
Commit 6f3579c

authored
Merge pull request #999 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents 084bbee + d817b6d commit 6f3579c

18 files changed

Lines changed: 329 additions & 132 deletions


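--- a/Config/FeatureFlags.json
+++ b/Config/FeatureFlags.json
@@ -38,7 +38,6 @@
 ],
 "Pages": [
 "/cipp/advanced/super-admin/cipp-users",
-"/cipp/advanced/super-admin/sso",
 "/cipp/advanced/super-admin/container",
 "/cipp/advanced/container-logs",
 "/cipp/advanced/worker-health"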

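--- a/Config/SAMManifest.json
+++ b/Config/SAMManifest.json
@@ -10,20 +10,7 @@
 "http://localhost:8400"
 ]
 },
-"servicePrincipalLockConfiguration": {
-"isEnabled": true,
-"allProperties": true
-},
 "requiredResourceAccess": [
-{
-"resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
-"resourceAccess": [
-{
-"id": "594c1fb6-4f81-4475-ae41-0c394909246c",
-"type": "Scope"
-}
-]
-},
 {
 "resourceAppId": "aeb86249-8ea3-49e2-900b-54cc8e308f85",
 "resourceAccess": [
@@ -48,6 +35,10 @@
 "id": "5e1e9171-754d-478c-812c-f1755a9a4c2d",
 "type": "Role"
 },
+{
+"id": "57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e",
+"type": "Role"
+},
 {
 "id": "f3a65bd4-b703-46df-8f7e-0174fea562aa",
 "type": "Role"
@@ -60,6 +51,10 @@
 "id": "35930dcf-aceb-4bd1-b99a-8ffed403c974",
 "type": "Role"
 },
+{
+"id": "c8948c23-e66b-42db-83fd-770b71ab78d2",
+"type": "Role"
+},
 {
 "id": "cac88765-0581-4025-9725-5ebc13f729ee",
 "type": "Role"
@@ -92,10 +87,6 @@
 "id": "9255e99d-faf5-445e-bbf7-cb71482737c4",
 "type": "Role"
 },
-{
-"id": "8b9d79d0-ad75-4566-8619-f7500ecfcebe",
-"type": "Scope"
-},
 {
 "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee",
 "type": "Role"
@@ -116,6 +107,10 @@
 "id": "75359482-378d-4052-8f01-80520e7db3cd",
 "type": "Role"
 },
+{
+"id": "2d9bd318-b883-40be-9df7-63ec4fcdc424",
+"type": "Role"
+},
 {
 "id": "bf7b1a76-6e77-406b-b258-bf5c7720e98f",
 "type": "Role"
@@ -224,6 +219,14 @@
 "id": "4437522e-9a86-4a41-a7da-e380edd4a97d",
 "type": "Role"
 },
+{
+"id": "0a42382f-155c-4eb1-9bdc-21548ccaa387",
+"type": "Role"
+},
+{
+"id": "a94a502d-0281-4d15-8cd2-682ac9362c4c",
+"type": "Role"
+},
 {
 "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
 "type": "Role"
@@ -232,6 +235,10 @@
 "id": "50483e42-d915-4231-9639-7fdb7fd190e5",
 "type": "Role"
 },
+{
+"id": "d72bdbf4-a59b-405c-8b04-5995895819ac",
+"type": "Role"
+},
 {
 "id": "bdfbf15f-ee85-4955-8675-146e8e5296b5",
 "type": "Scope"
@@ -332,6 +339,10 @@
 "id": "0c5e8a55-87a6-4556-93ab-adc52c4d862d",
 "type": "Scope"
 },
+{
+"id": "8b9d79d0-ad75-4566-8619-f7500ecfcebe",
+"type": "Scope"
+},
 {
 "id": "662ed50a-ac44-4eef-ad86-62eed9be2a29",
 "type": "Scope"
@@ -400,6 +411,10 @@
 "id": "46ca0847-7e6b-426e-9775-ea810a948356",
 "type": "Scope"
 },
+{
+"id": "1e9b7a7e-4d64-44ff-acf5-2e9651c1519f",
+"type": "Scope"
+},
 {
 "id": "346c19ff-3fb2-4e81-87a0-bac9e33990c1",
 "type": "Scope"
@@ -528,6 +543,10 @@
 "id": "b98bfd41-87c6-45cc-b104-e2de4f0dafb9",
 "type": "Scope"
 },
+{
+"id": "424b07a8-1209-4d17-9fe4-9018a93a1024",
+"type": "Scope"
+},
 {
 "id": "cac97e40-6730-457d-ad8d-4852fddab7ad",
 "type": "Scope"
@@ -551,38 +570,31 @@
 {
 "id": "b7887744-6746-4312-813d-72daeaee7e2d",
 "type": "Scope"
-},
+}
+]
+},
+{
+"resourceAppId": "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd",
+"resourceAccess": [
 {
-"id": "424b07a8-1209-4d17-9fe4-9018a93a1024",
+"id": "1cebfa2a-fb4d-419e-b5f9-839b4383e05a",
 "type": "Scope"
-},
-{
-"id": "0a42382f-155c-4eb1-9bdc-21548ccaa387",
-"type": "Role"
-},
-{
-"id": "2d9bd318-b883-40be-9df7-63ec4fcdc424",
-"type": "Role"
-},
+}
+]
+},
+{
+"resourceAppId": "00000012-0000-0000-c000-000000000000",
+"resourceAccess": [
 {
-"id": "c8948c23-e66b-42db-83fd-770b71ab78d2",
+"id": "e23bd57d-bfd5-4906-867f-89fb5ed8cd43",
 "type": "Role"
 },
 {
-"id": "a94a502d-0281-4d15-8cd2-682ac9362c4c",
+"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",
 "type": "Role"
 },
 {
-"id": "d72bdbf4-a59b-405c-8b04-5995895819ac",
-"type": "Role"
-}
-]
-},
-{
-"resourceAppId": "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd",
-"resourceAccess": [
-{
-"id": "1cebfa2a-fb4d-419e-b5f9-839b4383e05a",
+"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
 "type": "Scope"
 }
 ]
@@ -591,23 +603,23 @@
 "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
 "resourceAccess": [
 {
-"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
+"id": "ef54d2bf-783f-4e0f-bca1-3210c0444d99",
 "type": "Role"
 },
 {
-"id": "ef54d2bf-783f-4e0f-bca1-3210c0444d99",
+"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
 "type": "Role"
 },
 {
 "id": "f9156939-25cd-4ba8-abfe-7fabcf003749",
 "type": "Role"
 },
 {
-"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
+"id": "bbd1ca91-75e0-4814-ad94-9c5dbbae3415",
 "type": "Scope"
 },
 {
-"id": "bbd1ca91-75e0-4814-ad94-9c5dbbae3415",
+"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
 "type": "Scope"
 },
 {
@@ -616,6 +628,15 @@
 }
 ]
 },
+{
+"resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
+"resourceAccess": [
+{
+"id": "594c1fb6-4f81-4475-ae41-0c394909246c",
+"type": "Scope"
+}
+]
+},
 {
 "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
 "resourceAccess": [
@@ -647,5 +668,9 @@
 }
 ]
 }
-]
-}
+],
+"servicePrincipalLockConfiguration": {
+"isEnabled": true,
+"allProperties": true
+}
+}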
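Review bot: The net-new grants in this section are buried among reordered entries, so the privilege expansion of the SAM app is easy to miss: `57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e` (`Role`) and `1e9b7a7e-4d64-44ff-acf5-2e9651c1519f` (`Scope`) join existing resources, and a new resource `00000012-0000-0000-c000-000000000000` arrives with two `Role` entries and one `Scope`. Every other added id also appears on a removed line in this section, so those are moves rather than new access. Strict JSON cannot carry comments, so the permission name behind each new GUID and the feature that needs it should be recorded in the commit description, for example one line per id of the form `Adds <permission name> (application) for <feature>`, with the reorder landed as a separate commit. `Role` entries are app-only permissions that apply without a signed-in user once consented, so each one deserves a least-privilege check before this manifest reaches customer tenants.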

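--- a/Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1
+++ b/Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1
@@ -104,24 +104,6 @@ function Push-CIPPDBCacheData {
 QueueName = "DB Cache Graph - $TenantFilter"
 })
 
-# SharePoint config + site data
-$Tasks.Add(@{
-FunctionName = 'ExecCIPPDBCache'
-CollectionType = 'SharePoint'
-TenantFilter = $TenantFilter
-QueueId = $QueueId
-QueueName = "DB Cache SharePoint - $TenantFilter"
-})
-
-# Teams config + usage data
-$Tasks.Add(@{
-FunctionName = 'ExecCIPPDBCache'
-CollectionType = 'Teams'
-TenantFilter = $TenantFilter
-QueueId = $QueueId
-QueueName = "DB Cache Teams - $TenantFilter"
-})
-
 # MFAState runs as its own activity — it makes 6+ API calls, bulk group/role member
 # resolution, and O(users × policies) CPU work that can take minutes on large tenants
 $Tasks.Add(@{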

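--- a/Modules/CIPPCore/Public/Authentication/Initialize-CIPPAuth.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Initialize-CIPPAuth.ps1
@@ -88,7 +88,7 @@ function Initialize-CIPPAuth {
 Write-Information "[Auth-Init] EasyAuth clientId ($ConfiguredAppId) differs from migration app — migration complete, cleaning up"
 $Removed = Remove-CIPPMigrationAppSetting -SettingName 'CIPP_SSO_MIGRATION_APPID'
 if ($Removed) {
-[Craft.Services.AppLifecycleBridge]::RequestRestart('SSO migration env var cleaned up during warmup')
+Request-CIPPRestart -Reason 'SSO migration env var cleaned up during warmup'
 }
 } else {
 Write-Information '[Auth-Init] No clientId found in EasyAuth config — skipping cleanup'
@@ -134,7 +134,7 @@ function Initialize-CIPPAuth {
 $Configured = Set-CIPPSSOEasyAuth -AppId $ConfiguredAppId -MultiTenant $SSOMultiTenant -TenantId $env:TenantID
 if ($Configured) {
 Write-Information '[Auth-Init] EasyAuth issuer updated — requesting container restart'
-[Craft.Services.AppLifecycleBridge]::RequestRestart('EasyAuth issuer updated to match SSOMultiTenant setting during warmup')
+Request-CIPPRestart -Reason 'EasyAuth issuer updated to match SSOMultiTenant setting during warmup'
 }
 } else {
 Write-Information "[Auth-Init] EasyAuth issuer matches SSOMultiTenant setting ($SSOMultiTenant) — no update needed"
@@ -155,7 +155,7 @@ function Initialize-CIPPAuth {
 $Configured = Set-CIPPSSOEasyAuth -AppId $env:CIPP_SSO_MIGRATION_APPID -MultiTenant $false -TenantId $env:TenantID -UseKvReferences -ImplicitAuth
 if ($Configured) {
 Write-Information '[Auth-Init] Implicit auth EasyAuth configured — requesting restart'
-[Craft.Services.AppLifecycleBridge]::RequestRestart('Implicit auth EasyAuth configured with central migration app during warmup')
+Request-CIPPRestart -Reason 'Implicit auth EasyAuth configured with central migration app during warmup'
 }
 } catch {
 Write-Information "[Auth-Init] Implicit auth EasyAuth setup failed (non-fatal): $_"
@@ -186,7 +186,7 @@ function Initialize-CIPPAuth {
 $Configured = Set-CIPPSSOEasyAuth -AppId $SSOAppId -MultiTenant $SSOMultiTenant -TenantId $env:TenantID -UseKvReferences
 if ($Configured) {
 Write-Information '[Auth-Init] EasyAuth configured — requesting container restart'
-[Craft.Services.AppLifecycleBridge]::RequestRestart('EasyAuth configured from SSO credentials during warmup')
+Request-CIPPRestart -Reason 'EasyAuth configured from SSO credentials during warmup'
 }
 } else {
 Write-Information '[Auth-Init] SAM credentials loaded but no SSO AppId found — enabling setup wizard'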

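--- a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -241,7 +241,7 @@ function Test-CIPPAccess {
 }
 }
 
-if ($Permissions -contains 'CIPP.AppSettings.ReadWrite' -and $env:CIPPNG -ne 'true' -and $env:CIPP_SSO_MIGRATION_PROMPT -eq 'true') {
+if ($env:CIPPNG -ne 'true') {
 try {
 $SSOTable = Get-CIPPTable -tablename 'SSOMigration'
 $SSOMigration = Get-CIPPAzDataTableEntity @SSOTable -Filter "PartitionKey eq 'SSO' and RowKey eq 'MigrationConfig'" -ErrorAction SilentlyContinue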
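Review bot: The rewritten condition on new line 244 drops the `$Permissions -contains 'CIPP.AppSettings.ReadWrite'` check, so the SSO-migration block now runs for every caller on non-CIPPNG instances instead of only for users allowed to change app settings. What the block does with `$SSOMigration` lies outside the hunk, but whatever it surfaces from the `SSOMigration` table would become reachable by lower-privileged roles, and the table lookup likely runs on each access check. If only the `CIPP_SSO_MIGRATION_PROMPT` opt-in was meant to go, keep the permission gate: `if ($Permissions -contains 'CIPP.AppSettings.ReadWrite' -and $env:CIPPNG -ne 'true') {`. The body of `Test-CIPPAccess` continues past the end of the hunk.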

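--- a/Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-ContainerUpdateCheck.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-ContainerUpdateCheck.ps1
@@ -176,7 +176,7 @@ function Start-ContainerUpdateCheck {
 if ($UpdateAvailable -and $Settings.AutoUpdate -eq 'true') {
 Write-LogMessage -API 'ContainerUpdateCheck' -message "Auto-update: new container image detected (running: $RunningDigest, remote: $RemoteDigest). Restarting." -sev Info
 try {
-[Craft.Services.AppLifecycleBridge]::RequestRestart('Auto-update: new container image available')
+Request-CIPPRestart -Reason 'Auto-update: new container image available'
 } catch {
 Write-LogMessage -API 'ContainerUpdateCheck' -message 'Auto-restart requested but AppLifecycleBridge is not available' -sev Warning
 }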
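Review bot: The `catch` on new line 180 still logs 'AppLifecycleBridge is not available', which no longer describes the failure. `Request-CIPPRestart`, as added in this commit, tries the ARM restart call first and only then falls back to the bridge, so this handler is reached when both paths have failed. Logging the real error lets an operator tell a missing bridge from a rejected ARM call: `Write-LogMessage -API 'ContainerUpdateCheck' -message "Auto-restart requested but restart failed: $($_.Exception.Message)" -sev Warning`. The function body continues outside the hunk.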

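--- a/Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1
+++ b/Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1
@@ -108,7 +108,8 @@ function Get-CIPPTenantAlignment {
 }
 }
 
-if ($Tenant -and -not $tenantData.ContainsKey($Tenant)) {
+if (-not $Tenant) { continue }
+if (-not $tenantData.ContainsKey($Tenant)) {
 $tenantData[$Tenant] = @{}
 }
 $tenantData[$Tenant][$FieldName] = @{
@@ -224,7 +225,8 @@ function Get-CIPPTenantAlignment {
 foreach ($Tag in $IntuneTemplate.'TemplateList-Tags') {
 $IntuneActions = if ($IntuneTemplate.action) { $IntuneTemplate.action } else { @() }
 $IntuneReportingEnabled = ($IntuneActions | Where-Object { $_.value -and ($_.value.ToLower() -eq 'report' -or $_.value.ToLower() -eq 'remediate') }).Count -gt 0
-$TagTemplate = if ($TemplatesByPackage.ContainsKey($Tag.value)) { $TemplatesByPackage[$Tag.value] } else { @() }
+$TagValue = if ($Tag.value) { $Tag.value } else { $Tag }
+$TagTemplate = if ($TagValue -and $TemplatesByPackage.ContainsKey($TagValue)) { $TemplatesByPackage[$TagValue] } else { @() }
 $TagTemplate | ForEach-Object {
 $TagStandardId = "standards.IntuneTemplate.$($_.GUID)"
 [PSCustomObject]@{
@@ -289,8 +291,10 @@ function Get-CIPPTenantAlignment {
 }
 }
 
-$AllStandards = $StandardsData.StandardId
-$AllStandardsArray = @($AllStandards)
+if (-not $StandardsData) { continue }
+$AllStandards = @($StandardsData.StandardId | Where-Object { $_ })
+if ($AllStandards.Count -eq 0) { continue }
+$AllStandardsArray = $AllStandards
 $ReportingDisabledStandards = ($StandardsData | Where-Object { -not $_.ReportingEnabled }).StandardId
 $ReportingDisabledSet = [System.Collections.Generic.HashSet[string]]::new()
 foreach ($item in $ReportingDisabledStandards) { [void]$ReportingDisabledSet.Add($item) }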
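Review bot: The `continue` guards added at new lines 294 and 296 drop the current item from the alignment result without any trace, so an entry that resolves to no standards would simply be missing from the report rather than flagged. The enclosing loop is outside the hunk; confirm it is a `foreach` statement, since `continue` inside a `ForEach-Object` script block does more than skip one item. A one-line trace before skipping keeps the gap visible, e.g. `if (-not $StandardsData) { Write-Information 'Tenant alignment: no standards data, skipping entry'; continue }`. `$AllStandardsArray = $AllStandards` on new line 297 is now a plain alias and could go if nothing later depends on the second name.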
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
function Request-CIPPRestart {
2+
<#
3+
.SYNOPSIS
4+
Requests a graceful application restart.
5+
.DESCRIPTION
6+
Attempts to restart the application using the AppLifecycleBridge for a graceful in-process restart.
7+
Falls back to the Azure ARM REST API if the bridge is unavailable.
8+
.PARAMETER Reason
9+
Log message explaining why the restart was requested.
10+
.FUNCTIONALITY
11+
Internal
12+
#>
13+
[CmdletBinding()]
14+
param(
15+
[Parameter(Mandatory = $true)]
16+
[string]$Reason
17+
)
18+
19+
try {
20+
$Subscription = Get-CIPPAzFunctionAppSubId
21+
$SiteName = $env:WEBSITE_SITE_NAME
22+
$RGName = $env:WEBSITE_RESOURCE_GROUP
23+
if (-not $RGName) {
24+
$Owner = $env:WEBSITE_OWNER_NAME
25+
if ($Owner -match '^(?<SubscriptionId>[^+]+)\+(?<RGName>[^-]+(?:-[^-]+)*?)(?:-[^-]+webspace(?:-Linux)?)?$') {
26+
$RGName = $Matches.RGName
27+
}
28+
}
29+
if (-not ($Subscription -and $RGName -and $SiteName)) {
30+
throw 'Azure App Service details could not be determined from environment'
31+
}
32+
$restartUrl = "https://management.azure.com/subscriptions/$Subscription/resourceGroups/$RGName/providers/Microsoft.Web/sites/$SiteName/restart?api-version=2024-04-01"
33+
$null = New-CIPPAzRestRequest -Uri $restartUrl -Method POST
34+
} catch {
35+
Write-Information "ARM REST API restart failed, falling back to AppLifecycleBridge: $($_.Exception.Message)"
36+
[Craft.Services.AppLifecycleBridge]::RequestRestart($Reason)
37+
}
38+
}
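Review bot: The comment-based help says the bridge is tried first with ARM as the fallback, but the body does the opposite: the ARM `restart` POST runs inside the `try`, and `[Craft.Services.AppLifecycleBridge]::RequestRestart($Reason)` is only reached from the `catch`. Align the `.DESCRIPTION` with the code, e.g. `Restarts the App Service through the Azure ARM REST API; falls back to AppLifecycleBridge if that call fails.` On the ARM path `$Reason` is never used, so a successful restart leaves no record of why it was requested; adding `Write-Information "[Restart] Requested: $Reason"` ahead of the request would keep that audit trail. If the bridge type is absent, the fallback throws out of the `catch`, so callers still need their own error handling.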
