rtbsec
diff --git a/‎.github/workflows/PR_Branch_Check.yml‎
Lines changed: 32 additions & 8 deletions b/‎.github/workflows/PR_Branch_Check.yml‎
Lines changed: 32 additions & 8 deletions
diff --git a/‎Config/CIPPTimers.json‎
Lines changed: 15 additions & 0 deletions b/‎Config/CIPPTimers.json‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1‎
Lines changed: 21 additions & 0 deletions b/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Graph Requests/Push-ListGraphRequestQueue.ps1‎
Lines changed: 9 additions & 0 deletions b/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Graph Requests/Push-ListGraphRequestQueue.ps1‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1‎
Lines changed: 41 additions & 1 deletion b/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1‎
Lines changed: 41 additions & 1 deletion
diff --git a/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1‎
Lines changed: 47 additions & 23 deletions b/‎Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1‎
Lines changed: 47 additions & 23 deletions
@@ -16,22 +16,46 @@ permissions:
 
 jobs:
   check-branch:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     steps:
       - name: Check and Comment on PR
         # Only process fork PRs with specific branch conditions
         # Must be a fork AND (source is main/master OR target is main/master)
         if: |
-          github.event.pull_request.head.repo.fork == true && 
+          github.event.pull_request.head.repo.fork == true &&
           ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') ||
           (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master'))
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             let message = '';
 
-            message += '🔄 If you are attempting to update your CIPP repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating ';
+            // Check if the fork has open PRs (indicates pull bot or similar is active)
+            const forkOwner = context.payload.pull_request.head.repo.owner.login;
+            const forkRepo = context.payload.pull_request.head.repo.name;
+            const forkPullsUrl = context.payload.pull_request.head.repo.html_url + '/pulls';
+
+            let openPRs = [];
+            try {
+              const { data: prs } = await github.rest.pulls.list({
+                owner: forkOwner,
+                repo: forkRepo,
+                state: 'open',
+                per_page: 5
+              });
+              openPRs = prs;
+            } catch (e) {
+              // Can't read fork PRs — skip
+            }
+
+            message += '🔄 If you are attempting to update your CIPP-API repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating. Are you a sponsor? Contact the helpdesk for direct assistance with updating to the latest version.';
+
+            if (openPRs.length > 0) {
+              message += ` It looks like you may already have a pending update PR on your fork — check your [open pull requests](${forkPullsUrl}) to accept it.`;
+            } else {
+              message += ` You can enable [Pull Bot](https://github.com/apps/pull) or [Repo Sync](https://github.com/apps/repo-sync) to automatically keep your fork up to date.`;
+            }
             message += '\n\n';
 
             // Check if PR is targeting main/master
@@ -40,20 +64,20 @@ jobs:
             }
 
             // Check if PR is from a fork's main/master branch
-            if (context.payload.pull_request.head.repo.fork && 
+            if (context.payload.pull_request.head.repo.fork &&
                 (context.payload.pull_request.head.ref === 'main' || context.payload.pull_request.head.ref === 'master')) {
               message += '⚠️ This PR cannot be merged because it originates from your fork\'s main/master branch. If you are attempting to contribute code please PR from your dev branch or another non-main/master branch.\n\n';
             }
 
-            message += '🔒 This PR will now be automatically closed due to the above violation(s).';
-            
+            message += '🔒 This PR will now be automatically closed due to the above rules.';
+
             // Post the comment
             await github.rest.issues.createComment({
               ...context.repo,
               issue_number: context.issue.number,
               body: message
             });
-            
+
             // Close the PR
             await github.rest.pulls.update({
               ...context.repo,
 
