Merge branch 'KelvinTegelaar:master' into master

Author: ruhanstander

.github/workflows/dev_clouduptest.yml

@@ -0,0 +1,32 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - clouduptest
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+      
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'clouduptest'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_9B9E8B9A9BBE446188BCA9F126A1B646 }}
+          sku: 'flexconsumption'
+        

Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1

@@ -102,6 +102,7 @@ function Add-CIPPAzDataTableEntity {
 
                             $propertiesToRemove = [System.Collections.Generic.List[object]]::new()
                             foreach ($key in $SingleEnt.Keys) {
+                                if ($key -in @('RowKey', 'PartitionKey')) { continue }
                                 $newEntitySize = [System.Text.Encoding]::UTF8.GetByteCount($($newEntity | ConvertTo-Json -Compress))
                                 if ($newEntitySize -lt $MaxRowSize) {
                                     $propertySize = [System.Text.Encoding]::UTF8.GetByteCount($SingleEnt[$key].ToString())

Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1

@@ -19,6 +19,9 @@ function Add-CIPPScheduledTask {
         [Parameter(Mandatory = $true, ParameterSetName = 'RunNow')]
         [string]$RowKey,
 
+        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [string]$DesiredStartTime = $null,
+
         [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
         [Parameter(Mandatory = $false, ParameterSetName = 'RunNow')]
         $Headers
@@ -119,8 +122,24 @@ function Add-CIPPScheduledTask {
                 $task.Recurrence.value
             }
 
-            if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
-                $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+            if ($DesiredStartTime) {
+                try {
+                    # Parse the epoch time
+                    $epochSeconds = [int64]$DesiredStartTime
+                    # Set ScheduledTime to the desired time
+                    $task.ScheduledTime = $epochSeconds
+                } catch {
+                    Write-Warning "Failed to parse DesiredStartTime: $DesiredStartTime. Using provided ScheduledTime."
+                    # Fall back to default
+                    if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
+                        $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+                    }
+                }
+            } else {
+                # No DesiredStartTime - use current behavior (immediate execution)
+                if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
+                    $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+                }
             }
             $excludedTenants = if ($task.excludedTenants.value) {
                 $task.excludedTenants.value -join ','
@@ -166,6 +185,10 @@ function Add-CIPPScheduledTask {
                 Hidden               = [bool]$Hidden
                 Results              = 'Planned'
             }
+            # Always store DesiredStartTime if provided
+            if ($DesiredStartTime) {
+                $entity['DesiredStartTime'] = [string]$DesiredStartTime
+            }
 
             # Store the original tenant filter for group expansion during execution
             if ($originalTenantFilter -is [PSCustomObject] -and $originalTenantFilter.type -eq 'Group') {
@@ -190,6 +213,7 @@ function Add-CIPPScheduledTask {
                 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
                 return "Could not add task: $ErrorMessage"
             }
+            Write-LogMessage -headers $Headers -API 'ScheduledTask' -message "Added task $($entity.Name) with ID $($entity.RowKey)" -Sev 'Info' -Tenant $tenantFilter
             return "Successfully added task: $($entity.Name)"
         }
     } catch {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertDepTokenExpiry {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -13,7 +13,7 @@ function Get-CIPPAlertDepTokenExpiry {
 
     try {
         try {
-            $DepTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter).value
+            $DepTokens = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter
             $AlertData = foreach ($Dep in $DepTokens) {
                 if ($Dep.tokenExpirationDateTime -lt (Get-Date).AddDays(30) -and $Dep.tokenExpirationDateTime -gt (Get-Date).AddDays(-7)) {
                     $Message = 'Apple Device Enrollment Program token expiring on {0}' -f $Dep.tokenExpirationDateTime

