In the name of SPEEEEEEEED

Author: Zacgoose

.github/instructions/auth-model.instructions.md

@@ -30,7 +30,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         ▼
     Get-GraphToken($tenantid, $scope, $AsApp)
         │
-        ├─ Check in-memory cache: $script:AccessTokens["{tenantid}-{scope}-{asApp}"]
+        ├─ Check process-wide .NET cache: [CIPP.CIPPTokenCache]::Lookup(key, 120)
         │    └─ Hit + not expired → return cached token
         │
         ├─ Determine grant type:
@@ -43,7 +43,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         │
         └─ POST to login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
              │
-             └─ Cache result in $script:AccessTokens with expires_on
+             └─ Cache result via [CIPP.CIPPTokenCache]::Store(key, json, expiresOn)
 ```
 
 The `-tenantid` parameter **drives token acquisition**, not just filtering. It determines which customer tenant the token is issued for.
@@ -116,10 +116,11 @@ Customer provides their own refresh token, stored in Key Vault per-tenant (keyed
 
 ## Token caching
 
-Tokens are cached in `$script:AccessTokens` — a synchronized hashtable keyed by `{tenantid}-{scope}-{asApp}`.
+Tokens are cached in `[CIPP.CIPPTokenCache]` — a process-wide `ConcurrentDictionary` backed by a static .NET class in `Shared/CIPPHttp/CIPPHttpClient.cs`.
 
-- **Per-runspace**: Not shared across Azure Functions instances
-- **Expiry-aware**: Checks `expires_on` (Unix timestamp) before returning cached token
+- **Process-wide**: Shared across all runspaces in the worker process (unlike the old `$script:AccessTokens` which was per-runspace)
+- **Cache key**: Built via `[CIPP.CIPPTokenCache]::BuildKey($tenantid, $scope, $asApp, $clientId, $grantType)`
+- **Expiry-aware**: `Lookup()` accepts a buffer (seconds) and returns `$false` for expired or soon-to-expire tokens
 - **Auto-refresh**: Expired tokens trigger automatic re-acquisition — no manual refresh needed
 - **Skip cache**: Pass `-SkipCache $true` to force a fresh token (rare, for debugging)
 

.gitignore

@@ -13,6 +13,7 @@ SendNotifications/config.json
 Output/
 node_modules/.yarn-integrity
 yarn.lock
+Shared/CIPPHttp/obj/
 
 # Cursor IDE
 .cursor/rules

Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-TokenWarmupTimer.ps1

@@ -6,12 +6,23 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     if (!$scope) { $scope = 'https://graph.microsoft.com/.default' }
     if (!$tenantid) { $tenantid = $env:TenantID }
 
-    # ── Fast path: return cached token immediately, skip all table lookups ──
-    $TokenKey = '{0}-{1}-{2}' -f $tenantid, $scope, $asApp
-    if ($SkipCache -ne $true -and $script:AccessTokens.$TokenKey -and [int](Get-Date -UFormat %s -Millisecond 0) -lt $script:AccessTokens.$TokenKey.expires_on) {
-        $AccessToken = $script:AccessTokens.$TokenKey
-        if ($ReturnRefresh) { return $AccessToken }
-        return @{ Authorization = "Bearer $($AccessToken.access_token)" }
+    $UseSharedTokenCache = ($SkipCache -ne $true) -and ($null -ne ('CIPP.CIPPTokenCache' -as [type]))
+
+    # ── Fast path: check shared .NET token cache before any table lookups ──
+    if ($UseSharedTokenCache) {
+        $CacheClientId = if ($AppID) { [string]$AppID } else { [string]$env:ApplicationID }
+        $GrantType = if ($asApp -eq $true -or ($null -ne $AppID -and $null -ne $AppSecret)) { 'client_credentials' } else { 'refresh_token' }
+        $SharedTokenCacheKey = [CIPP.CIPPTokenCache]::BuildKey([string]$tenantid, [string]$scope, [bool]$asApp, $CacheClientId, $GrantType)
+        $SharedCacheEntry = [CIPP.CIPPTokenCache]::Lookup($SharedTokenCacheKey, 120)
+        if ($SharedCacheEntry.Found -and -not [string]::IsNullOrWhiteSpace($SharedCacheEntry.TokenPayloadJson)) {
+            try {
+                $AccessToken = $SharedCacheEntry.TokenPayloadJson | ConvertFrom-Json -ErrorAction Stop
+                if ($ReturnRefresh) { return $AccessToken }
+                return @{ Authorization = "Bearer $($AccessToken.access_token)" }
+            } catch {
+                [CIPP.CIPPTokenCache]::Remove($SharedTokenCacheKey)
+            }
+        }
     }
 
     # ── Slow path: need a new token — do table lookups + token acquisition ──
@@ -98,30 +109,31 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
         }
     }
 
+    # Rebuild cache key after credential loading (env vars may have been set by Get-CIPPAuthentication)
+    if ($UseSharedTokenCache) {
