Merge pull request #83 from KelvinTegelaar/master

[pull] master from KelvinTegelaar:master

Author: pull[bot]

Config/intuneCollection.json

@@ -10,13 +10,10 @@ function Push-AuditLogSearchCreation {
     $Tenant = $Item.Tenant
     $StartTime = $Item.StartTime
     $EndTime = $Item.EndTime
-    $ServiceFilters = @($Item.ServiceFilters)
-
     try {
         $LogSearch = @{
             StartTime         = $StartTime
             EndTime           = $EndTime
-            ServiceFilters    = $ServiceFilters
             TenantFilter      = $Tenant.defaultDomainName
             ProcessLogs       = $true
             RecordTypeFilters = @(
@@ -30,6 +27,8 @@ function Push-AuditLogSearchCreation {
             $NewSearch = New-CippAuditLogSearch @LogSearch
             if ($NewSearch.id) {
                 Write-Information "Created audit log search $($Tenant.defaultDomainName) - $($NewSearch.displayName)"
+            } elseif ($NewSearch.cippStatus -eq 'TransientError') {
+                Write-Information "Audit log search creation hit transient error for tenant $($Tenant.defaultDomainName) ($($NewSearch.status))"
             } elseif ($NewSearch.status -eq 'AuditingDisabledTenant') {
                 Write-Information "Skipping audit log search $($Tenant.defaultDomainName) because unified auditing is disabled for this tenant"
                 Write-LogMessage -API 'Audit Logs' -Message "Skipped audit log search creation for tenant $($Tenant.defaultDomainName) because unified auditing is disabled" -Sev Warning -tenant $Tenant.defaultDomainName

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogSearchCreation.ps1

@@ -20,7 +20,7 @@ function Get-CippAuditLogSearches {
         $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "PartitionKey eq 'Search' and Tenant eq '$TenantFilter' and (CippStatus eq 'Pending' or (CippStatus eq 'Processing' and Timestamp le datetime'$15MinutesAgo')) and Timestamp ge datetime'$1DayAgo'" | Sort-Object Timestamp
     } else {
         $7DaysAgo = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "Tenant eq '$TenantFilter' and Timestamp ge datetime'$7DaysAgo'"
+        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "PartitionKey eq 'Search' and Tenant eq '$TenantFilter' and Timestamp ge datetime'$7DaysAgo'"
     }
 
     $BulkRequests = foreach ($PendingQuery in $PendingQueries) {

Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearches.ps1

@@ -16,8 +16,6 @@ function New-CippAuditLogSearch {
         The record types to filter on.
     .PARAMETER KeywordFilter
         The keyword to filter on.
-    .PARAMETER ServiceFilter
-        The service to filter on.
     .PARAMETER OperationsFilters
         The operations to filter on.
     .PARAMETER UserPrincipalNameFilters
@@ -109,8 +107,6 @@ function New-CippAuditLogSearch {
         [Parameter()]
         [string]$KeywordFilters,
         [Parameter()]
-        [string[]]$ServiceFilters,
-        [Parameter()]
         [string[]]$OperationsFilters,
         [Parameter()]
         [string[]]$UserPrincipalNameFilters,
@@ -130,16 +126,13 @@ function New-CippAuditLogSearch {
         filterEndDateTime   = $EndTime.AddHours(1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
     }
     if ($OperationsFilters) {
-        $SearchParams.operationsFilters = $OperationsFilters
+        $SearchParams.operationFilters = @($OperationsFilters)
     }
     if ($RecordTypeFilters) {
         $SearchParams.recordTypeFilters = @($RecordTypeFilters)
     }
     if ($KeywordFilters) {
-        $SearchParams.keywordFilters = $KeywordFilters
-    }
-    if ($ServiceFilters) {
-        $SearchParams.serviceFilters = $ServiceFilters
+        $SearchParams.keywordFilter = $KeywordFilters
     }
     if ($UserPrincipalNameFilters) {
         $SearchParams.userPrincipalNameFilters = @($UserPrincipalNameFilters)
@@ -151,7 +144,7 @@ function New-CippAuditLogSearch {
         $SearchParams.objectIdFilters = @($ObjectIdFilters)
     }
     if ($AdministrativeUnitFilters) {
-        $SearchParams.administrativeUnitFilters = @($AdministrativeUnitFilters)
+        $SearchParams.administrativeUnitIdFilters = @($AdministrativeUnitFilters)
     }
 
