fix: Improve error handling and logging in Push-UpdatePermissionsQueue and Invoke-ExecUpdateRefreshToken functions

JohnDuprey · JohnDuprey · commit c3fdef46282d · 2026-04-13T14:20:30.000-04:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1
@@ -30,8 +30,8 @@ function Push-UpdatePermissionsQueue {
 
         # Check for permission failures (excluding service principal creation failures)
         $AllResults = @($AppResults) + @($DelegatedResults)
-        $PermissionFailures = $AllResults | Where-Object { 
-            $_ -like '*Failed*' -and 
+        $PermissionFailures = $AllResults | Where-Object {
+            $_ -like '*Failed*' -and
             $_ -notlike '*Failed to create service principal*'
         }
 
@@ -71,7 +71,8 @@ function Push-UpdatePermissionsQueue {
             }
         }
     } catch {
-        Write-Information "Error updating permissions for $($Item.displayName)"
-        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue'
+        Write-Information "Error updating permissions for $($Item.displayName): $($_.Exception.Message)"
+        Write-Information $_.InvocationInfo.PositionMessage
+        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue' -LogData (Get-CippException -Exception $_)
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1
@@ -15,61 +15,58 @@ function Invoke-ExecUpdateRefreshToken {
         # Handle refresh token update
         #make sure we get the latest authentication:
         $auth = Get-CIPPAuthentication
+        $IsPartnerTenant = $env:TenantID -eq $Request.body.tenantId
+
         if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true' -or $env:NonLocalHostAzurite -eq 'true') {
             $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
             $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
-
-            if ($env:TenantID -eq $Request.body.tenantId) {
+            if ($IsPartnerTenant) {
                 $Secret | Add-Member -MemberType NoteProperty -Name 'RefreshToken' -Value $Request.body.refreshtoken -Force
-                # Set environment variable to make it immediately available
                 Set-Item -Path env:RefreshToken -Value $Request.body.refreshtoken -Force
             } else {
-                Write-Host "$($env:TenantID) does not match $($Request.body.tenantId)"
                 $name = $Request.body.tenantId -replace '-', '_'
-                $secret | Add-Member -MemberType NoteProperty -Name $name -Value $Request.body.refreshtoken -Force
-                # Set environment variable to make it immediately available
+                $Secret | Add-Member -MemberType NoteProperty -Name $name -Value $Request.body.refreshtoken -Force
                 Set-Item -Path env:$name -Value $Request.body.refreshtoken -Force
             }
             Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
         } else {
-            if ($env:TenantID -eq $Request.body.tenantId) {
+            if ($IsPartnerTenant) {
                 Set-CippKeyVaultSecret -VaultName $kv -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
-                # Set environment variable to make it immediately available
                 Set-Item -Path env:RefreshToken -Value $Request.body.refreshtoken -Force
-
-                # Trigger CPV refresh for partner tenant only
-                try {
-                    $Queue = New-CippQueueEntry -Name 'Update Permissions - Partner Tenant' -TotalTasks 1
-                    $TenantBatch = @([PSCustomObject]@{
-                            defaultDomainName = 'PartnerTenant'
-                            customerId        = $env:TenantID
-                            displayName       = '*Partner Tenant'
-                            FunctionName      = 'UpdatePermissionsQueue'
-                            QueueId           = $Queue.RowKey
-                        })
-                    $InputObject = [PSCustomObject]@{
-                        OrchestratorName = 'UpdatePermissionsOrchestrator'
-                        Batch            = @($TenantBatch)
-                    }
-                    Start-CIPPOrchestrator -InputObject $InputObject
-                    Write-Information 'Started permissions update orchestrator for Partner Tenant'
-                } catch {
-                    Write-Warning "Failed to start permissions orchestrator: $($_.Exception.Message)"
-                }
             } else {
-                Write-Host "$($env:TenantID) does not match $($Request.body.tenantId) - we're adding a new secret for the tenant."
+                Write-Information "$($env:TenantID) does not match $($Request.body.tenantId) - adding a new secret for the tenant."
                 $name = $Request.body.tenantId
                 try {
                     Set-CippKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
-                    # Set environment variable to make it immediately available
                     Set-Item -Path env:$name -Value $Request.body.refreshtoken -Force
                 } catch {
-                    Write-Host "Failed to set secret $name in KeyVault. $($_.Exception.Message)"
+                    Write-Information "Failed to set secret $name in KeyVault. $($_.Exception.Message)"
                     throw $_
                 }
             }
         }
 
