Merge pull request #396 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLicenseAssignmentErrors.ps1

@@ -0,0 +1,91 @@
+function Get-CIPPAlertLicenseAssignmentErrors {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory)]
+        $TenantFilter,
+        [Alias('input')]
+        $InputValue
+    )
+
+    # Define error code translations for human-readable messages
+    $ErrorTranslations = @(
+        @{
+            ErrorCode = "CountViolation"
+            Description = "Not enough licenses available - the organization has exceeded the number of available licenses for this SKU"
+        },
+        @{
+            ErrorCode = "MutuallyExclusiveViolation"
+            Description = "Conflicting licenses assigned - this license cannot be assigned alongside another license the user already has"
+        },
+        @{
+            ErrorCode = "ProhibitedInUsageLocationViolation"
+            Description = "License not available in user's location - this license cannot be assigned to users in the user's current usage location"
+        },
+        @{
+            ErrorCode = "UniquenessViolation"
+            Description = "Duplicate license assignment - this license can only be assigned once per user"
+        },
+        @{
+            ErrorCode = "Unknown"
+            Description = "Unknown license assignment error - an unspecified error occurred during license assignment"
+        }
+    )
+
+    try {
+        # Get all users with license assignment states from Graph API
+        $Users = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,userPrincipalName,displayName,licenseAssignmentStates&`$top=999" -tenantid $TenantFilter
+
+        # Filter users who have license assignment violations
+        $UsersWithViolations = $Users | Where-Object {
+            $_.licenseAssignmentStates -and
+            ($_.licenseAssignmentStates | Where-Object {
+                $_.error -and (
+                    $_.error -like "*CountViolation*" -or
+                    $_.error -like "*MutuallyExclusiveViolation*" -or
+                    $_.error -like "*ProhibitedInUsageLocationViolation*" -or
+                    $_.error -like "*UniquenessViolation*" -or
+                    $_.error -like "*Unknown*"
+                )
+            })
+        }
+
+        # Build alert messages for users with violations
+        $LicenseAssignmentErrors = foreach ($User in $UsersWithViolations) {
+            $ViolationErrors = $User.licenseAssignmentStates | Where-Object {
+                $_.error -and (
+                    $_.error -like "*CountViolation*" -or
+                    $_.error -like "*MutuallyExclusiveViolation*" -or
+                    $_.error -like "*ProhibitedInUsageLocationViolation*" -or
+                    $_.error -like "*UniquenessViolation*" -or
+                    $_.error -like "*Unknown*"
+                )
+            }
+
+            foreach ($Violation in $ViolationErrors) {
+                # Find matching error translation
+                $ErrorTranslation = $ErrorTranslations | Where-Object { $Violation.error -like "*$($_.ErrorCode)*" } | Select-Object -First 1
+                $HumanReadableError = if ($ErrorTranslation) {
+                    $ErrorTranslation.Description
+                } else {
+                    "Unknown license assignment error: $($Violation.error)"
+                }
+
+                $PrettyName = Convert-SKUname -skuID $Violation.skuId
+
+                "$($User.userPrincipalName): $HumanReadableError (License: $PrettyName)"
+            }
+        }
+
+        # If errors are found, write alert
+        if ($LicenseAssignmentErrors) {
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $LicenseAssignmentErrors
+        }
+
+    } catch {
+        Write-LogMessage -message "Failed to check license assignment errors: $($_.exception.message)" -API 'License Assignment Alerts' -tenant $TenantFilter -sev Error
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPDriftManagement.ps1