+        $CacheClientId = if ($AppID) { [string]$AppID } else { [string]$env:ApplicationID }
+        $GrantType = if ($asApp -eq $true -or ($null -ne $AppID -and $null -ne $AppSecret)) { 'client_credentials' } else { 'refresh_token' }
+        $SharedTokenCacheKey = [CIPP.CIPPTokenCache]::BuildKey([string]$tenantid, [string]$scope, [bool]$asApp, $CacheClientId, $GrantType)
+    }
 
     try {
-        $TokenRequest = @{
-            Method      = 'POST'
-            Uri         = "https://login.microsoftonline.com/$($tenantid)/oauth2/v2.0/token"
-            Body        = $Authbody
-            ErrorAction = 'Stop'
+        $AccessToken = (Invoke-CIPPRestMethod -Method post -Uri "https://login.microsoftonline.com/$($tenantid)/oauth2/v2.0/token" -Body $Authbody -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop)
+        if ($null -eq $AccessToken.expires_on -and $AccessToken.expires_in) {
+            $ExpiresOn = [int](Get-Date -UFormat %s -Millisecond 0) + $AccessToken.expires_in
+            Add-Member -InputObject $AccessToken -NotePropertyName 'expires_on' -NotePropertyValue $ExpiresOn -Force
         }
-        if ($script:LoginWebSession) {
-            $TokenRequest.WebSession = $script:LoginWebSession
-        } else {
-            $TokenRequest.SessionVariable = 'NewLoginSession'
-        }
-        $AccessToken = (Invoke-RestMethod @TokenRequest)
-        if (!$script:LoginWebSession -and $NewLoginSession) {
-            $script:LoginWebSession = $NewLoginSession
+
+        if ($UseSharedTokenCache -and $SharedTokenCacheKey) {
+            try {
+                $TokenPayloadJson = $AccessToken | ConvertTo-Json -Depth 20 -Compress
+                [CIPP.CIPPTokenCache]::Store($SharedTokenCacheKey, $TokenPayloadJson, [int64]$AccessToken.expires_on)
+            } catch {
+                # Ignore shared cache write failures
+            }
         }
-        $ExpiresOn = [int](Get-Date -UFormat %s -Millisecond 0) + $AccessToken.expires_in
-        Add-Member -InputObject $AccessToken -NotePropertyName 'expires_on' -NotePropertyValue $ExpiresOn
-        if (!$script:AccessTokens) { $script:AccessTokens = [HashTable]::Synchronized(@{}) }
-        $script:AccessTokens.$TokenKey = $AccessToken
 
-        if ($ReturnRefresh) { $header = $AccessToken } else { $header = @{ Authorization = "Bearer $($AccessToken.access_token)" } }
-        return $header
+        if ($ReturnRefresh) { return $AccessToken }
+        return @{ Authorization = "Bearer $($AccessToken.access_token)" }
     } catch {
         # Track consecutive Graph API failures
         $TenantsTable = Get-CippTable -tablename Tenants

Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1

@@ -99,7 +99,7 @@ function New-ExoBulkRequest {
                 }
                 $BatchBodyJson = ConvertTo-Json -InputObject $BatchBodyObj -Depth 10
                 $BatchBodyJson = Get-CIPPTextReplacement -TenantFilter $tenantid -Text $BatchBodyJson
-                $Results = Invoke-RestMethod $BatchURL -ResponseHeadersVariable responseHeaders -Method POST -Body $BatchBodyJson -Headers $Headers -ContentType 'application/json; charset=utf-8'
+                $Results = Invoke-CIPPRestMethod $BatchURL -ResponseHeadersVariable responseHeaders -Method POST -Body $BatchBodyJson -Headers $Headers -ContentType 'application/json; charset=utf-8'
                 foreach ($Response in $Results.responses) {
                     $ReturnedData.Add($Response)
                 }

Modules/CIPPCore/Public/GraphHelper/New-ExoBulkRequest.ps1

@@ -98,7 +98,7 @@ function New-ExoRequest {
             if (!$Tenant.ComplianceUrl) {
                 Write-Verbose "Getting Compliance URL for $($tenant.defaultDomainName)"
                 $URL = "$Resource/adminapi/$ApiVersion/$($tenant.customerId)/EXOBanner('AutogenSession')?Version=$ModuleVersion"
-                Invoke-RestMethod -ResponseHeadersVariable ComplianceHeaders -MaximumRedirection 0 -ErrorAction SilentlyContinue -Uri $URL -Headers $Headers -SkipHttpErrorCheck | Out-Null
+                Invoke-CIPPRestMethod -ResponseHeadersVariable ComplianceHeaders -MaximumRedirection 0 -ErrorAction SilentlyContinue -Uri $URL -Headers $Headers -SkipHttpErrorCheck | Out-Null
                 $RedirectedHost = ([System.Uri]($ComplianceHeaders.Location | Select-Object -First 1)).Host
                 $RedirectedHostname = '{0}.ps.compliance.protection.outlook.com' -f ($RedirectedHost -split '\.' | Select-Object -First 1)
