fix: audit log lookups and timer calculations

JohnDuprey · JohnDuprey · commit 13adf2e09e67 · 2026-04-06T15:19:37.000-04:00
Improve Get-CIPPTimerFunctions: add a warning when Cronos.dll fails to load, use a separate DueOccurrence variable for determining due runs, compute a safe NextOccurrenceUtc via the next future occurrence (DateTimeOffset) and use UtcDateTime in comparisons to avoid incorrect timezone conversions.

Improve Test-CIPPAuditLogRules: prefer cached directory data from CippReportingDB (New-CIPPDbRequest) and fall back to a Graph bulk request only when the DB is empty/unavailable; avoid repeated Graph calls by caching partner users in the cacheauditloglookups table (PartitionKey '_partner', RowKey 'users') and add informational logging for these code paths.
diff --git a/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 b/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1
@@ -50,7 +50,9 @@ function Get-CIPPTimerFunctions {
         try {
             $Cronos = Join-Path -Path $CIPPCoreModuleRoot -ChildPath 'lib\Cronos.dll'
             Add-Type -Path $Cronos
-        } catch {}
+        } catch {
+            Write-Warning "Failed to load Cronos.dll from '$Cronos': $_"
+        }
     }
 
     $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
@@ -111,26 +113,27 @@ function Get-CIPPTimerFunctions {
 
             $Now = [DateTime]::UtcNow
             if ($ListAllTasks.IsPresent) {
-                $NextOccurrence = $Cron.GetNextOccurrence($Now, $ScheduleTimeZone)
+                $DueOccurrence = $Cron.GetNextOccurrence($Now, $ScheduleTimeZone)
             } else {
                 $NextOccurrences = $Cron.GetOccurrences($Now.AddMinutes(-15), $Now.AddMinutes(15), $ScheduleTimeZone)
                 if (!$Status -or $Status.LastOccurrence -eq 'Never') {
-                    $NextOccurrence = $NextOccurrences | Where-Object { $_ -le [DateTime]::UtcNow } | Select-Object -First 1
+                    $DueOccurrence = $NextOccurrences | Where-Object { $_ -le [DateTime]::UtcNow } | Select-Object -First 1
                 } else {
-                    $NextOccurrence = $NextOccurrences | Where-Object { $_ -gt $Status.LastOccurrence.DateTime.ToUniversalTime() -and $_ -le [DateTime]::UtcNow } | Select-Object -First 1
+                    $DueOccurrence = $NextOccurrences | Where-Object { $_ -gt $Status.LastOccurrence.UtcDateTime -and $_ -le [DateTime]::UtcNow } | Select-Object -First 1
                 }
             }
 
-
-            if ($NextOccurrence -or $ListAllTasks.IsPresent) {
+            if ($DueOccurrence -or $ListAllTasks.IsPresent) {
+                $NextFutureOccurrence = $Cron.GetNextOccurrence([DateTime]::UtcNow, $ScheduleTimeZone)
+                $NextOccurrenceUtc = if ($NextFutureOccurrence) { [DateTimeOffset]::new($NextFutureOccurrence.ToUniversalTime()) } else { $null }
                 if (!$Status) {
                     $Status = [pscustomobject]@{
                         PartitionKey       = 'Timer'
                         RowKey             = $Orchestrator.Id
                         Command            = $Orchestrator.Command
                         Cron               = $CronString
                         LastOccurrence     = 'Never'
-                        NextOccurrence     = $NextOccurrence.ToUniversalTime()
+                        NextOccurrence     = $NextOccurrenceUtc
                         Status             = 'Not Scheduled'
                         OrchestratorId     = ''
                         RunOnProcessor     = $RunOnProcessor
@@ -143,7 +146,7 @@ function Get-CIPPTimerFunctions {
                     if ($Orchestrator.IsSystem -eq $true -or $ResetToDefault.IsPresent) {
                         $Status.Cron = $Orchestrator.Cron
                     }
-                    $Status.NextOccurrence = $NextOccurrence.ToUniversalTime()
+                    $Status.NextOccurrence = $NextOccurrenceUtc
                     $PreferredProcessor = $Orchestrator.PreferredProcessor ?? ''
                     if ($Status.PSObject.Properties.Name -notcontains 'PreferredProcessor') {
                         $Status | Add-Member -MemberType NoteProperty -Name 'PreferredProcessor' -Value $PreferredProcessor -Force
@@ -159,7 +162,7 @@ function Get-CIPPTimerFunctions {
                     Command            = $Orchestrator.Command
                     Parameters         = $Orchestrator.Parameters ?? @{}
                     Cron               = $CronString
-                    NextOccurrence     = $NextOccurrence.ToUniversalTime()
+                    NextOccurrence     = $NextOccurrenceUtc
                     LastOccurrence     = $Status.LastOccurrence
                     Status             = $Status.Status
                     OrchestratorId     = $Status.OrchestratorId
diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
@@ -187,34 +187,59 @@ function Test-CIPPAuditLogRules {
         }
 