     if ($PSCmdlet.ShouldProcess('Create a new audit log search for tenant ' + $TenantFilter)) {
@@ -193,26 +186,26 @@ function New-CippAuditLogSearch {
             # Handle HTML error pages (e.g. Azure Front Door 502/504 gateway timeouts)
             if ($TrimmedAuditLogErrorMessage -match '<!DOCTYPE|<html' -and $TrimmedAuditLogErrorMessage -match '<title>([^<]+)</title>') {
                 $HtmlTitle = $Matches[1].Trim()
-                Write-LogMessage -API 'Audit Logs' -tenant $TenantFilter -message "Audit log search creation failed with gateway error for tenant $TenantFilter ($HtmlTitle) - will retry next cycle" -sev Warning
+                Write-LogMessage -API 'Audit Logs' -tenant $TenantFilter -message "Audit log search creation failed with gateway error for tenant $TenantFilter ($HtmlTitle)" -sev Warning
                 return [PSCustomObject]@{
                     id          = $null
                     displayName = [string]$DisplayName
                     status      = [string]'GatewayError'
                     cippStatus  = [string]'TransientError'
-                    message     = [string]"Microsoft returned gateway error ($HtmlTitle) - search will be retried next cycle."
+                    message     = [string]"Microsoft returned gateway error ($HtmlTitle)."
                 }
             }
 
             # Handle Microsoft-side timeouts / transient errors (e.g. UnknownError with empty message)
             $ErrorCode = $AuditLogError.error.code ?? $AuditLogError.code
             if ($ErrorCode -in @('UnknownError', 'ServiceUnavailable', 'RequestTimeout', 'GatewayTimeout', 'TooManyRequests')) {
-                Write-LogMessage -API 'Audit Logs' -tenant $TenantFilter -message "Audit log search creation failed with transient error for tenant $TenantFilter ($ErrorCode) - will retry next cycle" -sev Warning
+                Write-LogMessage -API 'Audit Logs' -tenant $TenantFilter -message "Audit log search creation failed with transient error for tenant $TenantFilter ($ErrorCode)" -sev Warning
                 return [PSCustomObject]@{
                     id          = $null
                     displayName = [string]$DisplayName
                     status      = [string]$ErrorCode
                     cippStatus  = [string]'TransientError'
-                    message     = [string]"Microsoft returned $ErrorCode - search will be retried next cycle."
+                    message     = [string]"Microsoft returned $ErrorCode."
                 }
             }
 

Modules/CIPPCore/Public/AuditLogs/New-CippAuditLogSearch.ps1

@@ -192,7 +192,13 @@ function New-CIPPAPIConfig {
         if ($ResetSecret.IsPresent -and $APIApp) {
             if ($PSCmdlet.ShouldProcess($APIApp.displayName, 'Reset API Secret')) {
                 $Step = 'Resetting Application Password'
-                Write-Information 'Removing all old passwords'
+
+                try {
+                    $PolicyUpdate = Update-AppManagementPolicy -ApplicationId $APIApp.appId
+                    Write-Information "Policy check for secret reset: $($PolicyUpdate.PolicyAction)"
+                } catch {
+                    Write-Information "Failed to update app management policy during secret reset: $($_.Exception.Message)"
+                }
 
                 $AppManagementPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' -AsApp $true -NoAuthCheck $true
                 $PasswordExpirationPolicy = $AppManagementPolicy.applicationRestrictions.passwordcredentials |
@@ -207,39 +213,50 @@ function New-CIPPAPIConfig {
                     $NewPasswordCredential.endDateTime = $ExpirationDate
                 }
 