@@ -78,6 +78,7 @@
     "Cron": "0 0 */12 * * *",
     "Priority": 4,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "PreferredProcessor": "standards"
   },
   {
@@ -87,6 +88,7 @@
     "Cron": "0 15 */12 * * *",
     "Priority": 5,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "PreferredProcessor": "standards"
   },
   {
@@ -120,6 +122,7 @@
     "Cron": "0 0 0 * * 0",
     "Priority": 7,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -137,6 +140,7 @@
     "Description": "Orchestrator to process domains",
     "Cron": "0 30 5 * * *",
     "Priority": 22,
+    "TZOffset": true,
     "RunOnProcessor": true
   },
   {
@@ -149,6 +153,7 @@
     "Cron": "0 0 23 * * *",
     "Priority": 10,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -158,6 +163,7 @@
     "Cron": "0 0 0 * * *",
     "Priority": 10,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -166,6 +172,7 @@
     "Description": "Timer to process billing",
     "Cron": "0 0 0 * * *",
     "Priority": 12,
+    "TZOffset": true,
     "RunOnProcessor": true
   },
   {
@@ -174,6 +181,7 @@
     "Description": "Orchestrator to process BPA reports",
     "Cron": "0 0 3 * * *",
     "Priority": 10,
+    "TZOffset": true,
     "RunOnProcessor": true
   },
   {
@@ -191,6 +199,7 @@
     "Cron": "0 0 0 * * *",
     "Priority": 15,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -200,6 +209,7 @@
     "Cron": "0 0 23 * * *",
     "Priority": 20,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -212,6 +222,7 @@
     "Cron": "0 0 0 * * *",
     "Priority": 20,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -221,6 +232,7 @@
     "Cron": "0 0 2 * * *",
     "Priority": 21,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -230,6 +242,7 @@
     "Cron": "0 30 2 * * *",
     "Priority": 22,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -239,6 +252,7 @@
     "Cron": "0 0 3 * * *",
     "Priority": 23,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   },
   {
@@ -248,6 +262,7 @@
     "Cron": "0 0 4 * * *",
     "Priority": 24,
     "RunOnProcessor": true,
+    "TZOffset": true,
     "IsSystem": true
   }
 ]
@@ -62,6 +62,7 @@ function Push-DomainAnalyserDomain {
         MSCNAMEDKIMSelectors   = ''
         EnterpriseEnrollment   = ''
         EnterpriseRegistration = ''
+        AutoDiscover           = ''
         Score                  = ''
         MaximumScore           = 160
         ScorePercentage        = ''
@@ -293,6 +294,26 @@ function Push-DomainAnalyserDomain {
     }
     #EndRegion Intune Enrollment CNAME Check
 
+    #Region AutoDiscover Check
+    try {
+        $AutoDiscoverRecord = Read-AutoDiscoverRecord -Domain $Domain
+        $AutoDiscoverFailCount = $AutoDiscoverRecord.ValidationFails | Measure-Object | Select-Object -ExpandProperty Count
+        $AutoDiscoverWarnCount = $AutoDiscoverRecord.ValidationWarns | Measure-Object | Select-Object -ExpandProperty Count
+        if ($AutoDiscoverFailCount -eq 0 -and $AutoDiscoverWarnCount -eq 0) {
+            $Result.AutoDiscover = 'Correct'
+        } elseif ($AutoDiscoverFailCount -eq 0) {
+            $Result.AutoDiscover = "$($AutoDiscoverRecord.RecordType): $($AutoDiscoverRecord.Record)"
+            $ScoreExplanation.Add("AutoDiscover $($AutoDiscoverRecord.RecordType) record points to unexpected target") | Out-Null
+        } else {
+            $Result.AutoDiscover = 'No Record'
+            $ScoreExplanation.Add('No AutoDiscover DNS record found') | Out-Null
+        }
+    } catch {
+        $Result.AutoDiscover = 'Error'
+        Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message "AutoDiscover check error for $Domain" -LogData (Get-CippException -Exception $_) -sev Error
+    }
+    #EndRegion AutoDiscover Check
+
     #Region MSCNAME DKIM Records
     # Get Microsoft DKIM CNAME selector Records
     # Ugly, but i needed to create a scope/loop i could break out of without breaking the rest of the function
 
