Refactor standards orchestration to batch activities

JohnDuprey · JohnDuprey · commit b6c5c749dda5 · 2025-12-13T01:05:06.000-05:00
Introduces Push-CIPPStandardsApplyBatch and Push-CIPPStandardsList entrypoints to support distributed, per-tenant standards listing and aggregation. Refactors Invoke-CIPPStandardsRun to build and orchestrate tenant batches, and moves license and policy timestamp filtering logic from Get-CIPPStandards to Push-CIPPStandardsList for improved scalability and separation of concerns.
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsApplyBatch.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsApplyBatch.ps1
@@ -0,0 +1,35 @@
+function Push-CIPPStandardsApplyBatch {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    param($Item)
+
+    try {
+        # Aggregate all standards from all tenants
+        $AllStandards = @($Item.Results | Where-Object { $_ -and $_.FunctionName -eq 'CIPPStandard' })
+
+        if ($AllStandards.Count -eq 0) {
+            Write-Information 'No standards to apply across all tenants'
+            return
+        }
+
+        Write-Information "Aggregated $($AllStandards.Count) standards from all tenants"
+
+        # Start orchestrator to apply standards
+        $InputObject = [PSCustomObject]@{
+            OrchestratorName = 'StandardsApply'
+            Batch            = @($AllStandards)
+            SkipLog          = $true
+        }
+
+        $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+        Write-Information "Started standards apply orchestrator with ID = '$InstanceId'"
+
+    } catch {
+        Write-Warning "Error in standards apply batch aggregation: $($_.Exception.Message)"
+    }
+    return @{
+        Success = $true
+    }
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsList.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsList.ps1
@@ -0,0 +1,197 @@
+function Push-CIPPStandardsList {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    param($Item)
+
+    $TenantFilter = $Item.TenantFilter
+    $runManually = $Item.runManually
+    $TemplateId = $Item.TemplateId
+
+    try {
+        # Get standards for this tenant
+        $GetStandardParams = @{
+            TenantFilter = $TenantFilter
+            runManually  = $runManually
+        }
+        if ($TemplateId) {
+            $GetStandardParams['TemplateId'] = $TemplateId
+        }
+
+        $AllStandards = Get-CIPPStandards @GetStandardParams
+
+        if ($AllStandards.Count -eq 0) {
+            Write-Information "No standards found for tenant $TenantFilter"
+            return @()
+        }
+
+        # Build hashtable for efficient lookup
+        $ComputedStandards = @{}
+        foreach ($Standard in $AllStandards) {
+            $Key = "$($Standard.Standard)|$($Standard.Settings.TemplateList.value)"
+            $ComputedStandards[$Key] = $Standard
+        }
+
+        # Check if IntuneTemplate standards are present
+        $IntuneTemplateFound = ($ComputedStandards.Keys.Where({ $_ -like '*IntuneTemplate*' }, 'First').Count -gt 0)
+
+        if ($IntuneTemplateFound) {
+            # Perform license check
+            $TestResult = Test-CIPPStandardLicense -StandardName 'IntuneTemplate_general' -TenantFilter $TenantFilter -RequiredCapabilities @('INTUNE_A', 'MDM_Services', 'EMS', 'SCCM', 'MICROSOFTINTUNEPLAN1')
+
+            if (-not $TestResult) {
+                # Remove IntuneTemplate standards and set compare fields
+                $IntuneKeys = @($ComputedStandards.Keys | Where-Object { $_ -like '*IntuneTemplate*' })
+                $BulkFields = [System.Collections.Generic.List[object]]::new()
+
+                foreach ($Key in $IntuneKeys) {
+                    $TemplateKey = ($Key -split '\|', 2)[1]
+                    if ($TemplateKey) {
+                        $BulkFields.Add([PSCustomObject]@{
+                                FieldName  = "standards.IntuneTemplate.$TemplateKey"
+                                FieldValue = 'This tenant does not have the required license for this standard.'
+                            })
+                    }
+                    [void]$ComputedStandards.Remove($Key)
+                }
+
+                if ($BulkFields.Count -gt 0) {
+                    Set-CIPPStandardsCompareField -TenantFilter $TenantFilter -BulkFields $BulkFields
+                }
+
+                Write-Information "Removed IntuneTemplate standards for $TenantFilter - missing required license"
+            } else {
+                # License valid - check policy timestamps to filter unchanged templates
+                $TypeMap = @{
+                    Device                   = 'deviceManagement/deviceConfigurations'
+                    Catalog                  = 'deviceManagement/configurationPolicies'
+                    Admin                    = 'deviceManagement/groupPolicyConfigurations'
+                    deviceCompliancePolicies = 'deviceManagement/deviceCompliancePolicies'
+                    AppProtection_Android    = 'deviceAppManagement/androidManagedAppProtections'
+                    AppProtection_iOS        = 'deviceAppManagement/iosManagedAppProtections'
+                }
+
+                $BulkRequests = $TypeMap.GetEnumerator() | ForEach-Object {
+                    @{
+                        id     = $_.Key
+                        url    = "$($_.Value)?`$orderby=lastModifiedDateTime desc&`$select=id,lastModifiedDateTime&`$top=999"
+                        method = 'GET'
+                    }
+                }
+
+                try {
+                    $TrackingTable = Get-CippTable -tablename 'IntunePolicyTypeTracking'
+                    $BulkResults = New-GraphBulkRequest -Requests $BulkRequests -tenantid $TenantFilter -NoPaginateIds @($BulkRequests.id)
+                    $PolicyTimestamps = @{}
+
+                    foreach ($Result in $BulkResults) {
+                        $GraphTime = $Result.body.value[0].lastModifiedDateTime
+                        $GraphId = $Result.body.value[0].id