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1

@@ -12,8 +12,13 @@ function Get-CIPPAlertNoCAConfig {
     )
 
     try {
-        $CAAvailable = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter -ErrorAction Stop).serviceplans
-        if ('AAD_PREMIUM' -in $CAAvailable.servicePlanName) {
+        # Only consider CA available when a SKU that grants it has enabled seats (> 0)
+        $SubscribedSkus = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/subscribedSkus?`$select=prepaidUnits,servicePlans" -tenantid $TenantFilter -ErrorAction Stop
+        $CAAvailable = foreach ($sku in $SubscribedSkus) {
+            if ([int]$sku.prepaidUnits.enabled -gt 0) { $sku.servicePlans }
+        }
+
+        if (('AAD_PREMIUM' -in $CAAvailable.servicePlanName) -or ('AAD_PREMIUM_P2' -in $CAAvailable.servicePlanName)) {
             $CAPolicies = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $TenantFilter)
             if (!$CAPolicies.id) {
                 $AlertData = 'Conditional Access is available, but no policies could be found.'

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSmtpAuthSuccess.ps1

@@ -0,0 +1,32 @@
+function Get-CIPPAlertSmtpAuthSuccess {
+    <#
+    .FUNCTIONALITY
+        Entrypoint – Check sign-in logs for SMTP AUTH with success status
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        # Graph API endpoint for sign-ins
+        $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=clientAppUsed eq 'SMTP' and status/errorCode eq 0"
+
+        # Call Graph API for the given tenant
+        $SignIns = New-GraphGetRequest -uri $uri -tenantid $TenantFilter
+
+        # Select only the properties you care about
+        $AlertData = $SignIns.value | Select-Object userPrincipalName, createdDateTime, clientAppUsed, ipAddress, status
+
+        # Write results into the alert pipeline
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+
+    } catch {
+        # Suppress errors if no data returned
+        # Uncomment if you want explicit error logging
+        # Write-AlertMessage -tenant $($TenantFilter) -message "Failed to query SMTP AUTH sign-ins for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVppTokenExpiry.ps1

@@ -4,21 +4,20 @@ function Get-CIPPAlertVppTokenExpiry {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
         $TenantFilter
     )
     try {
         try {
-            $VppTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/vppTokens' -tenantid $TenantFilter).value
+            $VppTokens = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/vppTokens' -tenantid $TenantFilter
             $AlertData = foreach ($Vpp in $VppTokens) {
                 if ($Vpp.state -ne 'valid') {
                     $Message = 'Apple Volume Purchase Program Token is not valid, new token required'
                     $Vpp | Select-Object -Property organizationName, appleId, vppTokenAccountType, @{Name = 'Message'; Expression = { $Message } }
-                }
-                if ($Vpp.expirationDateTime -lt (Get-Date).AddDays(30) -and $Vpp.expirationDateTime -gt (Get-Date).AddDays(-7)) {
+                } elseif ($Vpp.expirationDateTime -lt (Get-Date).AddDays(30).ToUniversalTime() -and $Vpp.expirationDateTime -gt (Get-Date).AddDays(-7).ToUniversalTime()) {
                     $Message = 'Apple Volume Purchase Program token expiring on {0}' -f $Vpp.expirationDateTime
                     $Vpp | Select-Object -Property organizationName, appleId, vppTokenAccountType, @{Name = 'Message'; Expression = { $Message } }
                 }

Modules/CIPPCore/Public/Authentication/Get-CippAllowedPermissions.ps1

@@ -70,7 +70,6 @@ function Get-CippAllowedPermissions {
 
     # For admin and superadmin: Compute permissions from base role include/exclude rules
     if ($PrimaryRole -in @('admin', 'superadmin')) {
-        Write-Information "Computing permissions for $PrimaryRole using base role rules"
 
         if ($BaseRole) {
             # Start with all permissions and apply include/exclude rules
@@ -143,7 +142,19 @@ function Get-CippAllowedPermissions {
                 }
 