-                $Requests = @(
-                    @{
-                        id      = 'removeOldPasswords'
-                        method  = 'PATCH'
-                        url     = "applications/$($APIApp.id)/"
-                        headers = @{
-                            'Content-Type' = 'application/json'
-                        }
-                        body    = @{
-                            passwordCredentials = @()
-                        }
-                    },
-                    @{
-                        id        = 'addNewPassword'
-                        method    = 'POST'
-                        url       = "applications/$($APIApp.id)/addPassword"
-                        headers   = @{
-                            'Content-Type' = 'application/json'
+                Write-Information 'Removing all old passwords'
+                for ($Attempt = 1; $Attempt -le 6; $Attempt++) {
+                    $Requests = @(
+                        @{
+                            id      = 'removeOldPasswords'
+                            method  = 'PATCH'
+                            url     = "applications/$($APIApp.id)/"
+                            headers = @{
+                                'Content-Type' = 'application/json'
+                            }
+                            body    = @{
+                                passwordCredentials = @()
+                            }
+                        },
+                        @{
+                            id        = 'addNewPassword'
+                            method    = 'POST'
+                            url       = "applications/$($APIApp.id)/addPassword"
+                            headers   = @{
+                                'Content-Type' = 'application/json'
+                            }
+                            body      = @{
+                                passwordCredential = $NewPasswordCredential
+                            }
+                            dependsOn = @('removeOldPasswords')
                         }
-                        body      = @{
-                            passwordCredential = $NewPasswordCredential
+                    )
+                    $BatchResponse = New-GraphBulkRequest -tenantid $env:TenantID -NoAuthCheck $true -asapp $true -Requests $Requests
+                    $AddPasswordResponse = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' }
+                    if ($AddPasswordResponse.status -ge 400) {
+                        $ErrorBody = $AddPasswordResponse.body
+                        $ErrorMsg = $ErrorBody.error.message ?? ($ErrorBody | ConvertTo-Json -Compress -Depth 5)
+                        $IsCredentialPolicyBlocked = $ErrorMsg -match 'Credential type not allowed as per assigned policy'
+                        if ($IsCredentialPolicyBlocked -and $Attempt -lt 6) {
+                            $DelaySeconds = [Math]::Min(10, 1 * $Attempt)
+                            Write-Information "Credential policy still blocks addPassword (attempt $Attempt of 6). Waiting for policy propagation and retrying in $DelaySeconds second(s)."
+                            Start-Sleep -Seconds $DelaySeconds
+                            continue
                         }
-                        dependsOn = @('removeOldPasswords')
+                        throw "Failed to add new password during secret reset: $ErrorMsg"
                     }
-                )
-                $BatchResponse = New-GraphBulkRequest -tenantid $env:TenantID -NoAuthCheck $true -asapp $true -Requests $Requests
-                $AddPasswordResponse = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' }
-                if ($AddPasswordResponse.status -ge 400) {
-                    $ErrorBody = $AddPasswordResponse.body
-                    $ErrorMsg = $ErrorBody.error.message ?? ($ErrorBody | ConvertTo-Json -Compress -Depth 5)
-                    throw "Failed to add new password during secret reset: $ErrorMsg"
+                    $APIPassword = $AddPasswordResponse.body
+                    break
                 }
-                $APIPassword = $AddPasswordResponse.body
                 Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message "Reset CIPP-API Password for '$($APIApp.displayName)'." -Sev 'info'
             }
         }

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -68,29 +68,25 @@ function Start-AuditLogSearchCreation {
             }
 
             $TenantInConfig = $false
-            $MatchingConfigs = [System.Collections.Generic.List[object]]::new()
             foreach ($ConfigEntry in $ConfigEntries) {
                 if ($ConfigEntry.excludedTenants.value -contains $Tenant.defaultDomainName) {
                     continue
                 }
                 if ($ConfigEntry.ExpandedTenants -contains $Tenant.defaultDomainName -or $ConfigEntry.ExpandedTenants -contains 'AllTenants') {
                     $TenantInConfig = $true
-                    $MatchingConfigs.Add($ConfigEntry)
+                    break
                 }
             }
 
             if (!$TenantInConfig) {
                 continue
             }
 
-            if ($MatchingConfigs) {
-                [PSCustomObject]@{
-                    FunctionName   = 'AuditLogSearchCreation'
-                    Tenant         = $Tenant | Select-Object defaultDomainName, customerId, displayName
-                    StartTime      = $StartTime
-                    EndTime        = $EndTime
-                    ServiceFilters = @($MatchingConfigs | Select-Object -Property type | Sort-Object -Property type -Unique | ForEach-Object { $_.type.split('.')[1] })
-                }
+            [PSCustomObject]@{
+                FunctionName = 'AuditLogSearchCreation'
+                Tenant       = $Tenant | Select-Object defaultDomainName, customerId, displayName
+                StartTime    = $StartTime
+                EndTime      = $EndTime
             }
         }
 

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogSearchCreation.ps1

@@ -34,23 +34,23 @@ function Start-CIPPOrchestrator {
         [switch]$CallerIsQueueTrigger
     )
 
-    # ─── CIPPNG runtime: push batch directly to OrchestratorService ───
+    # ─── CRAFT runtime: push batch directly to OrchestratorService ───
     if ($env:CIPPNG -eq 'true' -and $InputObject) {
         $OrchestratorName = $InputObject.OrchestratorName ?? 'UnnamedOrchestrator'
 