+                        $GraphCount = ($Result.body.value | Measure-Object).Count
+                        $Cached = Get-CIPPAzDataTableEntity @TrackingTable -Filter "PartitionKey eq '$TenantFilter' and RowKey eq '$($Result.id)'"
+
+                        $CountChanged = $false
+                        if ($Cached -and $Cached.PolicyCount -ne $null) {
+                            $CountChanged = ($GraphCount -ne $Cached.PolicyCount)
+                        }
+
+                        $IdChanged = $false
+                        if ($GraphId -and $Cached -and $Cached.LatestPolicyId) {
+                            $IdChanged = ($GraphId -ne $Cached.LatestPolicyId)
+                        }
+
+                        if ($GraphTime) {
+                            $GraphTimeUtc = ([DateTime]$GraphTime).ToUniversalTime()
+                            if ($Cached -and $Cached.LatestPolicyModified -and -not $IdChanged -and -not $CountChanged) {
+                                $CachedTimeUtc = ([DateTimeOffset]$Cached.LatestPolicyModified).UtcDateTime
+                                $TimeDiff = [Math]::Abs(($GraphTimeUtc - $CachedTimeUtc).TotalSeconds)
+                                $Changed = ($TimeDiff -gt 60)
+                            } else {
+                                $Changed = $true
+                            }
+                            Add-CIPPAzDataTableEntity @TrackingTable -Entity @{
+                                PartitionKey         = $TenantFilter
+                                RowKey               = $Result.id
+                                LatestPolicyModified = $GraphTime
+                                LatestPolicyId       = $GraphId
+                                PolicyCount          = $GraphCount
+                            } -Force | Out-Null
+                        } else {
+                            $Changed = $true
+                        }
+
+                        $PolicyTimestamps[$Result.id] = $Changed
+                    }
+
+                    # Filter unchanged templates
+                    $TemplateTable = Get-CippTable -tablename 'templates'
+                    $StandardTemplateTable = Get-CippTable -tablename 'templates'
+                    $IntuneKeys = @($ComputedStandards.Keys | Where-Object { $_ -like '*IntuneTemplate*' })
+
+                    foreach ($Key in $IntuneKeys) {
+                        $Template = $ComputedStandards[$Key]
+                        $TemplateEntity = Get-CIPPAzDataTableEntity @TemplateTable -Filter "PartitionKey eq 'IntuneTemplate' and RowKey eq '$($Template.Settings.TemplateList.value)'"
+
+                        if (-not $TemplateEntity) { continue }
+
+                        $ParsedTemplate = $TemplateEntity.JSON | ConvertFrom-Json
+                        if (-not $ParsedTemplate.Type) { continue }
+
+                        $PolicyType = $ParsedTemplate.Type
+                        $PolicyChanged = if ($PolicyType -eq 'AppProtection') {
+                            [bool]($PolicyTimestamps['AppProtection_Android'] -or $PolicyTimestamps['AppProtection_iOS'])
+                        } else {
+                            [bool]$PolicyTimestamps[$PolicyType]
+                        }
+
+                        # Check StandardTemplate changes
+                        $StandardTemplate = Get-CIPPAzDataTableEntity @StandardTemplateTable -Filter "PartitionKey eq 'StandardsTemplateV2' and RowKey eq '$($Template.TemplateId)'"
+                        $StandardTemplateChanged = $false
+
+                        if ($StandardTemplate) {
+                            $StandardTimeUtc = ([DateTimeOffset]$StandardTemplate.Timestamp).UtcDateTime
+                            $CachedStandardTemplate = Get-CIPPAzDataTableEntity @TrackingTable -Filter "PartitionKey eq '$TenantFilter' and RowKey eq 'StandardTemplate_$($Template.TemplateId)'"
+
+                            if ($CachedStandardTemplate -and $CachedStandardTemplate.CachedTimestamp) {
+                                $CachedStandardTimeUtc = ([DateTimeOffset]$CachedStandardTemplate.CachedTimestamp).UtcDateTime
+                                $TimeDiff = [Math]::Abs(($StandardTimeUtc - $CachedStandardTimeUtc).TotalSeconds)
+                                $StandardTemplateChanged = ($TimeDiff -gt 60)
+                            } else {
+                                $StandardTemplateChanged = $true
+                            }
+
+                            Add-CIPPAzDataTableEntity @TrackingTable -Entity @{
+                                PartitionKey    = $TenantFilter
+                                RowKey          = "StandardTemplate_$($Template.TemplateId)"
+                                CachedTimestamp = $StandardTemplate.Timestamp
+                            } -Force | Out-Null
+                        }
+
+                        # Remove if both unchanged
+                        if (-not $PolicyChanged -and -not $StandardTemplateChanged) {
+                            [void]$ComputedStandards.Remove($Key)
+                        }
+                    }
+                } catch {
+                    Write-Warning "Timestamp check failed for $TenantFilter : $($_.Exception.Message)"
+                }
+            }
+        }
+
+        # Return filtered standards
+        $ComputedStandards.Values | ForEach-Object {
+            [PSCustomObject]@{
+                Tenant       = $_.Tenant
+                Standard     = $_.Standard
+                Settings     = $_.Settings
+                TemplateId   = $_.TemplateId
+                FunctionName = 'CIPPStandard'
+            }
+        }
+
+    } catch {
+        Write-Warning "Error listing standards for $TenantFilter : $($_.Exception.Message)"
+        return @()
+    }
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-CIPPStandardsRun.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-CIPPStandardsRun.ps1
@@ -48,49 +48,52 @@ function Invoke-CIPPStandardsRun {
     } else {
         Write-Information 'Classic Standards Run'
 