                 # Restrict base permissions to only those allowed by custom roles
-                $RestrictedPermissions = $BasePermissions | Where-Object { $CustomRolePermissions -contains $_ }
+                # Include Read permissions when ReadWrite permissions are present
+                $RestrictedPermissions = $BasePermissions | Where-Object {
+                    $Permission = $_
+                    if ($CustomRolePermissions -contains $Permission) {
+                        $true
+                    } elseif ($Permission -match 'Read$') {
+                        # Check if there's a corresponding ReadWrite permission
+                        $ReadWritePermission = $Permission -replace 'Read', 'ReadWrite'
+                        $CustomRolePermissions -contains $ReadWritePermission
+                    } else {
+                        $false
+                    }
+                }
                 foreach ($Permission in $RestrictedPermissions) {
                     if ($null -ne $Permission -and $Permission -is [string]) {
                         $AllowedPermissions.Add($Permission)
@@ -161,8 +172,6 @@ function Get-CippAllowedPermissions {
     }
     # Handle users with only custom roles (no base role)
     elseif ($CustomRoles.Count -gt 0) {
-        Write-Information 'Computing permissions for custom roles only'
-
         foreach ($CustomRole in $CustomRoles) {
             try {
                 $RolePermissions = Get-CIPPRolePermissions -RoleName $CustomRole

Modules/CIPPCore/Public/CippQueue/Invoke-ListCippQueue.ps1

@@ -15,10 +15,10 @@ function Invoke-ListCippQueue {
     $CippQueue = Get-CippTable -TableName 'CippQueue'
     $CippQueueTasks = Get-CippTable -TableName 'CippQueueTasks'
     $3HoursAgo = (Get-Date).ToUniversalTime().AddHours(-3).ToString('yyyy-MM-ddTHH:mm:ssZ')
-    $CippQueueData = Get-CIPPAzDataTableEntity @CippQueue -Filter "Timestamp ge datetime'$3HoursAgo'" | Sort-Object -Property Timestamp -Descending
+    $CippQueueData = Get-CIPPAzDataTableEntity @CippQueue -Filter "PartitionKey eq 'CippQueue' and Timestamp ge datetime'$3HoursAgo'" | Sort-Object -Property Timestamp -Descending
 
     $QueueData = foreach ($Queue in $CippQueueData) {
-        $Tasks = Get-CIPPAzDataTableEntity @CippQueueTasks -Filter "QueueId eq '$($Queue.RowKey)'" | Where-Object { $_.Name } | Select-Object @{n = 'Timestamp'; exp = { $_.Timestamp.DateTime.ToUniversalTime() } }, Name, Status
+        $Tasks = Get-CIPPAzDataTableEntity @CippQueueTasks -Filter "PartitionKey eq 'Task' and QueueId eq '$($Queue.RowKey)'" | Where-Object { $_.Name } | Select-Object @{n = 'Timestamp'; exp = { $_.Timestamp.DateTime.ToUniversalTime() } }, Name, Status
         $TaskStatus = @{}
         $Tasks | Group-Object -Property Status | ForEach-Object {
             $TaskStatus.$($_.Name) = $_.Count

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1

@@ -364,7 +364,7 @@ function Push-ExecOnboardTenantQueue {
                 $Table = Get-CippTable -tablename 'templates'
                 $ExistingTemplates = Get-CippazDataTableEntity @Table -Filter "PartitionKey eq 'StandardsTemplateV2'" | Where-Object { $_.JSON -match 'AllTenants' }
                 foreach ($AllTenantsTemplate in $ExistingTemplates) {
-                    $object = $AllTenantesTemplate.JSON | ConvertFrom-Json
+                    $object = $AllTenantsTemplate.JSON | ConvertFrom-Json
                     $NewExcludedTenants = [system.collections.generic.list[object]]::new()
                     if (!$object.excludedTenants) {
                         $object | Add-Member -MemberType NoteProperty -Name 'excludedTenants' -Value @() -Force