                 $Resource = "https://$($RedirectedHostname)"
@@ -121,7 +121,7 @@ function New-ExoRequest {
             $Headers.CommandName = '*'
             $URL = "$Resource/adminapi/v1.0/$($tenant.customerId)/EXOModuleFile?Version=$ModuleVersion"
             Write-Verbose "GET [ $URL ]"
-            return (Invoke-RestMethod -Uri $URL -Headers $Headers).value.exportedCmdlets -split ',' | Where-Object { $_ } | Sort-Object
+            return (Invoke-CIPPRestMethod -Uri $URL -Headers $Headers).value.exportedCmdlets -split ',' | Where-Object { $_ } | Sort-Object
         }
 
         if ($PSCmdlet.ParameterSetName -eq 'ExoRequest') {
@@ -140,7 +140,7 @@ function New-ExoRequest {
                         ContentType = 'application/json; charset=utf-8'
                     }
 
-                    $Return = Invoke-RestMethod @ExoRequestParams -ResponseHeadersVariable ResponseHeaders
+                    $Return = Invoke-CIPPRestMethod @ExoRequestParams -ResponseHeadersVariable ResponseHeaders
                     $URL = $Return.'@odata.nextLink'
                     $Return
                 } until ($null -eq $URL)

Modules/CIPPCore/Public/GraphHelper/New-ExoRequest.ps1

@@ -47,11 +47,11 @@ function New-GraphBulkRequest {
                 # Use select to create hashtables of id, method and url for each call
                 $req['requests'] = ($Requests[$i..($i + 19)])
                 $ReqBody = (ConvertTo-Json -InputObject $req -Compress -Depth 100)
-                $Return = Invoke-RestMethod -Uri $URL -Method POST -Headers $headers -ContentType 'application/json; charset=utf-8' -Body $ReqBody
+                $Return = Invoke-CIPPRestMethod -Uri $URL -Method POST -Headers $headers -ContentType 'application/json; charset=utf-8' -Body $ReqBody
                 if ($Return.headers.'retry-after') {
                     #Revist this when we are pushing this data into our custom schema instead.
                     $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp
-                    Invoke-RestMethod -Uri $URL -Method POST -Headers $headers -ContentType 'application/json; charset=utf-8' -Body $ReqBody
+                    Invoke-CIPPRestMethod -Uri $URL -Method POST -Headers $headers -ContentType 'application/json; charset=utf-8' -Body $ReqBody
                 }
                 $Return
             }

Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1

@@ -71,27 +71,15 @@ function New-GraphGetRequest {
                         ContentType = 'application/json; charset=utf-8'
                     }
 
-                    # Reuse WebSession for TCP/TLS connection pooling (PS 7.4+)
-                    if ($script:GraphWebSession) {
-                        $GraphRequest.WebSession = $script:GraphWebSession
-                    } else {
-                        $GraphRequest.SessionVariable = 'NewGraphSession'
-                    }
-
                     if ($ReturnRawResponse) {
                         $GraphRequest.SkipHttpErrorCheck = $true
                         $Data = Invoke-WebRequest @GraphRequest
                     } else {
                         $GraphRequest.ResponseHeadersVariable = 'ResponseHeaders'
-                        $Data = (Invoke-RestMethod @GraphRequest)
+                        $Data = (Invoke-CIPPRestMethod @GraphRequest)
                         $script:LastGraphResponseHeaders = $ResponseHeaders
                     }
 
-                    # Store the WebSession for future calls in this runspace
-                    if (!$script:GraphWebSession -and $NewGraphSession) {
-                        $script:GraphWebSession = $NewGraphSession
-                    }
-
                     # If we reach here, the request was successful
                     $RequestSuccessful = $true
 

Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1

@@ -48,7 +48,7 @@ function New-GraphPOSTRequest {
         do {
             try {
                 Write-Information "$($type.ToUpper()) [ $uri ] | tenant: $tenantid | attempt: $($RetryCount + 1) of $maxRetries"
-                $ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType $contentType -SkipHttpErrorCheck:$IgnoreErrors -ResponseHeadersVariable responseHeaders)
+                $ReturnedData = (Invoke-CIPPRestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType $contentType -SkipHttpErrorCheck:$IgnoreErrors -ResponseHeadersVariable responseHeaders)
                 $RequestSuccessful = $true
             } catch {
                 $ShouldRetry = $false