Merge pull request #1271 from KelvinTegelaar/dev

Dev to release

Author: KelvinTegelaar

.github/workflows/PR_Branch_Check.yml

@@ -0,0 +1,62 @@
+name: PR Branch Check
+
+on:
+  # Using pull_request_target instead of pull_request for secure handling of fork PRs
+  pull_request_target:
+    # Only run on these PR events
+    types: [opened, synchronize, reopened]
+    # Only check PRs targeting these branches
+    branches:
+      - main
+      - master
+
+permissions:
+  pull-requests: write
+  issues: write
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check and Comment on PR
+        # Only process fork PRs with specific branch conditions
+        # Must be a fork AND (source is main/master OR target is main/master)
+        if: |
+          github.event.pull_request.head.repo.fork == true && 
+          ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') ||
+          (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master'))
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            let message = '';
+
+            message += '🔄 If you are attempting to update your CIPP repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating ';
+            message += '\n\n';
+
+            // Check if PR is targeting main/master
+            if (context.payload.pull_request.base.ref === 'main' || context.payload.pull_request.base.ref === 'master') {
+              message += '⚠️ PRs cannot target the main branch directly. If you are attempting to contribute code please PR to the dev branch.\n\n';
+            }
+
+            // Check if PR is from a fork's main/master branch
+            if (context.payload.pull_request.head.repo.fork && 
+                (context.payload.pull_request.head.ref === 'main' || context.payload.pull_request.head.ref === 'master')) {
+              message += '⚠️ This PR cannot be merged because it originates from your fork\'s main/master branch. If you are attempting to contribute code please PR from your dev branch or another non-main/master branch.\n\n';
+            }
+
+            message += '🔒 This PR will now be automatically closed due to the above violation(s).';
+            
+            // Post the comment
+            await github.rest.issues.createComment({
+              ...context.repo,
+              issue_number: context.issue.number,
+              body: message
+            });
+            
+            // Close the PR
+            await github.rest.pulls.update({
+              ...context.repo,
+              pull_number: context.issue.number,
+              state: 'closed'
+            });

.github/workflows/dev_cippbcaom.yml

@@ -27,4 +27,4 @@ jobs:
           app-name: 'cippbcaom'
           slot-name: 'Production'
           package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
-          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_56AD4FDD49354D0CAB4D9A9E868D2015 }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_0FE8CACBBF7D409DAAF132988BECEC4B }}

.github/workflows/dev_cippjta72.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippjta72
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+    
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+      
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippjta72'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_5B44448119C645C099EE192346D7433A }}

Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1

@@ -19,12 +19,14 @@ function Add-CIPPAzDataTableEntity {
         } catch [System.Exception] {
             if ($_.Exception.ErrorCode -eq 'PropertyValueTooLarge' -or $_.Exception.ErrorCode -eq 'EntityTooLarge' -or $_.Exception.ErrorCode -eq 'RequestBodyTooLarge') {
                 try {
+                    Write-Host 'Entity is too large. Splitting entity into multiple parts.'
+                    Write-Information ($SingleEnt | ConvertTo-Json)
                     $largePropertyNames = [System.Collections.Generic.List[string]]::new()
                     $entitySize = 0
 
                     # Convert $SingleEnt to hashtable if it is a PSObject
                     if ($SingleEnt -is [System.Management.Automation.PSCustomObject]) {
-                        $SingleEnt = $SingleEnt | ConvertTo-Json -Depth 100 | ConvertFrom-Json -AsHashtable
+                        $SingleEnt = $SingleEnt | ConvertTo-Json -Depth 100 -Compress | ConvertFrom-Json -AsHashtable
                     }
 
                     foreach ($key in $SingleEnt.Keys) {
@@ -35,7 +37,7 @@ function Add-CIPPAzDataTableEntity {
                         }
                     }
 