@@ -63,6 +63,15 @@ function Push-ListGraphRequestQueue {
             Data         = [string]$Json
         }
         Add-CIPPAzDataTableEntity @Table -Entity $GraphResults -Force | Out-Null
+
+        if ($env:CIPPNG -eq 'true') {
+            try {
+                [Craft.Services.CacheBridge]::InvalidateByScope('AllTenants')
+            } catch {
+                Write-Information "CacheBridge invalidation skipped: $($_.Exception.Message)"
+            }
+        }
+
         return $true
     } catch {
         Write-Warning "Queue Error: $($_.Exception.Message)"
 
@@ -65,7 +65,23 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Compliance license check failed: $($_.Exception.Message)" -sev Warning -LogData $ErrorMessage
         }
 
-        Write-Information "License capabilities for $TenantFilter - Intune: $IntuneCapable, CA: $ConditionalAccessCapable, P2: $AzureADPremiumP2Capable, Exchange: $ExchangeCapable, Compliance: $ComplianceCapable"
+        $SharePointCapable = $false
+        try {
+            $SharePointCapable = Test-CIPPStandardLicense -StandardName 'SharePointLicenseCheck' -TenantFilter $TenantFilter -RequiredCapabilities @('SHAREPOINTWAC', 'SHAREPOINTSTANDARD', 'SHAREPOINTENTERPRISE', 'SHAREPOINTENTERPRISE_EDU', 'ONEDRIVE_BASIC', 'ONEDRIVE_ENTERPRISE') -SkipLog
+        } catch {
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "SharePoint license check failed: $($_.Exception.Message)" -sev Warning -LogData $ErrorMessage
+        }
+
+        $TeamsCapable = $false
+        try {
+            $TeamsCapable = Test-CIPPStandardLicense -StandardName 'TeamsLicenseCheck' -TenantFilter $TenantFilter -RequiredCapabilities @('MCOSTANDARD', 'MCOEV', 'MCOIMP', 'TEAMS1', 'Teams_Room_Standard') -SkipLog
+        } catch {
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Teams license check failed: $($_.Exception.Message)" -sev Warning -LogData $ErrorMessage
+        }
+
+        Write-Information "License capabilities for $TenantFilter - Intune: $IntuneCapable, CA: $ConditionalAccessCapable, P2: $AzureADPremiumP2Capable, Exchange: $ExchangeCapable, Compliance: $ComplianceCapable, SharePoint: $SharePointCapable, Teams: $TeamsCapable"
 
         # Build grouped collection tasks — one activity per license category instead of one per cache type
         $Tasks = [System.Collections.Generic.List[object]]::new()
@@ -174,6 +190,30 @@ function Push-CIPPDBCacheData {
             Write-Host "Skipping Compliance data collection for $TenantFilter - no required license"
         }
 
+        if ($SharePointCapable) {
+            $Tasks.Add(@{
+                    FunctionName   = 'ExecCIPPDBCache'
+                    CollectionType = 'SharePoint'
+                    TenantFilter   = $TenantFilter
+                    QueueId        = $QueueId
+                    QueueName      = "DB Cache SharePoint - $TenantFilter"
+                })
+        } else {
+            Write-Host "Skipping SharePoint data collection for $TenantFilter - no required license"
+        }
+
+        if ($TeamsCapable) {
+            $Tasks.Add(@{
+                    FunctionName   = 'ExecCIPPDBCache'
+                    CollectionType = 'Teams'
+                    TenantFilter   = $TenantFilter
+                    QueueId        = $QueueId
+                    QueueName      = "DB Cache Teams - $TenantFilter"
+                })
+        } else {
+            Write-Host "Skipping Teams data collection for $TenantFilter - no required license"
+        }
+
         Write-Information "Built $($Tasks.Count) grouped cache tasks for tenant $TenantFilter (down from individual per-type tasks)"
 
         # Return the task list — the PostExecution function will aggregate and start a flat orchestrator
 
@@ -5,9 +5,11 @@ function Push-UpdatePermissionsQueue {
     #>
     param($Item)
 
