Merge pull request #37 from KelvinTegelaar/master

[pull] master from KelvinTegelaar:master

Author: pull[bot]

Config/CIPPTimers.json

@@ -59,7 +59,7 @@
     "Id": "5ff6c500-e420-4a3b-8532-ace2e4da4f7d",
     "Command": "Start-ApplicationOrchestrator",
     "Description": "Orchestrator to process application uploads",
-    "Cron": "0 0 */12 * * *",
+    "Cron": "0 30 */12 * * *",
     "Priority": 2,
     "RunOnProcessor": true
   },
@@ -84,7 +84,7 @@
     "Id": "4d80205c-674d-4fc1-abeb-a1ec37e0d796",
     "Command": "Start-DriftStandardsOrchestrator",
     "Description": "Orchestrator to process drift standards",
-    "Cron": "0 0 */12 * * *",
+    "Cron": "0 15 */12 * * *",
     "Priority": 5,
     "RunOnProcessor": true,
     "PreferredProcessor": "standards"
@@ -101,15 +101,15 @@
     "Id": "ed7b5241-1cb9-499b-8f5b-1013ba5764b4",
     "Command": "Set-CIPPGDAPInviteGroups",
     "Description": "Orchestrator to map the groups for GDAP invites",
-    "Cron": "0 0 */3 * * *",
+    "Cron": "0 45 */3 * * *",
     "Priority": 5,
     "RunOnProcessor": true
   },
   {
     "Id": "0967c860-3a57-4860-8f33-e5136eae7b4e",
     "Command": "Start-TenantDynamicGroupOrchestrator",
     "Description": "Orchestrator to update dynamic tenant groups",
-    "Cron": "0 0 */4 * * *",
+    "Cron": "0 30 */4 * * *",
     "Priority": 6,
     "RunOnProcessor": true
   },
@@ -180,7 +180,7 @@
     "Id": "54c39540-fe91-4795-8613-ac4295751a51",
     "Command": "Start-ExtensionOrchestrator",
     "Description": "Orchestrator to process extensions",
-    "Cron": "0 0 */2 * * *",
+    "Cron": "0 45 */2 * * *",
     "Priority": 12,
     "RunOnProcessor": true
   },

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -193,6 +193,20 @@ function New-CIPPAPIConfig {
             if ($PSCmdlet.ShouldProcess($APIApp.displayName, 'Reset API Secret')) {
                 $Step = 'Resetting Application Password'
                 Write-Information 'Removing all old passwords'
+
+                $AppManagementPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' -AsApp $true -NoAuthCheck $true
+                $PasswordExpirationPolicy = $AppManagementPolicy.applicationRestrictions.passwordcredentials |
+                    Where-Object { $_.restrictionType -eq 'passwordLifetime' }
+
+                $NewPasswordCredential = @{
+                    displayName = 'Generated by API Setup'
+                }
+                if (-not ($PasswordExpirationPolicy.state -eq 'disabled' -or $null -eq $PasswordExpirationPolicy.state)) {
+                    $TimeToExpiration = [System.Xml.XmlConvert]::ToTimeSpan($PasswordExpirationPolicy.maxLifetime)
+                    $ExpirationDate = (Get-Date).AddDays($TimeToExpiration.Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
+                    $NewPasswordCredential.endDateTime = $ExpirationDate
+                }
+
                 $Requests = @(
                     @{
                         id      = 'removeOldPasswords'
@@ -213,15 +227,19 @@ function New-CIPPAPIConfig {
                             'Content-Type' = 'application/json'
                         }
                         body      = @{
-                            passwordCredential = @{
-                                displayName = 'Generated by API Setup'
-                            }
+                            passwordCredential = $NewPasswordCredential
                         }
                         dependsOn = @('removeOldPasswords')
                     }
                 )
                 $BatchResponse = New-GraphBulkRequest -tenantid $env:TenantID -NoAuthCheck $true -asapp $true -Requests $Requests
-                $APIPassword = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' } | Select-Object -ExpandProperty body
+                $AddPasswordResponse = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' }
+                if ($AddPasswordResponse.status -ge 400) {
+                    $ErrorBody = $AddPasswordResponse.body
+                    $ErrorMsg = $ErrorBody.error.message ?? ($ErrorBody | ConvertTo-Json -Compress -Depth 5)
+                    throw "Failed to add new password during secret reset: $ErrorMsg"
+                }
+                $APIPassword = $AddPasswordResponse.body
                 Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message "Reset CIPP-API Password for '$($APIApp.displayName)'." -Sev 'info'
             }
         }

Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1

@@ -400,6 +400,27 @@ function Get-CIPPTenantAlignment {
                     if ($item.ReportingDisabled) { $ReportingDisabledStandardsCount++ }
                 }
 