-                    if ($largePropertyNames.Count -gt 0) {
+                    if (($largePropertyNames | Measure-Object).Count -gt 0) {
                         $splitInfoList = [System.Collections.Generic.List[object]]::new()
                         foreach ($largePropertyName in $largePropertyNames) {
                             $dataString = $SingleEnt[$largePropertyName]
@@ -45,20 +47,20 @@ function Add-CIPPAzDataTableEntity {
                                 $start = $i * $MaxSize
                                 $splitData.Add($dataString.Substring($start, [Math]::Min($MaxSize, $dataString.Length - $start))) > $null
                             }
-
+                            $splitDataCount = ($splitData | Measure-Object).Count
                             $splitPropertyNames = [System.Collections.Generic.List[object]]::new()
-                            for ($i = 0; $i -lt $splitData.Count; $i++) {
-                                $splitPropertyNames.Add("${largePropertyName}_Part$i") > $null
+                            for ($i = 0; $i -lt $splitDataCount; $i++) {
+                                $splitPropertyNames.Add("${largePropertyName}_Part$i")
                             }
 
                             $splitInfo = @{
                                 OriginalHeader = $largePropertyName
                                 SplitHeaders   = $splitPropertyNames
                             }
-                            $splitInfoList.Add($splitInfo) > $null
+                            $splitInfoList.Add($splitInfo)
                             $SingleEnt.Remove($largePropertyName)
 
-                            for ($i = 0; $i -lt $splitData.Count; $i++) {
+                            for ($i = 0; $i -lt $splitDataCount; $i++) {
                                 $SingleEnt[$splitPropertyNames[$i]] = $splitData[$i]
                             }
                         }
@@ -67,7 +69,7 @@ function Add-CIPPAzDataTableEntity {
                     }
 
                     # Check if the entity is still too large
-                    $entitySize = [System.Text.Encoding]::UTF8.GetByteCount($($SingleEnt | ConvertTo-Json))
+                    $entitySize = [System.Text.Encoding]::UTF8.GetByteCount($($SingleEnt | ConvertTo-Json -Compress))
                     if ($entitySize -gt $MaxRowSize) {
                         $rows = [System.Collections.Generic.List[object]]::new()
                         $originalPartitionKey = $SingleEnt.PartitionKey
@@ -89,7 +91,7 @@ function Add-CIPPAzDataTableEntity {
 
                             $propertiesToRemove = [System.Collections.Generic.List[object]]::new()
                             foreach ($key in $SingleEnt.Keys) {
-                                $newEntitySize = [System.Text.Encoding]::UTF8.GetByteCount($($newEntity | ConvertTo-Json))
+                                $newEntitySize = [System.Text.Encoding]::UTF8.GetByteCount($($newEntity | ConvertTo-Json -Compress))
                                 if ($newEntitySize -lt $MaxRowSize) {
                                     $propertySize = [System.Text.Encoding]::UTF8.GetByteCount($SingleEnt[$key].ToString())
                                     if ($propertySize -gt $MaxRowSize) {
@@ -103,7 +105,7 @@ function Add-CIPPAzDataTableEntity {
 
                                         $splitPropertyNames = [System.Collections.Generic.List[object]]::new()
                                         for ($i = 0; $i -lt $splitData.Count; $i++) {
-                                            $splitPropertyNames.Add("${key}_Part$i") > $null
+                                            $splitPropertyNames.Add("${key}_Part$i")
                                         }
 
                                         for ($i = 0; $i -lt $splitData.Count; $i++) {
@@ -112,29 +114,29 @@ function Add-CIPPAzDataTableEntity {
                                     } else {
                                         $newEntity[$key] = $SingleEnt[$key]
                                     }
-                                    $propertiesToRemove.Add($key) > $null
+                                    $propertiesToRemove.Add($key)
                                 }
                             }
 
                             foreach ($prop in $propertiesToRemove) {
                                 $SingleEnt.Remove($prop)
                             }
 
-                            $rows.Add($newEntity) > $null
-                            $entitySize = [System.Text.Encoding]::UTF8.GetByteCount($($SingleEnt | ConvertTo-Json))
+                            $rows.Add($newEntity)
+                            $entitySize = [System.Text.Encoding]::UTF8.GetByteCount($($SingleEnt | ConvertTo-Json -Compress))
                         }
 
