Merge pull request KelvinTegelaar#1908 from KelvinTegelaar/dev

Dev to hf

Author: KelvinTegelaar

CIPPTimer/function.json

@@ -12,6 +12,12 @@
       "name": "starter",
       "type": "durableClient",
       "direction": "in"
+    },
+    {
+      "type": "queue",
+      "direction": "out",
+      "name": "QueueItem",
+      "queueName": "cippqueue"
     }
   ]
 }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -23,7 +23,7 @@ function Get-CIPPAlertMFAAdmins {
 
             # Check 1: Admins with no MFA registered — prefer cache, fall back to live Graph
             $Users = if ($MFAReport) {
-                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
+                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and $_.UserType -ne 'Guest' -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
             } else {
                 New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
                     Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' } |
@@ -35,6 +35,7 @@ function Get-CIPPAlertMFAAdmins {
             $UnenforcedAdmins = $MFAReport | Where-Object {
                 $_.IsAdmin -eq $true -and
                 $_.MFARegistration -eq $true -and
+                $_.UserType -ne 'Guest' -and
                 ($IncludeDisabled -or $_.AccountEnabled -eq $true) -and
                 $_.PerUser -notin @('Enforced', 'Enabled') -and
                 $null -ne $_.CoveredBySD -and

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1

@@ -11,19 +11,24 @@ function Get-CIPPAlertMFAAlertUsers {
         $TenantFilter
     )
     try {
+        $MFAReport = try { Get-CIPPMFAStateReport -TenantFilter $TenantFilter | Where-Object { $_.DisplayName -ne 'On-Premises Directory Synchronization Service Account' } } catch { $null }
+
+        $Users = if ($MFAReport) {
+            $MFAReport | Where-Object { $_.IsAdmin -ne $true -and $_.MFARegistration -eq $false -and $_.UserType -ne 'Guest' -and $_.UPN -notmatch '^package_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@' }
+        } else {
+            New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
+                Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' -and $_.userPrincipalName -notmatch '^package_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@' } |
+                Select-Object @{n = 'UPN'; e = { $_.userPrincipalName } }, @{n = 'DisplayName'; e = { $_.userDisplayName } }
+        }
 
-        $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
-            Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' -and $_.userPrincipalName -notmatch '^package_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@' }
         if ($Users) {
             $AlertData = foreach ($user in $Users) {
                 [PSCustomObject]@{
-                    UserPrincipalName = $user.userPrincipalName
-                    DisplayName       = $user.userDisplayName
-                    LastUpdated       = $user.lastUpdatedDateTime
+                    UserPrincipalName = $user.UPN
+                    DisplayName       = $user.DisplayName
                 }
             }
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
         }
 
     } catch {

Modules/CIPPCore/Public/Compare-CIPPIntuneObject.ps1

@@ -277,29 +277,45 @@ function Compare-CIPPIntuneObject {
                                 ($Object2 -is [Array] -or $Object2 -is [System.Collections.IList])) {
                                 continue
                             }
-                            if ($Object1.$propName -and $Object2.$propName) {
-                                Compare-ObjectsRecursively -Object1 $Object1.$propName -Object2 $Object2.$propName -PropertyPath $newPath -Depth ($Depth + 1) -MaxDepth $MaxDepth
+                            $val1 = $Object1.$propName
+                            $val2 = $Object2.$propName
+                            $val1IsEmpty = ($null -eq $val1 -or $val1 -eq '' -or ($val1 -is [Array] -and $val1.Count -eq 0))
+                            $val2IsEmpty = ($null -eq $val2 -or $val2 -eq '' -or ($val2 -is [Array] -and $val2.Count -eq 0))
+                            if ($val1IsEmpty -and $val2IsEmpty) {
+                                # Both empty (null, "", []) - no difference
+                                continue
+                            }
+                            if ($val1 -or $val2) {
+                                Compare-ObjectsRecursively -Object1 $val1 -Object2 $val2 -PropertyPath $newPath -Depth ($Depth + 1) -MaxDepth $MaxDepth
                             }
                         } catch {
                             throw
                         }
                     } elseif ($prop1Exists) {
                         try {
-                            $result.Add([PSCustomObject]@{
+                            $val = $Object1.$propName
+                            $valIsEmpty = ($null -eq $val -or $val -eq '' -or ($val -is [Array] -and $val.Count -eq 0))
+                            if (-not $valIsEmpty) {
+                                $result.Add([PSCustomObject]@{
                                     Property      = $newPath
-                                    ExpectedValue = $Object1.$propName
+                                    ExpectedValue = $val
                                     ReceivedValue = ''
                                 })
+                            }
                         } catch {
                             throw
                         }
                     } else {
                         try {
-                            $result.Add([PSCustomObject]@{
+                            $val = $Object2.$propName
+                            $valIsEmpty = ($null -eq $val -or $val -eq '' -or ($val -is [Array] -and $val.Count -eq 0))
+                            if (-not $valIsEmpty) {
+                                $result.Add([PSCustomObject]@{
                                     Property      = $newPath
                                     ExpectedValue = ''
-                                    ReceivedValue = $Object2.$propName
+                                    ReceivedValue = $val
                                 })
+                            }
                         } catch {
                             throw
                         }