@@ -31,7 +31,8 @@ function Push-CippDriftManagement {
                     Status           = $_.status
                 }
             }
-            $GenerateEmail = New-CIPPAlertTemplate -format 'html' -data $Data -CIPPURL $CIPPURL -Tenant $Item.tenant -InputObject 'driftStandard'
+
+            $GenerateEmail = New-CIPPAlertTemplate -format 'html' -data $Data -CIPPURL $CIPPURL -Tenant $Item.Tenant -InputObject 'driftStandard' -AuditLogLink $drift.standardId
             $CIPPAlert = @{
                 Type         = 'email'
                 Title        = $GenerateEmail.title
@@ -51,7 +52,7 @@ function Push-CippDriftManagement {
                 Type         = 'webhook'
                 Title        = $GenerateEmail.title
                 JSONContent  = $WebhookData
-                TenantFilter = $Item.tenant
+                TenantFilter = $Item.Tenant
             }
             Write-Host 'Sending Webhook Content'
             Send-CIPPAlert @CippAlert -altWebhook $webhook
@@ -60,7 +61,7 @@ function Push-CippDriftManagement {
                 Type         = 'psa'
                 Title        = $GenerateEmail.title
                 HTMLContent  = $GenerateEmail.htmlcontent
-                TenantFilter = $TenantFilter
+                TenantFilter = $Item.Tenant
             }
             Send-CIPPAlert @CIPPAlert
             return $true

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ExecUpdateDriftDeviation.ps1

@@ -72,20 +72,19 @@ function Invoke-ExecUpdateDriftDeviation {
                         Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Scheduled drift remediation task for $Setting" -Sev 'Info'
                     }
                     if ($Deviation.status -eq 'deniedDelete') {
-                        if ($Deviation.standardName -like 'ConditionalAccessTemplate*') {
-                            $ID = $Deviation.standardName -replace 'ConditionalAccessTemplates.', ''
-                            Write-Host "Going to delete CA Policy with ID $ID. Deviation Name is $($Deviation.standardName)"
-                            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($ID)" -type DELETE -tenant $TenantFilter -asapp $true
-                            "Deleted CA Policy $($ID)"
-                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Deleted Conditional Access Policy with ID $($ID)" -Sev 'Info'
+                        $Policy = $Deviation.receivedValue | ConvertFrom-Json -ErrorAction SilentlyContinue
+                        Write-Host "Policy is $($Policy)"
+                        $URLName = Get-CIPPURLName -Template $Policy
+                        if ($Policy -and $URLName) {
+                            Write-Host "Going to delete Policy with ID $($policy.ID) Deviation Name is $($Deviation.standardName)"
+                            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/$($URLName)/$($policy.id)" -type DELETE -tenant $TenantFilter
+                            "Deleted Policy $($ID)"
+                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Deleted Policy with ID $($ID)" -Sev 'Info'
+                        } else {
+                            "could not find policy with ID $($ID)"
+                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not find Policy with ID $($ID) to delete for remediation" -Sev 'Warning'
                         }
 
-                        if ($Deviation.standardName -like 'IntuneTemplates*') {
-                            New-GraphPostRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($UrlName)('$($PolicyId)')" -type DELETE -tenant $TenantFilter
-                            "Deleted Intune Policy $($ID)"
-                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Deleted Intune Policy with ID $($ID)" -Sev 'Info'
-
-                        }
 
