Merge pull request #547 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Maintenance/Push-TableCleanupTask.ps1

@@ -25,6 +25,7 @@ function Push-TableCleanupTask {
                     Write-Information "Table $Table not found"
                 }
             }
+            Write-Information "#### $($Type) task complete for $($Item.TableName)"
         } elseif ($Type -eq 'CleanupRule') {
             if ($Item.Where) {
                 $Where = [scriptblock]::Create($Item.Where)
@@ -35,6 +36,8 @@ function Push-TableCleanupTask {
             $DataTableProps = $Item.DataTableProps | ConvertTo-Json | ConvertFrom-Json -AsHashtable
             $Table = Get-CIPPTable -tablename $Item.TableName
             $CleanupCompleted = $false
+
+            $RowsRemoved = 0
             do {
                 Write-Information "Fetching entities from $($Item.TableName) with filter: $($DataTableProps.Filter)"
                 try {
@@ -43,6 +46,7 @@ function Push-TableCleanupTask {
                         Write-Information "Removing $($Entities.Count) entities from $($Item.TableName)"
                         try {
                             Remove-AzDataTableEntity @Table -Entity $Entities -Force
+                            $RowsRemoved += $Entities.Count
                             if ($DataTableProps.First -and $Entities.Count -lt $DataTableProps.First) {
                                 $CleanupCompleted = $true
                             }
@@ -59,9 +63,10 @@ function Push-TableCleanupTask {
                     $CleanupCompleted = $true
                 }
             } while (!$CleanupCompleted)
+            Write-Information "#### $($Type) task complete for $($Item.TableName). Rows removed: $RowsRemoved"
         } else {
             Write-Warning "Unknown task type: $Type"
         }
     }
-    Write-Information "#### $($Type) task complete"
+
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Contacts/Invoke-ListContacts.ps1

@@ -1,7 +1,7 @@
 using namespace System.Collections.Generic
 using namespace System.Text.RegularExpressions
 
-Function Invoke-ListContacts {
+function Invoke-ListContacts {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -18,10 +18,9 @@ Function Invoke-ListContacts {
     # Early validation and exit
     if (-not $TenantFilter) {
         return ([HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::BadRequest
-            Body       = 'tenantFilter is required'
-        })
-        return
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = 'tenantFilter is required'
+            })
     }
 
     # Pre-compiled regex for MailTip cleaning
@@ -52,35 +51,35 @@ Function Invoke-ListContacts {
         $phones = if ($phoneCapacity -gt 0) {
             $phoneList = [List[hashtable]]::new($phoneCapacity)
             if ($Contact.Phone) {
-                $phoneList.Add(@{ type = "business"; number = $Contact.Phone })
+                $phoneList.Add(@{ type = 'business'; number = $Contact.Phone })
             }
             if ($Contact.MobilePhone) {
-                $phoneList.Add(@{ type = "mobile"; number = $Contact.MobilePhone })
+                $phoneList.Add(@{ type = 'mobile'; number = $Contact.MobilePhone })
             }
             $phoneList.ToArray()
         } else { @() }
 
         return @{
-            id = $Contact.Id
-            displayName = $Contact.DisplayName
-            givenName = $Contact.FirstName
-            surname = $Contact.LastName
-            mail = $mailAddress
-            companyName = $Contact.Company
-            jobTitle = $Contact.Title
-            website = $Contact.WebPage
-            notes = $Contact.Notes
-            hidefromGAL = $MailContact.HiddenFromAddressListsEnabled
-            mailTip = $cleanMailTip
+            id                    = $Contact.Id
+            displayName           = $Contact.DisplayName
+            givenName             = $Contact.FirstName
+            surname               = $Contact.LastName
+            mail                  = $mailAddress
+            companyName           = $Contact.Company
+            jobTitle              = $Contact.Title
+            website               = $Contact.WebPage
+            notes                 = $Contact.Notes
+            hidefromGAL           = $MailContact.HiddenFromAddressListsEnabled
+            mailTip               = $cleanMailTip
             onPremisesSyncEnabled = $Contact.IsDirSynced
-            addresses = @(@{
-                street = $Contact.StreetAddress
-                city = $Contact.City
-                state = $Contact.StateOrProvince
-                countryOrRegion = $Contact.CountryOrRegion
-                postalCode = $Contact.PostalCode
-            })
-            phones = $phones
+            addresses             = @(@{
+                    street          = $Contact.StreetAddress
+                    city            = $Contact.City
+                    state           = $Contact.StateOrProvince
+                    countryOrRegion = $Contact.CountryOrRegion
+                    postalCode      = $Contact.PostalCode
+                })
+            phones                = $phones
         }
     }
 