-                        if ($SingleEnt.Count -gt 0) {
+                        if (($SingleEnt | Measure-Object).Count -gt 0) {
                             $SingleEnt['RowKey'] = "$($originalRowKey)-part$entityIndex"
                             $SingleEnt['OriginalEntityId'] = $originalRowKey
                             $SingleEnt['PartIndex'] = $entityIndex
                             $SingleEnt['PartitionKey'] = $originalPartitionKey
 
-                            $rows.Add($SingleEnt) > $null
+                            $rows.Add($SingleEnt)
                         }
 
                         foreach ($row in $rows) {
-                            Write-Information "current entity is $($row.RowKey) with $($row.PartitionKey). Our size is $([System.Text.Encoding]::UTF8.GetByteCount($($row | ConvertTo-Json)))"
+                            Write-Information "current entity is $($row.RowKey) with $($row.PartitionKey). Our size is $([System.Text.Encoding]::UTF8.GetByteCount($($row | ConvertTo-Json -Compress)))"
                             Add-AzDataTableEntity -Context $Context -Force:$Force -CreateTableIfNotExists:$CreateTableIfNotExists -Entity $row
                         }
                     } else {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAppCertificateExpiry.ps1

@@ -0,0 +1,33 @@
+function Get-CIPPAlertAppCertificateExpiry {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        Write-Host "Checking app expire for $($TenantFilter)"
+        $appList = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$select=appId,displayName,keyCredentials" -tenantid $TenantFilter
+    } catch {
+        return
+    }
+
+    $AlertData = foreach ($App in $applist) {
+        Write-Host "checking $($App.displayName)"
+        if ($App.keyCredentials) {
+            foreach ($Credential in $App.keyCredentials) {
+                if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7)) {
+                    Write-Host ("Application '{0}' has certificates expiring on {1}" -f $App.displayName, $Credential.endDateTime)
+                    @{ DisplayName = $App.displayName; Expires = $Credential.endDateTime }
+                }
+            }
+        }
+    }
+    Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAppleTerms.ps1

@@ -0,0 +1,30 @@
+function Get-CIPPAlertAppleTerms {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    # 0 = Expired
+    # 1 = expired?
+    # 2 = unknown
+    # 3 = Terms & Conditions
+    # 4 = Warning
+
+    try {
+        $appleterms = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings" -tenantid $TenantFilter
+    } catch {
+        return
+    }
+
+    if ($appleterms.lastSyncErrorCode -eq 3) {
+        $AlertData = "New Apple Business Manager terms are ready to accept."
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDeviceCompliance.ps1

@@ -12,9 +12,7 @@ function Get-CIPPAlertDeviceCompliance {
         $TenantFilter
     )
     try {
-        $AlertData = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$top=999" -tenantid $TenantFilter | Where-Object -Property complianceState -NE 'compliant' | ForEach-Object {
-            $_ | Select-Object -Property id, deviceName, deviceType, complianceState, lastReportedDateTime
-        }
+        $AlertData = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=id,deviceName,managedDeviceOwnerType,complianceState,lastSyncDateTime&`$top=999" -tenantid $TenantFilter
         Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
     } catch {
         Write-AlertMessage -tenant $($TenantFilter) -message "Could not get compliance state for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1

@@ -15,10 +15,14 @@ function Get-CIPPAlertInactiveLicensedUsers {
         try {
 
             $Lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o')
-            $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastNonInteractiveSignInDateTime le $Lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses" -scope 'https://graph.microsoft.com/.default' -tenantid $TenantFilter | Where-Object { $_.assignedLicenses.skuId -ne $null }
+            $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastNonInteractiveSignInDateTime le $Lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses" -scope 'https://graph.microsoft.com/.default' -tenantid $TenantFilter |
+                Where-Object { $null -ne $_.assignedLicenses.skuId }
+
+            # true = only active users
+            if ($InputValue -eq $true) { $GraphRequest = $GraphRequest | Where-Object { $_.accountEnabled -eq $true } }
             $AlertData = foreach ($user in $GraphRequest) {
                 $Message = 'User {0} has been inactive for 90 days, but still has a license assigned.' -f $user.UserPrincipalName
-                $user | Select-Object -Property userPrincipalname, signInActivity, @{Name = 'Message'; Expression = { $Message } }
+                $user | Select-Object -Property UserPrincipalName, signInActivity, @{Name = 'Message'; Expression = { $Message } }
 