         # QueueFunction pattern: call the function first to generate batch items
         if (-not $InputObject.Batch -and $InputObject.QueueFunction) {
             $QueueFuncName = "Push-$($InputObject.QueueFunction.FunctionName)"
-            Write-Information "CIPP-NG: Calling QueueFunction '$QueueFuncName' to build batch for '$OrchestratorName'"
+            Write-Information "CRAFT: Calling QueueFunction '$QueueFuncName' to build batch for '$OrchestratorName'"
             $QueueItem = [PSCustomObject]@{}
             if ($InputObject.QueueFunction.Parameters) {
                 $QueueItem = [PSCustomObject]$InputObject.QueueFunction.Parameters
             }
             $BatchResult = & $QueueFuncName -Item $QueueItem
             $QueueBatch = @($BatchResult | Where-Object { $null -ne $_ })
             if ($QueueBatch.Count -eq 0) {
-                Write-Information "CIPP-NG: QueueFunction '$QueueFuncName' returned 0 tasks for '$OrchestratorName' - skipping"
-                return "CIPPNG-$OrchestratorName-NoTasks"
+                Write-Information "CRAFT: QueueFunction '$QueueFuncName' returned 0 tasks for '$OrchestratorName' - skipping"
+                return "CRAFT-$OrchestratorName-NoTasks"
             }
             $InputObject | Add-Member -MemberType NoteProperty -Name 'Batch' -Value $QueueBatch -Force
         }
@@ -66,15 +66,15 @@ function Start-CIPPOrchestrator {
             }
         }
 
-        Write-Information "CIPP-NG: Queuing orchestrator '$OrchestratorName' ($($InputObject.Batch.Count) tasks$(if ($PostExecFunctionName) { ", PostExec: $PostExecFunctionName" }))"
-        [CIPPASP.Services.OrchestratorBridge]::QueueOrchestration(
+        Write-Information "CRAFT: Queuing orchestrator '$OrchestratorName' ($($InputObject.Batch.Count) tasks$(if ($PostExecFunctionName) { ", PostExec: $PostExecFunctionName" }))"
+        [CRAFT.Services.OrchestratorBridge]::QueueOrchestration(
             $OrchestratorName,
             $BatchJson,
             4,
             $PostExecFunctionName,
             $PostExecParametersJson
         )
-        return "CIPPNG-$OrchestratorName"
+        return "CRAFT-$OrchestratorName"
     }
 
     $OrchestratorTable = Get-CippTable -TableName 'CippOrchestratorInput'

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-CIPPOrchestrator.ps1

@@ -34,6 +34,11 @@ function Get-CIPPDbItem {
     )
 
     try {
+        # Enforce tenant lock when running inside custom script execution
+        if ($script:CIPPLockedTenant) {
+            $TenantFilter = $script:CIPPLockedTenant
+        }
+
         $Table = Get-CippTable -tablename 'CippReportingDB'
 
         if ($TenantFilter -ne 'allTenants') {

Modules/CIPPCore/Public/Get-CIPPDbItem.ps1

@@ -119,11 +119,13 @@ function Get-CIPPLicenseOverview {
                 $SubInfo = $SkuIDs | Where-Object { $_.id -eq $Subscription }
                 $diff = $SubInfo.nextLifecycleDateTime - $SubInfo.createdDateTime
                 $Term = 'Term unknown or non-NCE license'
-                if ($diff.Days -ge 32 -and $diff.Days -le 1089) {
+                if ($SubInfo.isTrial) {
+                    $Term = 'Trial'
+                } elseif ($diff.Days -ge 36 -and $diff.Days -le 1089) {
                     $Term = 'Yearly'
                 } elseif ($diff.Days -ge 1090 -and $diff.Days -le 1100) {
                     $Term = '3 Year'
-                } elseif ($diff.Days -ge 25 -and $diff.Days -le 31) {
+                } elseif ($diff.Days -ge 25 -and $diff.Days -le 35) {
                     $Term = 'Monthly'
                 }
                 $TimeUntilRenew = ($subinfo.nextLifecycleDateTime - (Get-Date)).days

Modules/CIPPCore/Public/Get-CIPPLicenseOverview.ps1

@@ -19,6 +19,10 @@ function Get-CIPPMDEOnboardingReport {
             $TenantList = Get-Tenants -IncludeErrors
             $Tenants = $Tenants | Where-Object { $TenantList.defaultDomainName -contains $_ }
 
+            if (-not $Tenants) {
+                throw 'No MDE onboarding data found in reporting database for any tenant. Sync the report data first.'
+            }
+
             $AllResults = [System.Collections.Generic.List[PSCustomObject]]::new()
             foreach ($Tenant in $Tenants) {
                 try {