@@ -210,6 +210,7 @@ function Get-CIPPDrift {
210210 }
211211
212212 # Perform full policy collection
213+ $TenantIntunePolicies = @ ()
213214 if ($IntuneCapable ) {
214215 $TenantIntunePolicies = Measure-CippTask - TaskName ' CollectIntunePolicies' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
215216 Tenant = $TenantFilter
@@ -287,6 +288,7 @@ function Get-CIPPDrift {
287288 }
288289 }
289290 # Get Conditional Access policies
291+ $TenantCAPolicies = @ ()
290292 if ($ConditionalAccessCapable ) {
291293 $TenantCAPolicies = Measure-CippTask - TaskName ' CollectCAPolicies' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
292294 Tenant = $TenantFilter
@@ -351,41 +353,45 @@ function Get-CIPPDrift {
351353 }
352354
353355 # Check for extra Intune policies not in template
354- $IntunePolicyDeviations = Measure-CippTask - TaskName ' DetectIntuneDrift' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
355- Tenant = $TenantFilter
356- Command = ' Get-CIPPDrift'
357- Section = ' PolicyDriftDetection'
358- } - Script {
359- $Deviations = [System.Collections.Generic.List [object ]]::new()
360- foreach ($TenantPolicy in $TenantIntunePolicies ) {
361- $tenantPolicy.policy | Add-Member - MemberType NoteProperty - Name ' URLName' - Value $TenantPolicy.Type - Force
362- $TenantPolicyName = if ($TenantPolicy.Policy.displayName ) { $TenantPolicy.Policy.displayName } else { $TenantPolicy.Policy.name }
363-
364- # Use hashtable lookup instead of nested loop - check for null to avoid ContainsKey errors
365- $PolicyFound = ($TenantPolicy.Policy.displayName -and $TemplatePolicyLookup.ContainsKey ($TenantPolicy.Policy.displayName )) -or
366- ($TenantPolicy.Policy.name -and $TemplatePolicyLookup.ContainsKey ($TenantPolicy.Policy.name ))
367-
368- if (-not $PolicyFound ) {
369- $PolicyKey = " IntuneTemplates.$ ( $TenantPolicy.Policy.id ) "
370- $Status = if ($ExistingDriftStates.ContainsKey ($PolicyKey )) {
371- $ExistingDriftStates [$PolicyKey ].Status
372- } else {
373- ' New'
374- }
375- $PolicyDeviation = [PSCustomObject ]@ {
376- standardName = $PolicyKey
377- standardDisplayName = " Intune - $TenantPolicyName "
378- expectedValue = ' This policy only exists in the tenant, not in the template.'
379- receivedValue = $TenantPolicy.Policy
380- state = ' current'
381- Status = $Status
356+ if ($IntuneCapable -and $TenantIntunePolicies.Count -gt 0 ) {
357+ $IntunePolicyDeviations = Measure-CippTask - TaskName ' DetectIntuneDrift' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
358+ Tenant = $TenantFilter
359+ Command = ' Get-CIPPDrift'
360+ Section = ' PolicyDriftDetection'
361+ } - Script {
362+ $Deviations = [System.Collections.Generic.List [object ]]::new()
363+ foreach ($TenantPolicy in $TenantIntunePolicies ) {
364+ $tenantPolicy.policy | Add-Member - MemberType NoteProperty - Name ' URLName' - Value $TenantPolicy.Type - Force
365+ $TenantPolicyName = if ($TenantPolicy.Policy.displayName ) { $TenantPolicy.Policy.displayName } else { $TenantPolicy.Policy.name }
366+
367+ # Use hashtable lookup instead of nested loop - check for null to avoid ContainsKey errors
368+ $PolicyFound = ($TenantPolicy.Policy.displayName -and $TemplatePolicyLookup.ContainsKey ($TenantPolicy.Policy.displayName )) -or
369+ ($TenantPolicy.Policy.name -and $TemplatePolicyLookup.ContainsKey ($TenantPolicy.Policy.name ))
370+
371+ if (-not $PolicyFound ) {
372+ $PolicyKey = " IntuneTemplates.$ ( $TenantPolicy.Policy.id ) "
373+ $Status = if ($ExistingDriftStates.ContainsKey ($PolicyKey )) {
374+ $ExistingDriftStates [$PolicyKey ].Status
375+ } else {
376+ ' New'
377+ }
378+ $PolicyDeviation = [PSCustomObject ]@ {
379+ standardName = $PolicyKey
380+ standardDisplayName = " Intune - $TenantPolicyName "
381+ expectedValue = ' This policy only exists in the tenant, not in the template.'
382+ receivedValue = $TenantPolicy.Policy
383+ state = ' current'
384+ Status = $Status
385+ }
386+ $Deviations.Add ($PolicyDeviation )
382387 }
383- $Deviations.Add ($PolicyDeviation )
384388 }
389+ $Deviations
390+ }
391+ if ($IntunePolicyDeviations ) {
392+ $PolicyDeviations.AddRange ($IntunePolicyDeviations )
385393 }
386- $Deviations
387394 }
388- $PolicyDeviations.AddRange ($IntunePolicyDeviations )
389395
390396 # Build hashtable lookup for template CA policies
391397 $TemplateCALookup = @ {}
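Review bot: The new guard `if ($IntuneCapable -and $TenantIntunePolicies.Count -gt 0)` skips the extra-policy check without leaving a trace, so a tenant whose Intune collection failed or came back empty reports the same as a tenant with no unmanaged policies. For a drift report that is a visibility gap. When `$IntuneCapable` is true but the count is 0, I would emit something like `Write-Warning "Intune drift check skipped for $TenantFilter: no policies collected"`. The `$ConditionalAccessCapable` guard in the next hunk has the same gap. Collection error handling is outside these hunks and may already log this; Get-CIPPDrift itself starts and ends outside the hunk.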
@@ -396,37 +402,41 @@ function Get-CIPPDrift {
396402 }
397403
398404 # Check for extra Conditional Access policies not in template
399- $CAPolicyDeviations = Measure-CippTask - TaskName ' DetectCADrift' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
400- Tenant = $TenantFilter
401- Command = ' Get-CIPPDrift'
402- Section = ' PolicyDriftDetection'
403- } - Script {
404- $Deviations = [System.Collections.Generic.List [object ]]::new()
405- foreach ($TenantCAPolicy in $TenantCAPolicies ) {
406- # Use hashtable lookup instead of nested loop
407- $PolicyFound = $TemplateCALookup.ContainsKey ($TenantCAPolicy.displayName )
408-
409- if (-not $PolicyFound ) {
410- $PolicyKey = " ConditionalAccessTemplates.$ ( $TenantCAPolicy.id ) "
411- $Status = if ($ExistingDriftStates.ContainsKey ($PolicyKey )) {
412- $ExistingDriftStates [$PolicyKey ].Status
413- } else {
414- ' New'
415- }
416- $PolicyDeviation = [PSCustomObject ]@ {
417- standardName = $PolicyKey
418- standardDisplayName = " Conditional Access - $ ( $TenantCAPolicy.displayName ) "
419- expectedValue = ' This policy only exists in the tenant, not in the template.'
420- receivedValue = $TenantCAPolicy | Out-String
421- state = ' current'
422- Status = $Status
405+ if ($ConditionalAccessCapable -and $TenantCAPolicies.Count -gt 0 ) {
406+ $CAPolicyDeviations = Measure-CippTask - TaskName ' DetectCADrift' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
407+ Tenant = $TenantFilter
408+ Command = ' Get-CIPPDrift'
409+ Section = ' PolicyDriftDetection'
410+ } - Script {
411+ $Deviations = [System.Collections.Generic.List [object ]]::new()
412+ foreach ($TenantCAPolicy in $TenantCAPolicies ) {
413+ # Use hashtable lookup instead of nested loop
414+ $PolicyFound = $TemplateCALookup.ContainsKey ($TenantCAPolicy.displayName )
415+
416+ if (-not $PolicyFound ) {
417+ $PolicyKey = " ConditionalAccessTemplates.$ ( $TenantCAPolicy.id ) "
418+ $Status = if ($ExistingDriftStates.ContainsKey ($PolicyKey )) {
419+ $ExistingDriftStates [$PolicyKey ].Status
420+ } else {
421+ ' New'
422+ }
423+ $PolicyDeviation = [PSCustomObject ]@ {
424+ standardName = $PolicyKey
425+ standardDisplayName = " Conditional Access - $ ( $TenantCAPolicy.displayName ) "
426+ expectedValue = ' This policy only exists in the tenant, not in the template.'
427+ receivedValue = $TenantCAPolicy | Out-String
428+ state = ' current'
429+ Status = $Status
430+ }
431+ $Deviations.Add ($PolicyDeviation )
423432 }
424- $Deviations.Add ($PolicyDeviation )
425433 }
434+ $Deviations
435+ }
436+ if ($CAPolicyDeviations ) {
437+ $PolicyDeviations.AddRange ($CAPolicyDeviations )
426438 }
427- $Deviations
428439 }
429- $PolicyDeviations.AddRange ($CAPolicyDeviations )
430440
431441 # Combine all deviations and filter by status
432442 $DeviationGroups = Measure-CippTask - TaskName ' GroupDeviations' - EventName ' CIPP.GetDriftProfile' - Metadata @ {
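Review bot: `$PolicyDeviations.AddRange($CAPolicyDeviations)` is now guarded against an empty result but not against a single one. The `if ($CAPolicyDeviations)` check suggests the list emitted by the script block is unrolled on the way back, in which case exactly one deviation would arrive as a bare PSCustomObject that AddRange may refuse to bind as a collection. Wrapping the argument, `$PolicyDeviations.AddRange(@($CAPolicyDeviations))`, covers zero, one and many results; the Intune branch in the previous hunk makes the same call. The type of `$PolicyDeviations` and the body of Measure-CippTask are outside the hunk, so this is inferred rather than confirmed.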