             }
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewAppApproval.ps1

@@ -13,7 +13,7 @@ function Get-CIPPAlertNewAppApproval {
     )
     try {
         $Approvals = New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests?`$filter=userConsentRequests/any (u:u/status eq 'InProgress')" -tenantid $TenantFilter
-        if ($Approvals.count -gt 1) {
+        if ($Approvals.count -gt 0) {
             $AlertData = "There are $($Approvals.count) App Approval(s) pending."
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
         }

Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1

@@ -18,13 +18,15 @@ function Get-CIPPRolePermissions {
     $Role = Get-CIPPAzDataTableEntity @Table -Filter $Filter
     if ($Role) {
         $Permissions = $Role.Permissions | ConvertFrom-Json
+        $AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
+        $BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
         [PSCustomObject]@{
             Role           = $Role.RowKey
             Permissions    = $Permissions.PSObject.Properties.Value
-            AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
-            BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
+            AllowedTenants = @($AllowedTenants)
+            BlockedTenants = @($BlockedTenants)
         }
     } else {
         throw "Role $RoleName not found."
     }
-}
+}

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -69,8 +69,8 @@ function Test-CIPPAccess {
         if ($PermissionsFound) {
             if ($TenantList.IsPresent) {
                 $LimitedTenantList = foreach ($Permission in $PermissionSet) {
-                    if (($Permission.AllowedTenants | Measure-Object).Count -eq 0 -and ($Permission.BlockedTenants | Measure-Object).Count -eq 0) {
-                        return @('AllTenants')
+                    if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
+                        @('AllTenants')
                     } else {
                         if ($Permission.AllowedTenants -contains 'AllTenants') {
                             $Permission.AllowedTenants = $Tenants.customerId
@@ -135,4 +135,4 @@ function Test-CIPPAccess {
     } else {
         return $true
     }
-}
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/BPA/Push-BPACollectData.ps1

@@ -21,7 +21,7 @@ function Push-BPACollectData {
     $Table = Get-CippTable -tablename 'cachebpav2'
     $Rerun = Test-CIPPRerun -Type 'BPA' -Tenant $TenantName.defaultDomainName -API $Item.Template
     if ($Rerun) {
-        Write-Host 'Detected rerun. Exiting cleanly'
+        Write-Host 'Detected rerun for BPA. Exiting cleanly'
         exit 0
     }
     Write-Host "Working on BPA for $($TenantName.defaultDomainName) with GUID $($TenantName.customerId) - Report ID $($Item.Template)"

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ListMailboxRulesQueue.ps1

@@ -21,8 +21,8 @@ function Push-ListMailboxRulesQueue {
             }
         }
         if (($Rules | Measure-Object).Count -gt 0) {
-            foreach ($Rule in $Rules) {
-                $GraphRequest = [PSCustomObject]@{
+            $GraphRequest = foreach ($Rule in $Rules) {
+                [PSCustomObject]@{
                     Rules        = [string]($Rule | ConvertTo-Json)
                     RowKey       = [string](New-Guid).guid
                     Tenant       = [string]$domainName
@@ -31,9 +31,9 @@ function Push-ListMailboxRulesQueue {
 
             }
         } else {
-            $Rules = @{
-                Name = 'No rules found'
-            } | ConvertTo-Json
+            $Rules = @(@{
+                    Name = 'No rules found'
+                }) | ConvertTo-Json
             $GraphRequest = [PSCustomObject]@{
                 Rules        = [string]$Rules
                 RowKey       = [string]$domainName