExecution.PSA

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecOffboardUser.ps1

@@ -35,6 +35,7 @@ function Invoke-ExecOffboardUser {
                         Email   = [bool]$Request.Body.PostExecution.email
                         PSA     = [bool]$Request.Body.PostExecution.psa
                     }
+                    Reference     = $Request.Body.reference
                 }
                 Add-CIPPScheduledTask -Task $taskObject -hidden $false -Headers $Headers
             } else {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecCAExclusion.ps1

@@ -84,6 +84,8 @@ function Invoke-ExecCAExclusion {
                 }
                 Parameters    = [pscustomobject]$Parameters
                 ScheduledTime = $StartDate
+                PostExecution = $Request.Body.postExecution
+                Reference     = $Request.Body.reference
             }
 
             Write-Information ($TaskBody | ConvertTo-Json -Depth 10)
@@ -117,6 +119,7 @@ function Invoke-ExecCAExclusion {
                     Command       = @{ value = 'Set-CIPPAuditLogUserExclusion'; label = 'Set-CIPPAuditLogUserExclusion' }
                     Parameters    = [pscustomobject]@{ Users = $AuditUsers; Action = 'Remove'; Type = 'Location' }
                     ScheduledTime = $EndDate
+                    Reference     = $Request.Body.reference
                 }
                 Add-CIPPScheduledTask -Task $AuditRemoveTask -hidden $true
             }

Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1

@@ -23,16 +23,16 @@ function Get-CIPPStandards {
     $Table = Get-CippTable -tablename 'templates'
     $Filter = "PartitionKey eq 'StandardsTemplateV2'"
     $Templates = (Get-CIPPAzDataTableEntity @Table -Filter $Filter | Sort-Object TimeStamp).JSON |
-        ForEach-Object {
-            try {
-                # Fix old "Action" => "action"
-                $JSON = $_ -replace '"Action":', '"action":' -replace '"permissionlevel":', '"permissionLevel":'
-                ConvertFrom-Json -InputObject $JSON -ErrorAction SilentlyContinue
-            } catch {}
-        } |
-        Where-Object {
-            $_.GUID -like $TemplateId -and $_.runManually -eq $runManually
-        }
+    ForEach-Object {
+        try {
+            # Fix old "Action" => "action"
+            $JSON = $_ -replace '"Action":', '"action":' -replace '"permissionlevel":', '"permissionLevel":'
+            ConvertFrom-Json -InputObject $JSON -ErrorAction SilentlyContinue
+        } catch {}
+    } |
+    Where-Object {
+        $_.GUID -like $TemplateId -and $_.runManually -eq $runManually
+    }
 
     # 1.5. Expand templates that contain TemplateList-Tags into multiple standards
     $ExpandedTemplates = foreach ($Template in $Templates) {
@@ -243,12 +243,17 @@ function Get-CIPPStandards {
                 }
             }
 
-            # Separate AllTenants vs TenantSpecific templates
+            # Separate templates into three tiers: AllTenants (lowest precedence), Group (middle), Tenant-Specific (highest)
             $AllTenantTemplatesSet = $ApplicableTemplates | Where-Object {
                 $_.tenantFilter.value -contains 'AllTenants'
             }
+            $GroupTemplatesSet = $ApplicableTemplates | Where-Object {
+                ($_.tenantFilter.value -notcontains 'AllTenants') -and
+                ($_.tenantFilter | Where-Object { $_.type -eq 'Group' })
+            }
             $TenantSpecificTemplatesSet = $ApplicableTemplates | Where-Object {
-                $_.tenantFilter.value -notcontains 'AllTenants'
+                ($_.tenantFilter.value -notcontains 'AllTenants') -and
+                -not ($_.tenantFilter | Where-Object { $_.type -eq 'Group' })
             }
 
             # Build merged standards keyed by (StandardName, TemplateList.value)
@@ -323,7 +328,86 @@ function Get-CIPPStandards {
                 }
             }
 