@@ -98,20 +97,29 @@ Function Invoke-ListContacts {
             }
 
             if (!$Contact -or !$MailContact) {
-                throw "Contact not found or insufficient permissions"
+                throw 'Contact not found or insufficient permissions'
             }
 
             $ContactResponse = ConvertTo-ContactObject -Contact $Contact -MailContact $MailContact
 
         } else {
             # Get all contacts - simplified approach
-            Write-Host "Getting all contacts"
+            Write-Host 'Getting all contacts'
 
             $ContactResponse = New-EXORequest -tenantid $TenantFilter -cmdlet 'Get-Contact' -cmdParams @{
-                Filter = "RecipientTypeDetails -eq 'MailContact'"
+                Filter     = "RecipientTypeDetails -eq 'MailContact'"
                 ResultSize = 'Unlimited'
             } | Select-Object -Property City, Company, Department, DisplayName, FirstName, LastName, IsDirSynced, Guid, WindowsEmailAddress
 
+            # Add Graph ID to each contact based on email match
+            $GraphContacts = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/contacts' -tenantid $TenantFilter
+            foreach ($contact in $ContactResponse) {
+                $GraphMatch = $GraphContacts | Where-Object { $_.mail -eq $contact.WindowsEmailAddress }
+                if ($GraphMatch) {
+                    $contact | Add-Member -MemberType NoteProperty -Name 'graphId' -Value $GraphMatch.id -Force
+                }
+            }
+
             # Return empty array if no contacts found
             if (!$ContactResponse) {
                 $ContactResponse = @()
@@ -128,7 +136,7 @@ Function Invoke-ListContacts {
     }
 
     return ([HttpResponseContext]@{
-        StatusCode = $StatusCode
-        Body       = $ContactResponse
-    })
+            StatusCode = $StatusCode
+            Body       = $ContactResponse
+        })
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Invoke-ExecSetCloudManaged.ps1

@@ -0,0 +1,43 @@
+function Invoke-ExecSetCloudManaged {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Identity.DirSync.ReadWrite
+    .DESCRIPTION
+        Sets the cloud-managed status of a user, group, or contact.
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+
+    # Interact with query parameters or the body of the request.
+    $TenantFilter = $Request.Body.tenantFilter
+    $GroupID = $Request.Body.ID
+    $DisplayName = $Request.Body.displayName
+    $Type = $Request.Body.type
+    $IsCloudManaged = [System.Convert]::ToBoolean($Request.Body.isCloudManaged)
+
+    try {
+        $Params = @{
+            Id             = $GroupID
+            TenantFilter   = $TenantFilter
+            DisplayName    = $DisplayName
+            Type           = $Type
+            IsCloudManaged = $IsCloudManaged
+            APIName        = $APIName
+            Headers        = $Headers
+        }
+        $Result = Set-CIPPCloudManaged @Params
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $Result = "$($_.Exception.Message)"
+        $StatusCode = [HttpStatusCode]::InternalServerError
+    }
+    return ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @{'Results' = $Result }
+        })
+}

Modules/CIPPCore/Public/Remove-CIPPGroups.ps1

@@ -11,43 +11,127 @@ function Remove-CIPPGroups {
     if (-not $userid) {
         $UserID = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)" -tenantid $TenantFilter).id
     }
-    $AllGroups = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups/?`$select=displayName,mailEnabled,id,groupTypes,assignedLicenses&`$top=999" -tenantid $TenantFilter)
+    $AllGroups = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups/?`$select=displayName,mailEnabled,id,groupTypes,assignedLicenses,onPremisesSyncEnabled,membershipRule&`$top=999" -tenantid $TenantFilter)
 
-    $Returnval = (New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($UserID)/GetMemberGroups" -tenantid $TenantFilter -type POST -body '{"securityEnabledOnly": false}').value | ForEach-Object -Parallel {
-        Import-Module '.\Modules\AzBobbyTables'
-        Import-Module '.\Modules\CIPPCore'
-        $Group = $_
+    # Get user's groups
+    $UserGroups = (New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($UserID)/GetMemberGroups" -tenantid $TenantFilter -type POST -body '{"securityEnabledOnly": false}').value
 
