Merge pull request #612 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

CIPPTimers.json

@@ -203,5 +203,14 @@
     "Priority": 20,
     "RunOnProcessor": true,
     "IsSystem": true
+  },
+  {
+    "Id": "b8f3c2e1-5d4a-4f7b-9a2c-1e6d8f3b5a7c",
+    "Command": "Start-BackupRetentionCleanup",
+    "Description": "Timer to cleanup old backups based on retention policy",
+    "Cron": "0 0 2 * * *",
+    "Priority": 21,
+    "RunOnProcessor": true,
+    "IsSystem": true
   }
 ]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1

@@ -0,0 +1,84 @@
+function Get-CIPPAlertGlobalAdminAllowList {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        $AllowedAdmins = @()
+        $AlertEachAdmin = $false
+        if ($InputValue -is [hashtable] -or $InputValue -is [pscustomobject]) {
+            $AlertEachAdmin = [bool]($InputValue['AlertEachAdmin'])
+            $ApprovedValue = if ($InputValue.ContainsKey('ApprovedGlobalAdmins') -or ($InputValue.PSObject.Properties.Name -contains 'ApprovedGlobalAdmins')) {
+                $InputValue['ApprovedGlobalAdmins']
+            } else {
+                $null
+            }
+            $InputValue = $ApprovedValue
+        }
+        if ($null -ne $InputValue) {
+            if ($InputValue -is [string]) {
+                $AllowedAdmins = $InputValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+            } elseif ($InputValue -is [System.Collections.IEnumerable]) {
+                $AllowedAdmins = $InputValue | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ }
+            } else {
+                $AllowedAdmins = @("$InputValue")
+            }
+        }
+        $AllowedLookup = $AllowedAdmins | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
+
+        if (-not $AllowedLookup -or $AllowedLookup.Count -eq 0) {
+            return
+        }
+
+        $GlobalAdmins = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members?`$select=id,displayName,userPrincipalName" -tenantid $TenantFilter -AsApp $true -ErrorAction Stop | Where-Object {
+            $_.'@odata.type' -eq '#microsoft.graph.user' -and $_.displayName -ne 'On-Premises Directory Synchronization Service Account'
+        }
+
+        $UnapprovedAdmins = foreach ($admin in $GlobalAdmins) {
+            if ([string]::IsNullOrWhiteSpace($admin.userPrincipalName)) { continue }
+            $UpnPrefix = ($admin.userPrincipalName -split '@')[0].ToLowerInvariant()
+            if ($AllowedLookup -notcontains $UpnPrefix) {
+                [PSCustomObject]@{
+                    Admin      = $admin
+                    UpnPrefix  = $UpnPrefix
+                }
+            }
+        }
+
+        if ($UnapprovedAdmins) {
+            if ($AlertEachAdmin) {
+                $AlertData = foreach ($item in $UnapprovedAdmins) {
+                    $admin = $item.Admin
+                    $UpnPrefix = $item.UpnPrefix
+                    [PSCustomObject]@{
+                        Message           = "$($admin.userPrincipalName) has Global Administrator role but is not in the approved allow list (prefix '$UpnPrefix')."
+                        DisplayName       = $admin.displayName
+                        UserPrincipalName = $admin.userPrincipalName
+                        Id                = $admin.id
+                        AllowedList       = if ($AllowedAdmins) { $AllowedAdmins -join ', ' } else { 'Not provided' }
+                        Tenant            = $TenantFilter
+                    }
+                }
+            } else {
+                $NonCompliantUpns = @($UnapprovedAdmins.Admin.userPrincipalName)
+                $AlertData = @([PSCustomObject]@{
+                        Message            = "Found $($NonCompliantUpns.Count) Global Administrator account(s) not in the approved allow list."
+                        NonCompliantUsers  = $NonCompliantUpns
+                        ApprovedPrefixes   = if ($AllowedAdmins) { $AllowedAdmins -join ', ' } else { 'Not provided' }
+                        Tenant             = $TenantFilter
+                    })
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        }
+    } catch {
+        Write-AlertMessage -tenant $TenantFilter -message "Failed to check approved Global Admins: $(Get-NormalizedError -message $_.Exception.Message)"
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-SchedulerCIPPNotifications.ps1