-            # Process TenantSpecific templates, merging with AllTenants base
+            # Process Group templates, merging with AllTenants base
+            foreach ($Template in $GroupTemplatesSet) {
+                $Standards = $Template.standards
+
+                foreach ($StandardName in $Standards.PSObject.Properties.Name) {
+                    $Value = $Standards.$StandardName
+                    $IsArray = $Value -is [System.Collections.IEnumerable] -and -not ($Value -is [string])
+
+                    if ($IsArray) {
+                        foreach ($Item in $Value) {
+                            $CurrentStandard = $Item.PSObject.Copy()
+                            $CurrentStandard | Add-Member -NotePropertyName 'TemplateId' -NotePropertyValue $Template.GUID -Force
+
+                            # Add Remediate if autoRemediate is true
+                            if ($CurrentStandard.autoRemediate -eq $true -and -not ($CurrentStandard.action.value -contains 'Remediate')) {
+                                $CurrentStandard.action = @($CurrentStandard.action) + [pscustomobject]@{
+                                    label = 'Remediate'
+                                    value = 'Remediate'
+                                }
+                            }
+
+                            # Add Report if Remediate present but Report missing
+                            if ($CurrentStandard.action.value -contains 'Remediate' -and -not ($CurrentStandard.action.value -contains 'Report')) {
+                                $CurrentStandard.action = @($CurrentStandard.action) + [pscustomobject]@{
+                                    label = 'Report'
+                                    value = 'Report'
+                                }
+                            }
+
+                            $Actions = $CurrentStandard.action.value
+                            if ($Actions -contains 'Remediate' -or $Actions -contains 'warn' -or $Actions -contains 'Report') {
+                                $TemplateKey = if ($CurrentStandard.TemplateList.value) { $CurrentStandard.TemplateList.value } else { '' }
+                                $Key = "$StandardName|$TemplateKey"
+
+                                if ($ComputedStandards.ContainsKey($Key)) {
+                                    # Merge group-based over AllTenants base
+                                    $MergedStandard = Merge-CippStandards -Existing $ComputedStandards[$Key] -New $CurrentStandard -StandardName $StandardName
+                                    $ComputedStandards[$Key] = $MergedStandard
+                                } else {
+                                    $ComputedStandards[$Key] = $CurrentStandard
+                                }
+                            }
+                        }
+                    } else {
+                        $CurrentStandard = $Value.PSObject.Copy()
+                        $CurrentStandard | Add-Member -NotePropertyName 'TemplateId' -NotePropertyValue $Template.GUID -Force
+
+                        # Add Remediate if autoRemediate is true
+                        if ($CurrentStandard.autoRemediate -eq $true -and -not ($CurrentStandard.action.value -contains 'Remediate')) {
+                            $CurrentStandard.action = @($CurrentStandard.action) + [pscustomobject]@{
+                                label = 'Remediate'
+                                value = 'Remediate'
+                            }
+                        }
+
+                        # Add Report if Remediate present but Report missing
+                        if ($CurrentStandard.action.value -contains 'Remediate' -and -not ($CurrentStandard.action.value -contains 'Report')) {
+                            $CurrentStandard.action = @($CurrentStandard.action) + [pscustomobject]@{
+                                label = 'Report'
+                                value = 'Report'
+                            }
+                        }
+
+                        $Actions = $CurrentStandard.action.value
+                        if ($Actions -contains 'Remediate' -or $Actions -contains 'warn' -or $Actions -contains 'Report') {
+                            $TemplateKey = if ($CurrentStandard.TemplateList.value) { $CurrentStandard.TemplateList.value } else { '' }
+                            $Key = "$StandardName|$TemplateKey"
+
+                            if ($ComputedStandards.ContainsKey($Key)) {
+                                $MergedStandard = Merge-CippStandards -Existing $ComputedStandards[$Key] -New $CurrentStandard -StandardName $StandardName
+                                $ComputedStandards[$Key] = $MergedStandard
+                            } else {
+                                $ComputedStandards[$Key] = $CurrentStandard
+                            }
+                        }
+                    }
+                }
+            }
+
+            # Process TenantSpecific templates, merging with Group and AllTenants base
             foreach ($Template in $TenantSpecificTemplatesSet) {
                 $Standards = $Template.standards
 
@@ -358,7 +442,7 @@ function Get-CIPPStandards {
                                 $Key = "$StandardName|$TemplateKey"
 