-    try {
-        $DomainRefreshRequired = $false
+    $Status = 'Failed'
+    $FailureMessage = $null
+    $DomainRefreshRequired = $false
 
+    try {
         if (!$Item.defaultDomainName) {
             $DomainRefreshRequired = $true
         }
@@ -46,33 +48,55 @@ function Push-UpdatePermissionsQueue {
 
         if ($Item.defaultDomainName -ne 'PartnerTenant') {
             Write-Information 'Pushing CIPP-SAM admin roles'
-            Set-CIPPSAMAdminRoles -TenantFilter $Item.customerId
+            try {
+                Set-CIPPSAMAdminRoles -TenantFilter $Item.customerId
+            } catch {
+                $SamRoleError = Get-CippException -Exception $_
+                Write-Information "Failed to set CIPP-SAM admin roles for $($Item.displayName): $($_.Exception.Message)"
+                Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Failed to set CIPP-SAM admin roles for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Warning' -API 'UpdatePermissionsQueue' -LogData $SamRoleError
+                if ($Status -eq 'Success') {
+                    $Status = 'Failed'
+                    $FailureMessage = "Set-CIPPSAMAdminRoles: $($_.Exception.Message)"
+                }
+            }
         }
-
-        $Table = Get-CIPPTable -TableName cpvtenants
-        $unixtime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
-        $GraphRequest = @{
-            LastApply     = "$unixtime"
-            LastStatus    = "$Status"
-            applicationId = "$($env:ApplicationID)"
-            Tenant        = "$($Item.customerId)"
-            PartitionKey  = 'Tenant'
-            RowKey        = "$($Item.customerId)"
+    } catch {
+        Write-Information "Error updating permissions for $($Item.displayName): $($_.Exception.Message)"
+        Write-Information $_.InvocationInfo.PositionMessage
+        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue' -LogData (Get-CippException -Exception $_)
+        $Status = 'Failed'
+        if (-not $FailureMessage) {
+            $FailureMessage = $_.Exception.Message
         }
-        if ($PermissionFailures) {
-            $GraphRequest.LastError = $FailureMessage
+    } finally {
+        try {
+            $CpvTable = Get-CIPPTable -TableName cpvtenants
+            $unixtime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+            $GraphRequest = @{
+                LastApply     = "$unixtime"
+                LastStatus    = "$Status"
+                applicationId = "$($env:ApplicationID)"
+                Tenant        = "$($Item.customerId)"
+                PartitionKey  = 'Tenant'
+                RowKey        = "$($Item.customerId)"
+            }
+            if ($FailureMessage) {
+                $GraphRequest.LastError = "$FailureMessage"
+            }
+            Add-CIPPAzDataTableEntity @CpvTable -Entity $GraphRequest -Force
+        } catch {
+            Write-Information "Failed to persist cpvtenants row for $($Item.displayName): $($_.Exception.Message)"
         }
-        Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force
 
         if ($DomainRefreshRequired) {
-            $UpdatedTenant = Get-Tenants -TenantFilter $Item.customerId -TriggerRefresh
-            if ($UpdatedTenant.defaultDomainName) {
-                Write-Information "Updated tenant domains $($UpdatedTenant.defaultDomainName)"
+            try {
+                $UpdatedTenant = Get-Tenants -TenantFilter $Item.customerId -TriggerRefresh
+                if ($UpdatedTenant.defaultDomainName) {
+                    Write-Information "Updated tenant domains $($UpdatedTenant.defaultDomainName)"
+                }
+            } catch {
+                Write-Information "Failed to refresh tenant domains for $($Item.displayName): $($_.Exception.Message)"
             }
         }
-    } catch {
-        Write-Information "Error updating permissions for $($Item.displayName): $($_.Exception.Message)"
-        Write-Information $_.InvocationInfo.PositionMessage
-        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue' -LogData (Get-CippException -Exception $_)
     }
 }