+                # For drift templates, include all policy deviation entries from tenantDrift table in alignment score
+                # Accepted/CustomerSpecific count as compliant, all others (New, Denied, etc.) count as non-compliant
+                $CurrentDeviationsCount = $null
+                if ($IsDriftTemplate) {
+                    $PolicyDeviationCompliant = 0
+                    $PolicyDeviationNonCompliant = 0
+                    foreach ($DriftKey in $TenantDriftStatuses.Keys) {
+                        if ($DriftKey -like 'IntuneTemplates.*' -or $DriftKey -like 'ConditionalAccessTemplates.*') {
+                            if ($TenantDriftStatuses[$DriftKey] -in @('Accepted', 'CustomerSpecific')) {
+                                $PolicyDeviationCompliant++
+                            } else {
+                                $PolicyDeviationNonCompliant++
+                            }
+                        }
+                    }
+                    $AllCount += $PolicyDeviationCompliant + $PolicyDeviationNonCompliant
+                    $CompliantStandards += $PolicyDeviationCompliant
+                    $NonCompliantStandards += $PolicyDeviationNonCompliant
+                    $CurrentDeviationsCount = $PolicyDeviationNonCompliant
+                }
+
                 $AlignmentPercentage = if (($AllCount - $ReportingDisabledStandardsCount) -gt 0) {
                     [Math]::Round(($CompliantStandards / ($AllCount - $ReportingDisabledStandardsCount)) * 100)
                 } else {
@@ -429,6 +450,7 @@ function Get-CIPPTenantAlignment {
                     LicenseMissingStandards  = $LicenseMissingStandards
                     TotalStandards           = $AllCount
                     ReportingDisabledCount   = $ReportingDisabledStandardsCount
+                    CurrentDeviationsCount   = $CurrentDeviationsCount
                     LatestDataCollection     = if ($LatestDataCollection) { $LatestDataCollection } else { $null }
                     ComparisonDetails        = $ComparisonResults
                 }

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-PublicWebhooks.ps1

@@ -7,19 +7,11 @@ function Invoke-PublicWebhooks {
     #>
     param($Request, $TriggerMetadata)
     $Headers = $Request.Headers
-
-    $WebhookTable = Get-CIPPTable -TableName webhookTable
-    $WebhookIncoming = Get-CIPPTable -TableName WebhookIncoming
-    $Webhooks = Get-CIPPAzDataTableEntity @WebhookTable
     Write-Host 'Received request'
     $url = ($Headers.'x-ms-original-url').split('/API') | Select-Object -First 1
     $CIPPURL = [string]$url
     Write-Host $url
-    if ($Webhooks.Resource -eq 'M365AuditLogs') {
-        Write-Host "Found M365AuditLogs - This is an old entry, we'll deny so Microsoft stops sending it."
-        $body = 'This webhook is not authorized, its an old entry.'
-        $StatusCode = [HttpStatusCode]::Forbidden
-    }
+
     if ($Request.Query.ValidationToken) {
         Write-Host 'Validation token received - query ValidationToken'
         $body = $Request.Query.ValidationToken
@@ -32,45 +24,54 @@ function Invoke-PublicWebhooks {
         Write-Host 'Validation token received - query validationCode'
         $body = $Request.Query.validationCode
         $StatusCode = [HttpStatusCode]::OK
-    } elseif ($Request.Query.CIPPID -in $Webhooks.RowKey) {
-        Write-Host 'Found matching CIPPID'
-        $url = ($Headers.'x-ms-original-url').split('/API') | Select-Object -First 1
-        $Webhookinfo = $Webhooks | Where-Object -Property RowKey -EQ $Request.Query.CIPPID
+    } elseif ($Request.Query.CIPPID) {
+        $WebhookTable = Get-CIPPTable -TableName webhookTable
+        $Webhookinfo = Get-CIPPAzDataTableEntity @WebhookTable -Filter "RowKey eq '$($Request.Query.CIPPID)'" -First 1
+        if (-not $Webhookinfo) {
+            Write-Host "No matching CIPPID found: $($Request.Query.CIPPID)"
+            $Body = 'This webhook is not authorized.'
+            $StatusCode = [HttpStatusCode]::Forbidden
+        } elseif ($Webhookinfo.Resource -eq 'M365AuditLogs') {
+            Write-Host "Found M365AuditLogs - This is an old entry, we'll deny so Microsoft stops sending it."
+            $Body = 'This webhook is not authorized, its an old entry.'
+            $StatusCode = [HttpStatusCode]::Forbidden
+        } else {
+            Write-Host 'Found matching CIPPID'
+            $WebhookIncoming = Get-CIPPTable -TableName WebhookIncoming
 
