Improve tenant filtering in audit log rules

Zacgoose · Zacgoose · commit 41d606b9d88f · 2025-11-28T19:23:53.000+08:00
Refactored configuration processing to expand tenant groups and ensure TenantFilter matches actual tenants or 'AllTenants'. Added error handling for missing or invalid tenant data.
This should fix issues where audit logs were not getting matched against searches when tenant groups were used.
diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
@@ -126,13 +126,25 @@ function Test-CIPPAuditLogRules {
         $TrustedIPTable = Get-CIPPTable -TableName 'trustedIps'
         $ConfigTable = Get-CIPPTable -TableName 'WebhookRules'
         $ConfigEntries = Get-CIPPAzDataTableEntity @ConfigTable
-        $Configuration = $ConfigEntries | Where-Object { ($_.Tenants -match $TenantFilter -or $_.Tenants -match 'AllTenants') } | ForEach-Object {
-            [pscustomobject]@{
-                Tenants    = ($_.Tenants | ConvertFrom-Json)
-                Excluded   = ($_.excludedTenants | ConvertFrom-Json -ErrorAction SilentlyContinue)
-                Conditions = $_.Conditions
-                Actions    = $_.Actions
-                LogType    = $_.Type
+        $Configuration = foreach ($ConfigEntry in $ConfigEntries) {
+            if ([string]::IsNullOrEmpty($ConfigEntry.Tenants)) {
+                continue
+            }
+            $Tenants = $ConfigEntry.Tenants | ConvertFrom-Json -ErrorAction SilentlyContinue
+            if ($null -eq $Tenants) {
+                continue
+            }
+            # Expand tenant groups to get actual tenant list
+            $ExpandedTenants = Expand-CIPPTenantGroups -TenantFilter $Tenants
+            # Check if the TenantFilter matches any tenant in the expanded list or AllTenants
+            if ($ExpandedTenants.value -contains $TenantFilter -or $ExpandedTenants.value -contains 'AllTenants') {
+                [pscustomobject]@{
+                    Tenants    = $Tenants
+                    Excluded   = ($ConfigEntry.excludedTenants | ConvertFrom-Json -ErrorAction SilentlyContinue)
+                    Conditions = $ConfigEntry.Conditions
+                    Actions    = $ConfigEntry.Actions
+                    LogType    = $ConfigEntry.Type
+                }
             }
         }
 