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Mailbox Permissions/Push-StoreMailboxPermissions.ps1

@@ -40,25 +40,28 @@ function Push-StoreMailboxPermissions {
                 $ActualResult = $BatchResult[0]
             }
 
-            if ($ActualResult -and $ActualResult -is [hashtable]) {
+            if ($ActualResult -and ($ActualResult -is [hashtable] -or $ActualResult -is [System.Collections.IDictionary])) {
                 Write-Information "Processing hashtable result with keys: $($ActualResult.Keys -join ', ')"
                 # Results are grouped by cmdlet name due to ReturnWithCommand
                 if ($ActualResult['Get-MailboxPermission']) {
-                    Write-Information "Adding $($ActualResult['Get-MailboxPermission'].Count) mailbox permissions"
-                    $AllMailboxPermissions.AddRange($ActualResult['Get-MailboxPermission'])
+                    $MailboxPerms = @($ActualResult['Get-MailboxPermission'])
+                    Write-Information "Adding $($MailboxPerms.Count) mailbox permissions"
+                    $AllMailboxPermissions.AddRange($MailboxPerms)
                 }
                 if ($ActualResult['Get-RecipientPermission']) {
-                    Write-Information "Adding $($ActualResult['Get-RecipientPermission'].Count) recipient permissions"
-                    $AllRecipientPermissions.AddRange($ActualResult['Get-RecipientPermission'])
+                    $RecipientPerms = @($ActualResult['Get-RecipientPermission'])
+                    Write-Information "Adding $($RecipientPerms.Count) recipient permissions"
+                    $AllRecipientPermissions.AddRange($RecipientPerms)
                 }
                 if ($ActualResult['Get-Mailbox']) {
                     $SendOnBehalfRows = @($ActualResult['Get-Mailbox'])
                     Write-Information "Adding $($SendOnBehalfRows.Count) send-on-behalf permissions"
                     $AllSendOnBehalfPermissions.AddRange($SendOnBehalfRows)
                 }
                 if ($ActualResult['Get-MailboxFolderPermission']) {
-                    Write-Information "Adding $($ActualResult['Get-MailboxFolderPermission'].Count) calendar permissions"
-                    $AllCalendarPermissions.AddRange($ActualResult['Get-MailboxFolderPermission'])
+                    $CalendarPerms = @($ActualResult['Get-MailboxFolderPermission'])
+                    Write-Information "Adding $($CalendarPerms.Count) calendar permissions"
+                    $AllCalendarPermissions.AddRange($CalendarPerms)
                 }
             } else {
                 Write-Information "Skipping non-hashtable result: $($ActualResult.GetType().Name)"

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -116,7 +116,7 @@ function Push-CIPPDBCacheData {
         if ($ConditionalAccessCapable) {
             $ConditionalAccessCacheFunctions = @(
                 'ConditionalAccessPolicies'
-                'AuthenticationFlowsPolicy'
+                #'AuthenticationFlowsPolicy'
                 'CredentialUserRegistrationDetails'
                 'UserRegistrationDetails'
             )

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-AddScheduledItem.ps1

@@ -15,6 +15,9 @@ function Invoke-AddScheduledItem {
 
     $DisallowDuplicateName = $Request.Query.DisallowDuplicateName ?? $Request.Body.DisallowDuplicateName
 
+    $HeaderProperties = @('x-ms-client-principal', 'x-ms-client-principal-id', 'x-ms-client-principal-name', 'x-forwarded-for')
+    $Headers = $Request.Headers | Select-Object -Property $HeaderProperties -ErrorAction SilentlyContinue
+
     if ($Request.Body.RunNow -eq $true) {
         try {
             $Table = Get-CIPPTable -TableName 'ScheduledTasks'
@@ -29,7 +32,7 @@ function Invoke-AddScheduledItem {
                     Clear        = $true
                 }
                 $null = Test-CIPPRerun @RerunParams
-                $Result = Add-CIPPScheduledTask -RowKey $Request.Body.RowKey -RunNow -Headers $Request.Headers
+                $Result = Add-CIPPScheduledTask -RowKey $Request.Body.RowKey -RunNow -Headers $Headers
             } else {
                 $Result = "Task with id $($Request.Body.RowKey) does not exist"
             }
@@ -41,7 +44,7 @@ function Invoke-AddScheduledItem {
     } else {
         $ScheduledTask = @{
             Task                  = $Request.Body
-            Headers               = $Request.Headers
+            Headers               = $Headers
             Hidden                = $hidden
             DisallowDuplicateName = $DisallowDuplicateName
             DesiredStartTime      = $Request.Body.DesiredStartTime