Merge pull request #416 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertDepTokenExpiry {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -13,7 +13,7 @@ function Get-CIPPAlertDepTokenExpiry {
 
     try {
         try {
-            $DepTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter).value
+            $DepTokens = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter
             $AlertData = foreach ($Dep in $DepTokens) {
                 if ($Dep.tokenExpirationDateTime -lt (Get-Date).AddDays(30) -and $Dep.tokenExpirationDateTime -gt (Get-Date).AddDays(-7)) {
                     $Message = 'Apple Device Enrollment Program token expiring on {0}' -f $Dep.tokenExpirationDateTime

Modules/CIPPCore/Public/Authentication/Get-CippAllowedPermissions.ps1

@@ -70,7 +70,6 @@ function Get-CippAllowedPermissions {
 
     # For admin and superadmin: Compute permissions from base role include/exclude rules
     if ($PrimaryRole -in @('admin', 'superadmin')) {
-        Write-Information "Computing permissions for $PrimaryRole using base role rules"
 
         if ($BaseRole) {
             # Start with all permissions and apply include/exclude rules
@@ -143,7 +142,19 @@ function Get-CippAllowedPermissions {
                 }
 
                 # Restrict base permissions to only those allowed by custom roles
-                $RestrictedPermissions = $BasePermissions | Where-Object { $CustomRolePermissions -contains $_ }
+                # Include Read permissions when ReadWrite permissions are present
+                $RestrictedPermissions = $BasePermissions | Where-Object {
+                    $Permission = $_
+                    if ($CustomRolePermissions -contains $Permission) {
+                        $true
+                    } elseif ($Permission -match 'Read$') {
+                        # Check if there's a corresponding ReadWrite permission
+                        $ReadWritePermission = $Permission -replace 'Read', 'ReadWrite'
+                        $CustomRolePermissions -contains $ReadWritePermission
+                    } else {
+                        $false
+                    }
+                }
                 foreach ($Permission in $RestrictedPermissions) {
                     if ($null -ne $Permission -and $Permission -is [string]) {
                         $AllowedPermissions.Add($Permission)
@@ -161,8 +172,6 @@ function Get-CippAllowedPermissions {
     }
     # Handle users with only custom roles (no base role)
     elseif ($CustomRoles.Count -gt 0) {
-        Write-Information 'Computing permissions for custom roles only'
-
         foreach ($CustomRole in $CustomRoles) {
             try {
                 $RolePermissions = Get-CIPPRolePermissions -RoleName $CustomRole

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1

@@ -43,7 +43,7 @@ function Invoke-ExecTenantGroup {
                 Add-CIPPAzDataTableEntity @Table -Entity $GroupEntity -Force
             }
 
-            $CurrentMembers = Get-CIPPAzDataTableEntity @MembersTable -Filter "GroupId eq '$groupId'"
+            $CurrentMembers = Get-CIPPAzDataTableEntity @MembersTable -Filter "PartitionKey eq 'Member' and GroupId eq '$groupId'"
 
             $Adds = [System.Collections.Generic.List[string]]::new()
             $Removes = [System.Collections.Generic.List[string]]::new()

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -134,19 +134,21 @@ function Invoke-ExecJITAdmin {
         if ($Request.Body.useraction -eq 'Create') {
             Write-LogMessage -Headers $User -API $APIName -tenant $TenantFilter -message "Creating JIT Admin user $($Request.Body.Username)" -Sev 'Info'
             Write-Information "Creating JIT Admin user $($Request.Body.username)"
+            $Domain = $Request.Body.Domain.value ? $Request.Body.Domain.value : $Request.Body.Domain
+
             $JITAdmin = @{
                 User         = @{
                     'FirstName'         = $Request.Body.FirstName
                     'LastName'          = $Request.Body.LastName
-                    'UserPrincipalName' = "$($Request.Body.Username)@$($Request.Body.Domain.value)"
+                    'UserPrincipalName' = "$($Request.Body.Username)@$($Domain)"
                 }
                 Expiration   = $Expiration
                 Action       = 'Create'
                 TenantFilter = $TenantFilter
             }
             $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
-            $Username = "$($Request.Body.Username)@$($Request.Body.Domain.value)"
-            $Results.Add("Created User: $($Request.Body.Username)@$($Request.Body.Domain.value)")
+            $Username = "$($Request.Body.Username)@$($Domain)"
+            $Results.Add("Created User: $Username")
             if (!$Request.Body.UseTAP) {
                 $Results.Add("Password: $($CreateResult.password)")
             }

…dards/Invoke-CIPPStandardExConnector.ps1 …IPPStandardExchangeConnectorTemplate.ps1Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 renamed to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExchangeConnectorTemplate.ps1 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 renamed to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExchangeConnectorTemplate.ps1

@@ -37,20 +37,20 @@ function Invoke-CIPPStandardMailContacts {
     try {
         $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant)
         $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -tenantid $Tenant
-    }
-    catch {
+    } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the MailContacts state for $Tenant. Error: $ErrorMessage" -Sev Error
         return
     }
     $contacts = $settings
     $TechAndSecurityContacts = @($Contacts.SecurityContact, $Contacts.TechContact)
 
+    $state = $CurrentInfo.marketingNotificationEmails -eq $Contacts.MarketingContact -and `
+    ($CurrentInfo.securityComplianceNotificationMails -in $TechAndSecurityContacts -or
+        $CurrentInfo.technicalNotificationMails -in $TechAndSecurityContacts) -and `
+        $CurrentInfo.privacyProfile.contactEmail -eq $Contacts.GeneralContact
+
     if ($Settings.remediate -eq $true) {
-        $state = $CurrentInfo.marketingNotificationEmails -eq $Contacts.MarketingContact -and `
-        ($CurrentInfo.securityComplianceNotificationMails -in $TechAndSecurityContacts -or
-            $CurrentInfo.technicalNotificationMails -in $TechAndSecurityContacts) -and `
-            $CurrentInfo.privacyProfile.contactEmail -eq $Contacts.GeneralContact
         if ($state) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Contact emails are already set.' -sev Info
         } else {