-        if ($Request.Query.Type -eq 'GraphSubscription') {
-            # Graph Subscriptions
-            [pscustomobject]$ReceivedItem = $Request.Body.value
-            $Entity = [PSCustomObject]@{
-                PartitionKey = 'Webhook'
-                RowKey       = [string](New-Guid).Guid
-                Type         = $Request.Query.Type
-                Data         = [string]($ReceivedItem | ConvertTo-Json -Depth 10)
-                CIPPID       = $Request.Query.CIPPID
-                WebhookInfo  = [string]($WebhookInfo | ConvertTo-Json -Depth 10)
-                FunctionName = 'PublicWebhookProcess'
-            }
-            Add-CIPPAzDataTableEntity @WebhookIncoming -Entity $Entity
-            ## Push webhook data to queue
-            #Invoke-CippGraphWebhookProcessing -Data $ReceivedItem -CIPPID $request.Query.CIPPID -WebhookInfo $Webhookinfo
+            if ($Request.Query.Type -eq 'GraphSubscription') {
+                # Graph Subscriptions
+                [pscustomobject]$ReceivedItem = $Request.Body.value
+                $Entity = [PSCustomObject]@{
+                    PartitionKey = 'Webhook'
+                    RowKey       = [string](New-Guid).Guid
+                    Type         = $Request.Query.Type
+                    Data         = [string]($ReceivedItem | ConvertTo-Json -Depth 10)
+                    CIPPID       = $Request.Query.CIPPID
+                    WebhookInfo  = [string]($WebhookInfo | ConvertTo-Json -Depth 10)
+                    FunctionName = 'PublicWebhookProcess'
+                }
+                Add-CIPPAzDataTableEntity @WebhookIncoming -Entity $Entity
 
-        } elseif ($Request.Query.Type -eq 'PartnerCenter') {
-            [pscustomobject]$ReceivedItem = $Request.Body
-            $Entity = [PSCustomObject]@{
-                PartitionKey = 'Webhook'
-                RowKey       = [string](New-Guid).Guid
-                Type         = $Request.Query.Type
-                Data         = [string]($ReceivedItem | ConvertTo-Json -Depth 10)
-                CIPPID       = $Request.Query.CIPPID
-                WebhookInfo  = [string]($WebhookInfo | ConvertTo-Json -Depth 10)
-                FunctionName = 'PublicWebhookProcess'
+            } elseif ($Request.Query.Type -eq 'PartnerCenter') {
+                [pscustomobject]$ReceivedItem = $Request.Body
+                $Entity = [PSCustomObject]@{
+                    PartitionKey = 'Webhook'
+                    RowKey       = [string](New-Guid).Guid
+                    Type         = $Request.Query.Type
+                    Data         = [string]($ReceivedItem | ConvertTo-Json -Depth 10)
+                    CIPPID       = $Request.Query.CIPPID
+                    WebhookInfo  = [string]($WebhookInfo | ConvertTo-Json -Depth 10)
+                    FunctionName = 'PublicWebhookProcess'
+                }
+                Add-CIPPAzDataTableEntity @WebhookIncoming -Entity $Entity
+            } else {
+                $Body = 'This webhook is not authorized.'
+                $StatusCode = [HttpStatusCode]::Forbidden
             }
-            Add-CIPPAzDataTableEntity @WebhookIncoming -Entity $Entity
-        } else {
-            $Body = 'This webhook is not authorized.'
-            $StatusCode = [HttpStatusCode]::Forbidden
+            $Body = 'Webhook Received'
+            $StatusCode = [HttpStatusCode]::OK
         }
-        $Body = 'Webhook Received'
-        $StatusCode = [HttpStatusCode]::OK
 
     } else {
         $Body = 'This webhook is not authorized.'

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ListTenantAlignment.ps1

@@ -92,6 +92,7 @@ function Invoke-ListTenantAlignment {
                     alignmentScore           = $_.AlignmentScore
                     LicenseMissingPercentage = $_.LicenseMissingPercentage
                     combinedAlignmentScore   = $_.CombinedScore
+                    currentDeviationsCount   = $_.CurrentDeviationsCount
                     latestDataCollection     = $_.LatestDataCollection
                 }
             }

Modules/CippExtensions/Public/NinjaOne/Invoke-NinjaOneExtensionScheduler.ps1

@@ -76,7 +76,7 @@ function Invoke-NinjaOneExtensionScheduler {
                     $_ | Add-Member -NotePropertyName lastStartTime -NotePropertyValue $Null -Force
                 }
             }
-            $CatchupTenants = $TenantsToProcess | Where-Object { (((($_.lastEndTime -eq $Null) -or ($_.lastStartTime -gt $_.lastEndTime)) -and ($_.lastStartTime -lt (Get-Date).AddMinutes(-30)))) -or ($_.lastStartTime -lt $LastRunTime) }
+            $CatchupTenants = $TenantsToProcess | Where-Object { ((($_.lastEndTime -eq $Null) -or ($_.lastStartTime -gt $_.lastEndTime)) -and ($_.lastStartTime -lt (Get-Date).AddHours(-3))) -or (($_.lastStartTime -lt $LastRunTime) -and ($Null -eq $_.lastEndTime -or $_.lastEndTime -lt $LastRunTime)) }
             $Batch = foreach ($Tenant in $CatchupTenants) {
                 [PSCustomObject]@{
                     NinjaAction  = 'SyncTenant'

version_latest.txt

@@ -1 +1 @@
-10.4.1
+10.4.2