-        try {
-            $GroupName = ($using:AllGroups | Where-Object -Property id -EQ $Group).displayName
-            $IsMailEnabled = ($using:AllGroups | Where-Object -Property id -EQ $Group).mailEnabled
-            $IsM365Group = $null -ne ($using:AllGroups | Where-Object { $_.id -eq $Group -and $_.groupTypes -contains 'Unified' })
-            $IsLicensed = ($using:AllGroups | Where-Object -Property id -EQ $Group).assignedLicenses.Count -gt 0
-
-            if ($IsLicensed) {
-                "Could not remove $($using:Username) from $GroupName. This is because the group has licenses assigned to it."
-            } else {
-                if ($IsM365Group) {
-                    $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$_/members/$($using:UserID)/`$ref" -tenantid $using:TenantFilter -type DELETE -body '' -Verbose
-                } elseif (-not $IsMailEnabled) {
-                    $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$_/members/$($using:UserID)/`$ref" -tenantid $using:TenantFilter -type DELETE -body '' -Verbose
-                } elseif ($IsMailEnabled) {
-                    $Params = @{ Identity = $GroupName; Member = $using:UserID ; BypassSecurityGroupManagerCheck = $true }
-                    New-ExoRequest -tenantid $using:tenantFilter -cmdlet 'Remove-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true
+    if (-not $UserGroups) {
+        $Returnval = "$($Username) is not a member of any groups."
+        Write-LogMessage -headers $Headers -API $APIName -message "$($Username) is not a member of any groups" -Sev 'Info' -tenant $TenantFilter
+        return $Returnval
+    }
+
+    # Initialize bulk request arrays and results
+    $BulkRequests = [System.Collections.Generic.List[object]]::new()
+    $ExoBulkRequests = [System.Collections.Generic.List[object]]::new()
+    $GraphLogs = [System.Collections.Generic.List[object]]::new()
+    $ExoLogs = [System.Collections.Generic.List[object]]::new()
+    $Results = [System.Collections.Generic.List[string]]::new()
+
+    # Process each group and prepare bulk requests
+    foreach ($Group in $UserGroups) {
+        $GroupInfo = $AllGroups | Where-Object -Property id -EQ $Group
+        $GroupName = $GroupInfo.displayName
+        $IsMailEnabled = $GroupInfo.mailEnabled
+        $IsM365Group = $null -ne ($AllGroups | Where-Object { $_.id -eq $Group -and $_.groupTypes -contains 'Unified' })
+        $IsLicensed = $GroupInfo.assignedLicenses.Count -gt 0
+        $IsDynamic = -not [string]::IsNullOrWhiteSpace($GroupInfo.membershipRule)
+
+        if ($IsLicensed) {
+            $Results.Add("Could not remove $Username from group '$GroupName' because it has assigned licenses. These groups are removed during the license removal step.")
+            Write-LogMessage -headers $Headers -API $APIName -message "Could not remove $Username from group '$GroupName' because it has assigned licenses. These groups are removed during the license removal step." -Sev 'Warning' -tenant $TenantFilter
+        } elseif ($IsDynamic) {
+            $Results.Add("Error: Could not remove $Username from group '$GroupName' because it is a Dynamic Group.")
+            Write-LogMessage -headers $Headers -API $APIName -message "Could not remove $Username from group '$GroupName' because it is a Dynamic Group." -Sev 'Warning' -tenant $TenantFilter
+        } elseif ($GroupInfo.onPremisesSyncEnabled) {
+            $Results.Add("Error: Could not remove $Username from group '$GroupName' because it is synced with Active Directory.")
+            Write-LogMessage -headers $Headers -API $APIName -message "Could not remove $Username from group '$GroupName' because it is synced with Active Directory." -Sev 'Warning' -tenant $TenantFilter
+        } else {
+            if ($IsM365Group -or (-not $IsMailEnabled)) {
+                # Use Graph API for M365 Groups and Security Groups
+                $BulkRequests.Add(@{
+                        id     = "removeFromGroup-$Group"
+                        method = 'DELETE'
+                        url    = "groups/$Group/members/$UserID/`$ref"
+                    })
+                $GraphLogs.Add(@{
+                        message   = "Removed $Username from $GroupName"
+                        id        = "removeFromGroup-$Group"
+                        groupName = $GroupName
+                    })
+            } elseif ($IsMailEnabled) {
+                # Use Exchange Online for Distribution Lists
+                $Params = @{
+                    Identity                        = $GroupName
+                    Member                          = $UserID
+                    BypassSecurityGroupManagerCheck = $true
                 }
+                $ExoBulkRequests.Add(@{
+                        CmdletInput = @{
+                            CmdletName = 'Remove-DistributionGroupMember'
+                            Parameters = $Params
+                        }
+                    })
+                $ExoLogs.Add(@{
+                        message   = "Removed $Username from $GroupName"
+                        target    = $UserID
+                        groupName = $GroupName
+                    })
+            }
+        }
+    }
 