                     }
                 } catch {

Modules/CIPPCore/Public/Functions/Get-CIPPURLName.ps1

@@ -0,0 +1,155 @@
+function Get-CIPPURLName {
+    <#
+    .SYNOPSIS
+        Gets the correct Microsoft Graph URL based on the OData type of a template
+    .DESCRIPTION
+        This function examines the @odata.type property of a JSON template object and returns
+        the appropriate full Microsoft Graph API URL for that resource type.
+    .PARAMETER Template
+        The template object containing the @odata.type property to analyze
+    .FUNCTIONALITY
+        Internal
+    .EXAMPLE
+        Get-CIPPURLName -Template $MyTemplate
+    .EXAMPLE
+        $Template | Get-CIPPURLName
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+        [PSCustomObject]$Template
+    )
+
+    # Extract the OData type from the template
+    $ODataType = $Template.'@odata.type'
+    if ($Template.urlName) { return $Template.urlName }
+
+    if (-not $ODataType) {
+        Write-Warning 'No @odata.type property found in template'
+        return $null
+    }
+
+    # Determine the full Microsoft Graph URL based on the OData type
+    $URLName = switch -wildcard ($ODataType) {
+        # Device Compliance Policies
+        '*CompliancePolicy' {
+            'deviceManagement/deviceCompliancePolicies'
+        }
+        '*deviceCompliancePolicy' {
+            'deviceManagement/deviceCompliancePolicies'
+        }
+
+        # Managed App Policies (App Protection)
+        '*ManagedAppProtection' {
+            'deviceAppManagement/managedAppPolicies'
+        }
+        '*managedAppPolicies' {
+            'deviceAppManagement/managedAppPolicies'
+        }
+        '*managedAppPolicy' {
+            'deviceAppManagement/managedAppPolicies'
+        }
+        '*appProtectionPolicy' {
+            'deviceAppManagement/managedAppPolicies'
+        }
+
+        # Configuration Policies (Settings Catalog)
+        '*configurationPolicies' {
+            'deviceManagement/configurationPolicies'
+        }
+        '*deviceManagementConfigurationPolicy' {
+            'deviceManagement/configurationPolicies'
+        }
+
+        # Windows Driver Update Profiles
+        '*windowsDriverUpdateProfiles' {
+            'deviceManagement/windowsDriverUpdateProfiles'
+        }
+        '*windowsDriverUpdateProfile' {
+            'deviceManagement/windowsDriverUpdateProfiles'
+        }
+
+        # Device Configurations
+        '*deviceConfigurations' {
+            'deviceManagement/deviceConfigurations'
+        }
+        '*deviceConfiguration' {
+            'deviceManagement/deviceConfigurations'
+        }
+
+        # Group Policy Configurations (Administrative Templates)
+        '*groupPolicyConfigurations' {
+            'deviceManagement/groupPolicyConfigurations'
+        }
+        '*groupPolicyConfiguration' {
+            'deviceManagement/groupPolicyConfigurations'
+        }
+
+        # Conditional Access Policies
+        '*conditionalAccessPolicy' {
+            'identity/conditionalAccess/policies'
+        }
+
+        # Device Enrollment Configurations
+        '*deviceEnrollmentConfiguration' {
+            'deviceManagement/deviceEnrollmentConfigurations'
+        }
+        '*enrollmentConfiguration' {
+            'deviceManagement/deviceEnrollmentConfigurations'
+        }
+
+        # Mobile App Configurations
+        '*mobileAppConfiguration' {
+            'deviceAppManagement/mobileAppConfigurations'
+        }
+        '*appConfiguration' {
+            'deviceAppManagement/mobileAppConfigurations'
+        }
+
+        # Windows Feature Update Profiles
+        '*windowsFeatureUpdateProfile' {
+            'deviceManagement/windowsFeatureUpdateProfiles'
+        }
+
+        # Device Health Scripts (Remediation Scripts)
+        '*deviceHealthScript' {
+            'deviceManagement/deviceHealthScripts'
+        }
+
+        # Device Management Scripts (PowerShell Scripts)
+        '*deviceManagementScript' {
+            'deviceManagement/deviceManagementScripts'
+        }
+
+        # Mobile Applications
+        '*mobileApp' {
+            'deviceAppManagement/mobileApps'
+        }
+        '*winGetApp' {
+            'deviceAppManagement/mobileApps'
+        }
+        '*officeSuiteApp' {
+            'deviceAppManagement/mobileApps'
+        }
+
+        # Named Locations
+        '*namedLocation' {
+            'identity/conditionalAccess/namedLocations'
+        }
+        '*ipNamedLocation' {
+            'identity/conditionalAccess/namedLocations'
+        }
+        '*countryNamedLocation' {
+            'identity/conditionalAccess/namedLocations'
+        }
+
+        # Default fallback
+        default {
+            Write-Warning "Unknown OData type: $ODataType"
+            $null
+        }
+    }
+
+    return $URLName
+}
+