-        $GetStandardParams = @{
-            TenantFilter  = $TenantFilter
-            runManually   = $runManually
-            LicenseChecks = $true
-        }
-
-        if ($TemplateID) {
-            $GetStandardParams['TemplateId'] = $TemplateID
-        }
-
-        $AllTasks = Get-CIPPStandards @GetStandardParams
-
         if ($Force.IsPresent) {
             Write-Information 'Clearing Rerun Cache'
             Test-CIPPRerun -ClearAll -TenantFilter $TenantFilter -Type 'Standard'
         }
 
-        if ($AllTasks.Count -eq 0) {
-            Write-Information "No standards found for tenant $($TenantFilter)."
+        # Get tenant list for batch processing
+        $AllTenantsList = if ($TenantFilter -eq 'allTenants') {
+            Get-Tenants
+        } else {
+            Get-Tenants | Where-Object {
+                $_.defaultDomainName -eq $TenantFilter -or $_.customerId -eq $TenantFilter
+            }
+        }
+
+        if ($AllTenantsList.Count -eq 0) {
+            Write-Information "No tenants found for filter $TenantFilter"
             return
         }
 
-        #For each item in our object, run the queue.
-        $Queue = New-CippQueueEntry -Name "Applying Standards ($TenantFilter)" -TotalTasks ($AllTasks | Measure-Object).Count
+        # Build batch of per-tenant list activities
+        $Batch = foreach ($Tenant in $AllTenantsList) {
+            $BatchItem = @{
+                FunctionName = 'CIPPStandardsList'
+                TenantFilter = $Tenant.defaultDomainName
+                runManually  = $runManually
+            }
+            if ($TemplateID) {
+                $BatchItem['TemplateId'] = $TemplateID
+            }
+            $BatchItem
+        }
+
+        Write-Information "Built batch of $($Batch.Count) tenant standards list activities"
 
+        # Start orchestrator with distributed batch and post-exec aggregation
         $InputObject = [PSCustomObject]@{
-            OrchestratorName = 'StandardsOrchestrator'
-            QueueFunction    = @{
-                FunctionName   = 'GetStandards'
-                QueueId        = $Queue.RowKey
-                StandardParams = @{
-                    TenantFilter = $TenantFilter
-                    runManually  = $runManually
-                }
+            OrchestratorName = 'StandardsList'
+            Batch            = @($Batch)
+            PostExecution    = @{
+                FunctionName = 'CIPPStandardsApplyBatch'
             }
             SkipLog          = $true
         }
-        if ($TemplateID) {
-            $InputObject.QueueFunction.StandardParams['TemplateId'] = $TemplateID
-        }
+
         Write-Information "InputObject: $($InputObject | ConvertTo-Json -Depth 5 -Compress)"
         $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-        Write-Information "Started orchestration with ID = '$InstanceId'"
-        #$Orchestrator = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId
+        Write-Information "Started standards list orchestration with ID = '$InstanceId'"
     }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1 b/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1