-                Write-LogMessage -headers $using:Headers -API $($using:APIName) -message "Removed $($using:Username) from $GroupName" -Sev 'Info' -tenant $using:TenantFilter
-                "Successfully removed $($using:Username) from group $GroupName"
+    # Execute Graph bulk requests
+    if ($BulkRequests.Count -gt 0) {
+        try {
+            $RawGraphRequest = New-GraphBulkRequest -tenantid $TenantFilter -scope 'https://graph.microsoft.com/.default' -Requests @($BulkRequests) -asapp $true
+
+            foreach ($GraphLog in $GraphLogs) {
+                $GraphError = $RawGraphRequest | Where-Object { $_.id -eq $GraphLog.id -and $_.status -notmatch '^2[0-9]+' }
+                if ($GraphError) {
+                    $Message = Get-NormalizedError -message $GraphError.body.error
+                    $Results.Add("Could not remove $Username from group '$($GraphLog.groupName)': $Message. This is likely because it's a Dynamic Group or synced with Active Directory")
+                    Write-LogMessage -headers $Headers -API $APIName -message "Could not remove $Username from group '$($GraphLog.groupName)': $Message" -Sev 'Error' -tenant $TenantFilter
+                } else {
+                    $Results.Add("Successfully removed $Username from group '$($GraphLog.groupName)'")
+                    Write-LogMessage -headers $Headers -API $APIName -message $GraphLog.message -Sev 'Info' -tenant $TenantFilter
+                }
             }
         } catch {
             $ErrorMessage = Get-CippException -Exception $_
-            Write-LogMessage -headers $using:Headers -API $($using:APIName) -message "Could not remove $($using:Username) from group $GroupName : $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $using:TenantFilter -LogData $ErrorMessage
-            "Could not remove $($using:Username) from group $($GroupName): $($ErrorMessage.NormalizedError). This is likely because its a Dynamic Group or synched with active directory"
+            Write-LogMessage -headers $Headers -API $APIName -message "Error executing Graph bulk requests: $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
+            $Results.Add("Error executing bulk removal requests: $($ErrorMessage.NormalizedError)")
         }
     }
-    if (-not $Returnval) {
-        $Returnval = "$($Username) is not a member of any groups."
-        Write-LogMessage -headers $Headers -API $APIName -message "$($Username) is not a member of any groups" -Sev 'Info' -tenant $TenantFilter
+
+    # Execute Exchange Online bulk requests
+    if ($ExoBulkRequests.Count -gt 0) {
+        try {
+            $RawExoRequest = New-ExoBulkRequest -tenantid $TenantFilter -cmdletArray @($ExoBulkRequests)
+            $LastError = $RawExoRequest | Select-Object -Last 1
+
+            foreach ($ExoError in $LastError.error) {
+                $Results.Add("Error - $ExoError")
+                Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $ExoError -Sev 'Error'
+            }
+
+            foreach ($ExoLog in $ExoLogs) {
+                $ExoError = $LastError | Where-Object { $ExoLog.target -in $_.target -and $_.error }
+                if (!$LastError -or ($LastError.error -and $LastError.target -notcontains $ExoLog.target)) {
+                    $Results.Add("Successfully removed $Username from group $($ExoLog.groupName)")
+                    Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $ExoLog.message -Sev 'Info'
+                } else {
+                    $Results.Add("Could not remove $Username from $($ExoLog.groupName). This is likely because its a Dynamic Group or synched with active directory")
+                    Write-LogMessage -headers $Headers -API $APIName -message "Could not remove $Username from $($ExoLog.groupName)" -Sev 'Error' -tenant $TenantFilter
+                }
+            }
+        } catch {
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-LogMessage -headers $Headers -API $APIName -message "Error executing Exchange bulk requests: $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
+            $Results.Add("Error executing bulk Exchange requests: $($ErrorMessage.NormalizedError)")
+        }
     }
-    return $Returnval
+
+    return $Results
 }

Modules/CIPPCore/Public/SAMManifest.json

@@ -538,6 +538,18 @@
         {
           "id": "0a42382f-155c-4eb1-9bdc-21548ccaa387",
           "type": "Role"
+        },
+        {
+          "id": "2d9bd318-b883-40be-9df7-63ec4fcdc424",
+          "type": "Role"
+        },
+        {
+          "id": "c8948c23-e66b-42db-83fd-770b71ab78d2",
+          "type": "Role"
+        },
+        {
+          "id": "a94a502d-0281-4d15-8cd2-682ac9362c4c",
+          "type": "Role"
         }
       ]
     },