@@ -115,6 +115,7 @@ function Push-SchedulerCIPPNotifications {
             }
 
             if ($CurrentStandardsLogs) {
+                $Data = $CurrentStandardsLogs
                 $JSONContent = New-CIPPAlertTemplate -Data $Data -Format 'json' -InputObject 'table' -CIPPURL $CIPPURL
                 $CurrentStandardsLogs | ConvertTo-Json -Compress
                 Send-CIPPAlert -Type 'webhook' -JSONContent $JSONContent -TenantFilter $Tenant -APIName 'Alerts'

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsApplyBatch.ps1

@@ -7,23 +7,29 @@ function Push-CIPPStandardsApplyBatch {
 
     try {
         # Aggregate all standards from all tenants
-        $AllStandards = @($Item.Results | Where-Object { $_ -and $_.FunctionName -eq 'CIPPStandard' })
+        $AllStandards = $Item.Results | ForEach-Object {
+            foreach ($Standard in $_) {
+                if ($Standard -and $Standard.FunctionName -eq 'CIPPStandard') {
+                    $Standard
+                }
+            }
+        }
 
         if ($AllStandards.Count -eq 0) {
             Write-Information 'No standards to apply across all tenants'
             return
         }
 
-        Write-Information "Aggregated $($AllStandards.Count) standards from all tenants"
+        Write-Information "Aggregated $($AllStandards.Count) standards from all tenants: $($AllStandards | ConvertTo-Json -Depth 5 -Compress)"
 
         # Start orchestrator to apply standards
         $InputObject = [PSCustomObject]@{
             OrchestratorName = 'StandardsApply'
             Batch            = @($AllStandards)
             SkipLog          = $true
-        }
-
-        $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+        } | ConvertTo-Json -Depth 25 -Compress
+        Write-Host "Standards InputObject: $InputObject"
+        $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject $InputObject
         Write-Information "Started standards apply orchestrator with ID = '$InstanceId'"
 
     } catch {

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsList.ps1

@@ -170,7 +170,7 @@ function Push-CIPPStandardsList {
 
                         # Remove if both unchanged
                         if (-not $PolicyChanged -and -not $StandardTemplateChanged) {
-                            [void]$ComputedStandards.Remove($Key)
+x                            [void]$ComputedStandards.Remove($Key)
                         }
                     }
                 } catch {
@@ -181,7 +181,7 @@ function Push-CIPPStandardsList {
 
         Write-Host "Returning $($ComputedStandards.Count) standards for tenant $TenantFilter after filtering."
         # Return filtered standards
-        $ComputedStandards.Values | ForEach-Object {
+        $FilteredStandards = $ComputedStandards.Values | ForEach-Object {
             [PSCustomObject]@{
                 Tenant       = $_.Tenant
                 Standard     = $_.Standard
@@ -190,6 +190,8 @@ function Push-CIPPStandardsList {
                 FunctionName = 'CIPPStandard'
             }
         }
+        Write-Host "Sending back $($FilteredStandards.Count) standards: $($FilteredStandards | ConvertTo-Json -Depth 5 -Compress)"
+        return $FilteredStandards
 
     } catch {
         Write-Warning "Error listing standards for $TenantFilter : $($_.Exception.Message)"

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecBackupRetentionConfig.ps1

@@ -0,0 +1,56 @@
+function Invoke-ExecBackupRetentionConfig {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        CIPP.AppSettings.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $Table = Get-CIPPTable -TableName Config
+    $Filter = "PartitionKey eq 'BackupRetention' and RowKey eq 'Settings'"
+
+    $results = try {
+        if ($Request.Query.List) {
+            $RetentionSettings = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+            if (!$RetentionSettings) {
+                # Return default values if not set
+                @{
+                    RetentionDays = 30
+                }
+            } else {
+                @{
+                    RetentionDays = [int]$RetentionSettings.RetentionDays
+                }
+            }
+        } else {
+            $RetentionDays = [int]$Request.Body.RetentionDays
+
+            # Validate minimum value
+            if ($RetentionDays -lt 7) {
+                throw 'Retention days must be at least 7 days'
+            }
+
+            $RetentionConfig = @{
+                'RetentionDays' = $RetentionDays
+                'PartitionKey'  = 'BackupRetention'
+                'RowKey'        = 'Settings'
+            }
+
+            Add-CIPPAzDataTableEntity @Table -Entity $RetentionConfig -Force | Out-Null
+            Write-LogMessage -headers $Request.Headers -API $Request.Params.CIPPEndpoint -message "Set backup retention to $RetentionDays days" -Sev 'Info'
+            "Successfully set backup retention to $RetentionDays days"
+        }
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -headers $Request.Headers -API $Request.Params.CIPPEndpoint -message "Failed to set backup retention configuration: $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
+        "Failed to set configuration: $($ErrorMessage.NormalizedError)"
+    }
+
+    $body = [pscustomobject]@{'Results' = $Results }
+
+    return ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $body
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDevicePasscodeAction.ps1