Modules/CIPPCore/Public/Get-CIPPDrift.ps1

@@ -84,47 +84,47 @@ function Get-CIPPDrift {
             # Always get live data when not in AllTenants mode
             $IntuneRequests = @(
                 @{
-                    id     = 'deviceAppManagement'
+                    id     = 'deviceAppManagement/managedAppPolicies'
                     url    = 'deviceAppManagement/managedAppPolicies'
                     method = 'GET'
                 }
                 @{
-                    id     = 'deviceCompliancePolicies'
+                    id     = 'deviceManagement/deviceCompliancePolicies'
                     url    = 'deviceManagement/deviceCompliancePolicies'
                     method = 'GET'
                 }
                 @{
-                    id     = 'groupPolicyConfigurations'
+                    id     = 'deviceManagement/groupPolicyConfigurations'
                     url    = 'deviceManagement/groupPolicyConfigurations'
                     method = 'GET'
                 }
                 @{
-                    id     = 'deviceConfigurations'
+                    id     = 'deviceManagement/deviceConfigurations'
                     url    = 'deviceManagement/deviceConfigurations'
                     method = 'GET'
                 }
                 @{
-                    id     = 'configurationPolicies'
+                    id     = 'deviceManagement/configurationPolicies'
                     url    = 'deviceManagement/configurationPolicies'
                     method = 'GET'
                 }
                 @{
-                    id     = 'windowsDriverUpdateProfiles'
+                    id     = 'deviceManagement/windowsDriverUpdateProfiles'
                     url    = 'deviceManagement/windowsDriverUpdateProfiles'
                     method = 'GET'
                 }
                 @{
-                    id     = 'windowsFeatureUpdateProfiles'
+                    id     = 'deviceManagement/windowsFeatureUpdateProfiles'
                     url    = 'deviceManagement/windowsFeatureUpdateProfiles'
                     method = 'GET'
                 }
                 @{
-                    id     = 'windowsQualityUpdatePolicies'
+                    id     = 'deviceManagement/windowsQualityUpdatePolicies'
                     url    = 'deviceManagement/windowsQualityUpdatePolicies'
                     method = 'GET'
                 }
                 @{
-                    id     = 'windowsQualityUpdateProfiles'
+                    id     = 'deviceManagement/windowsQualityUpdateProfiles'
                     url    = 'deviceManagement/windowsQualityUpdateProfiles'
                     method = 'GET'
                 }
@@ -220,6 +220,7 @@ function Get-CIPPDrift {
             # Check for extra Intune policies not in template
             foreach ($TenantPolicy in $TenantIntunePolicies) {
                 $PolicyFound = $false
+                $tenantPolicy.policy | Add-Member -MemberType NoteProperty -Name 'URLName' -Value $TenantPolicy.Type -Force
                 $TenantPolicyName = if ($TenantPolicy.Policy.displayName) { $TenantPolicy.Policy.displayName } else { $TenantPolicy.Policy.name }
 
                 foreach ($TemplatePolicy in $TemplateIntuneTemplates) {

Modules/CIPPCore/Public/New-CIPPAlertTemplate.ps1

@@ -31,7 +31,7 @@ function New-CIPPAlertTemplate {
         $Title = "CIPP Alert - Standard Drift Detected for $($Tenant)"
         $DataHTML = ($Data | ConvertTo-Html | Out-String).Replace('<table>', ' <table class="table-modern">')
         $IntroText = "<p>You've setup your instance to receive alerts when a tenant is drifting away from your standard. This seems to have happened! We've found the following deviations. </p>$dataHTML"
-        $ButtonUrl = "$CIPPURL/cipp/logs"
+        $ButtonUrl = "$CIPPURL/tenant/standards/manage-drift?tenantFilter=$($Tenant)&templateId=$($AuditLogLink)"
         $ButtonText = 'Investigate and remediate deviations'
         $AfterButtonText = 'Click the button above to go to the logbook and investigate the deviations. You can also use the standards page to remediate the deviations.'
     }