                                 if ($ComputedStandards.ContainsKey($Key)) {
-                                    # Merge tenant-specific over AllTenants base
+                                    # Merge tenant-specific over Group/AllTenants base
                                     $MergedStandard = Merge-CippStandards -Existing $ComputedStandards[$Key] -New $CurrentStandard -StandardName $StandardName
                                     $ComputedStandards[$Key] = $MergedStandard
                                 } else {

profile.ps1

@@ -4,24 +4,21 @@ Write-Information '#### CIPP-API Start ####'
 Set-Location -Path $PSScriptRoot
 try {
     $AppInsightsDllPath = Join-Path $PSScriptRoot 'Shared\AppInsights\Microsoft.ApplicationInsights.dll'
-    if (Test-Path $AppInsightsDllPath) {
-        [Reflection.Assembly]::LoadFile($AppInsightsDllPath) | Out-Null
-        Write-Information 'Application Insights SDK loaded successfully'
-    } else {
-        Write-Warning "Application Insights DLL not found at: $AppInsightsDllPath"
-    }
+    $null = [Reflection.Assembly]::LoadFile($AppInsightsDllPath)
+    Write-Information 'Application Insights SDK loaded successfully'
 } catch {
     Write-Warning "Failed to load Application Insights SDK: $($_.Exception.Message)"
 }
 
 # Import modules
-@('CIPPCore', 'CippExtensions', 'Az.KeyVault', 'Az.Accounts', 'AzBobbyTables') | ForEach-Object {
+$ModulesPath = Join-Path $PSScriptRoot 'Modules'
+$Modules = @('CIPPCore', 'CippExtensions', 'Az.Accounts', 'Az.KeyVault', 'AzBobbyTables')
+foreach ($Module in $Modules) {
     try {
-        $Module = $_
-        Import-Module -Name $_ -ErrorAction Stop
+        Import-Module -Name (Join-Path $ModulesPath $Module) -ErrorAction Stop
     } catch {
         Write-LogMessage -message "Failed to import module - $Module" -LogData (Get-CippException -Exception $_) -Sev 'debug'
-        $_.Exception.Message
+        Write-Error $_.Exception.Message
     }
 }
 
@@ -61,7 +58,7 @@ if ($env:ExternalDurablePowerShellSDK -eq $true) {
 }
 
 try {
-    Disable-AzContextAutosave -Scope Process | Out-Null
+    $null = Disable-AzContextAutosave -Scope Process
 } catch {}
 
 try {
@@ -73,8 +70,7 @@ try {
     Write-LogMessage -message 'Could not retrieve keys from Keyvault' -LogData (Get-CippException -Exception $_) -Sev 'debug'
 }
 
-Set-Location -Path $PSScriptRoot
-$CurrentVersion = (Get-Content .\version_latest.txt).trim()
+$CurrentVersion = (Get-Content -Path (Join-Path $PSScriptRoot 'version_latest.txt') -Raw).Trim()
 $Table = Get-CippTable -tablename 'Version'
 Write-Information "Function App: $($env:WEBSITE_SITE_NAME) | API Version: $CurrentVersion | PS Version: $($PSVersionTable.PSVersion)"
 $global:CippVersion = $CurrentVersion
@@ -84,7 +80,7 @@ if (!$LastStartup -or $CurrentVersion -ne $LastStartup.Version) {
     Write-Information "Version has changed from $($LastStartup.Version ?? 'None') to $CurrentVersion"
     if ($LastStartup) {
         $LastStartup.Version = $CurrentVersion
-        $LastStartup | Add-Member -MemberType NoteProperty -Name 'PSVersion' -Value $PSVersionTable.PSVersion.ToString() -Force
+        Add-Member -InputObject $LastStartup -MemberType NoteProperty -Name 'PSVersion' -Value $PSVersionTable.PSVersion.ToString() -Force
     } else {
         $LastStartup = [PSCustomObject]@{
             PartitionKey = 'Version'

requirements.psd1

@@ -1,10 +1,6 @@
 # This file enables modules to be automatically managed by the Functions service.
 # See https://aka.ms/functionsmanageddependency for additional information.
 #
-@{
-    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. 
-    # To use the Az module in your function app, please uncomment the line below.
-    'Az.accounts'   = '2.*'
-    'Az.Keyvault'   = '3.*'
-    'AzBobbyTables' = '2.*'
-}
+# CIPP bundles all modules locally in the Modules folder and imports them explicitly.
+# managedDependency is disabled in host.json - this file is intentionally empty.
+@{}