+        if ($IsPartnerTenant) {
+            try {
+                $Queue = New-CippQueueEntry -Name 'Update Permissions - Partner Tenant' -TotalTasks 1
+                $TenantBatch = @([PSCustomObject]@{
+                        defaultDomainName = 'PartnerTenant'
+                        customerId        = $env:TenantID
+                        displayName       = '*Partner Tenant'
+                        FunctionName      = 'UpdatePermissionsQueue'
+                        QueueId           = $Queue.RowKey
+                    })
+                $InputObject = [PSCustomObject]@{
+                    OrchestratorName = 'UpdatePermissionsOrchestrator'
+                    Batch            = @($TenantBatch)
+                }
+                Start-CIPPOrchestrator -InputObject $InputObject
+                Write-Information 'Started permissions update orchestrator for Partner Tenant'
+            } catch {
+                Write-Warning "Failed to start permissions orchestrator: $($_.Exception.Message)"
+            }
+        }
+
         if ($request.body.tenantId -eq $env:TenantID) {
             $TenantName = 'your partner tenant'
         } else {
diff --git a/Modules/CIPPCore/Public/New-CIPPDbRequest.ps1 b/Modules/CIPPCore/Public/New-CIPPDbRequest.ps1
@@ -32,6 +32,9 @@ function New-CIPPDbRequest {
 
         $Tenant = Get-Tenants -TenantFilter $TenantFilter | Select-Object -ExpandProperty defaultDomainName
         if (-not $Tenant) {
+            if ($TenantFilter -eq $env:TenantID) {
+                return $false
+            }
             throw "Tenant '$TenantFilter' not found"
         }
         $SafeTenantFilter = ConvertTo-CIPPODataFilterValue -Value $Tenant -Type String

Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,8 @@ function Push-UpdatePermissionsQueue {`
`30`	`30`
`31`	`31`	`# Check for permission failures (excluding service principal creation failures)`
`32`	`32`	`$AllResults = @($AppResults) + @($DelegatedResults)`
`33`		`- $PermissionFailures = $AllResults \| Where-Object {`
`34`		`- $_ -like 'Failed' -and`
	`33`	`+ $PermissionFailures = $AllResults \| Where-Object {`
	`34`	`+ $_ -like 'Failed' -and`
`35`	`35`	`$_ -notlike 'Failed to create service principal'`
`36`	`36`	`}`
`37`	`37`
`@@ -71,7 +71,8 @@ function Push-UpdatePermissionsQueue {`
`71`	`71`	`}`
`72`	`72`	`}`
`73`	`73`	`} catch {`
`74`		`- Write-Information "Error updating permissions for $($Item.displayName)"`
`75`		`- Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue'`
	`74`	`+ Write-Information "Error updating permissions for $($Item.displayName): $($_.Exception.Message)"`
	`75`	`+ Write-Information $_.InvocationInfo.PositionMessage`
	`76`	`+ Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue' -LogData (Get-CippException -Exception $_)`
`76`	`77`	`}`
`77`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,9 @@ function New-CIPPDbRequest {`
`32`	`32`
`33`	`33`	`$Tenant = Get-Tenants -TenantFilter $TenantFilter \| Select-Object -ExpandProperty defaultDomainName`
`34`	`34`	`if (-not $Tenant) {`
	`35`	`+ if ($TenantFilter -eq $env:TenantID) {`
	`36`	`+ return $false`
	`37`	`+ }`
`35`	`38`	`throw "Tenant '$TenantFilter' not found"`
`36`	`39`	`}`
`37`	`40`	`$SafeTenantFilter = ConvertTo-CIPPODataFilterValue -Value $Tenant -Type String`