@@ -0,0 +1,53 @@
+function Invoke-ExecDevicePasscodeAction {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Endpoint.MEM.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+
+    $Action = $Request.Body.Action
+    $DeviceFilter = $Request.Body.GUID
+    $TenantFilter = $Request.Body.tenantFilter
+
+    try {
+        $GraphResponse = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$DeviceFilter')/$($Action)" -type POST -tenantid $TenantFilter -body '{}'
+
+        $Result = switch ($Action) {
+            'resetPasscode' {
+                if ($GraphResponse.value) {
+                    "Passcode reset successfully. New passcode: $($GraphResponse.value)"
+                } else {
+                    "Passcode reset queued for device $DeviceFilter. The new passcode will be generated and can be retrieved from the device details."
+                }
+            }
+            'removeDevicePasscode' {
+                "Successfully removed passcode requirement from device $DeviceFilter"
+            }
+            default {
+                "Successfully queued $Action on device $DeviceFilter"
+            }
+        }
+
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev Info
+        $StatusCode = [HttpStatusCode]::OK
+        $Results = $Result
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $Result = "Failed to execute $Action on device $DeviceFilter : $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev Error -LogData $ErrorMessage
+        $StatusCode = [HttpStatusCode]::InternalServerError
+        $Results = $Result
+    }
+
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @{Results = $Results }
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -32,6 +32,7 @@ function Invoke-ExecJITAdmin {
                 'UserPrincipalName' = $Username
             }
             Expiration   = $Expiration
+            StartDate    = $Start
             Reason       = $Request.Body.reason
             Action       = 'Create'
             TenantFilter = $TenantFilter
@@ -152,6 +153,7 @@ function Invoke-ExecJITAdmin {
         Action       = 'AddRoles'
         Reason       = $Request.Body.Reason
         Expiration   = $Expiration
+        StartDate    = $Start
         Headers      = $Headers
         APIName      = $APIName
     }
@@ -173,7 +175,7 @@ function Invoke-ExecJITAdmin {
         }
         Add-CIPPScheduledTask -Task $TaskBody -hidden $false
         if ($Request.Body.userAction -ne 'create') {
-            Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $Request.Body.existingUser.value -Expiration $Expiration -Reason $Request.Body.Reason
+            Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $Request.Body.existingUser.value -Expiration $Expiration -StartDate $Start -Reason $Request.Body.Reason -CreatedBy (([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails)
         }
         $Results.Add("Scheduling JIT Admin enable task for $Username")
     } else {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListJITAdmin.ps1

@@ -46,7 +46,9 @@
                 accountEnabled     = $_.accountEnabled
                 jitAdminEnabled    = $_.($Schema.id).jitAdminEnabled
                 jitAdminExpiration = $_.($Schema.id).jitAdminExpiration
+                jitAdminStartDate  = $_.($Schema.id).jitAdminStartDate
                 jitAdminReason     = $_.($Schema.id).jitAdminReason
+                jitAdminCreatedBy  = $_.($Schema.id).jitAdminCreatedBy
                 memberOf           = $MemberOf
             }
         }
@@ -109,7 +111,9 @@
                         accountEnabled     = $UserObject.accountEnabled
                         jitAdminEnabled    = $UserObject.jitAdminEnabled
                         jitAdminExpiration = $UserObject.jitAdminExpiration
+                        jitAdminStartDate  = $UserObject.jitAdminStartDate
                         jitAdminReason     = $UserObject.jitAdminReason
+                        jitAdminCreatedBy  = $UserObject.jitAdminCreatedBy
                         memberOf           = $UserObject.memberOf
                     }
                 )

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-CIPPStandardsRun.ps1

@@ -54,6 +54,7 @@ function Invoke-CIPPStandardsRun {
         }
 
         # Get tenant list for batch processing
+        write-host "Getting tenants for filter: $TenantFilter"
         $AllTenantsList = if ($TenantFilter -eq 'allTenants') {
             Get-Tenants
         } else {