         if (!$Lookups -or $NeedsRefresh) {
-            # Collect bulk data for users/groups/devices/applications
-            $Requests = @(
-                @{
-                    id     = 'users'
-                    url    = '/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=999'
-                    method = 'GET'
-                }
-                @{
-                    id     = 'groups'
-                    url    = '/groups?$select=id,displayName,mailEnabled,securityEnabled&$top=999'
-                    method = 'GET'
-                }
-                @{
-                    id     = 'devices'
-                    url    = '/devices?$select=id,displayName,deviceId&$top=999'
-                    method = 'GET'
-                }
-                @{
-                    id     = 'servicePrincipals'
-                    url    = '/servicePrincipals?$select=id,displayName&$top=999'
-                    method = 'GET'
+            # Try CippReportingDB first (pre-populated by timer, same pattern as Add-CIPPApplicationPermission)
+            Write-Information "Checking CippReportingDB for directory data for tenant $TenantFilter"
+            try {
+                $Users = @(New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'Users')
+                $ServicePrincipals = @(New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'ServicePrincipals')
+            } catch {
+                Write-Information "CippReportingDB query failed for ${TenantFilter}: $($_.Exception.Message)"
+                $Users = @()
+                $ServicePrincipals = @()
+            }
+
+            if (!$Users -or !$ServicePrincipals) {
+                # DB cache is empty or unavailable, fall back to Graph bulk request
+                Write-Information "CippReportingDB has no data for $TenantFilter, falling back to Graph bulk request"
+                $Requests = @(
+                    @{
+                        id     = 'users'
+                        url    = '/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=999'
+                        method = 'GET'
+                    }
+                    @{
+                        id     = 'groups'
+                        url    = '/groups?$select=id,displayName,mailEnabled,securityEnabled&$top=999'
+                        method = 'GET'
+                    }
+                    @{
+                        id     = 'devices'
+                        url    = '/devices?$select=id,displayName,deviceId&$top=999'
+                        method = 'GET'
+                    }
+                    @{
+                        id     = 'servicePrincipals'
+                        url    = '/servicePrincipals?$select=id,displayName&$top=999'
+                        method = 'GET'
+                    }
+                )
+                $Response = New-GraphBulkRequest -TenantId $TenantFilter -Requests $Requests
+                $Users = ($Response | Where-Object { $_.id -eq 'users' }).body.value ?? @()
+                $Groups = ($Response | Where-Object { $_.id -eq 'groups' }).body.value ?? @()
+                $Devices = ($Response | Where-Object { $_.id -eq 'devices' }).body.value ?? @()
+                $ServicePrincipals = ($Response | Where-Object { $_.id -eq 'servicePrincipals' }).body.value ?? @()
+                $Response = $null
+            } else {
+                try {
+                    $Groups = @(New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'Groups')
+                    $Devices = @(New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'Devices')
+                } catch {
+                    Write-Information "CippReportingDB Groups/Devices query failed for ${TenantFilter}: $($_.Exception.Message)"
+                    $Groups = @()
+                    $Devices = @()
                 }
-            )
-            $Response = New-GraphBulkRequest -TenantId $TenantFilter -Requests $Requests
-            $Users = ($Response | Where-Object { $_.id -eq 'users' }).body.value ?? @()
-            $Groups = ($Response | Where-Object { $_.id -eq 'groups' }).body.value ?? @()
-            $Devices = ($Response | Where-Object { $_.id -eq 'devices' }).body.value ?? @()
-            $ServicePrincipals = ($Response | Where-Object { $_.id -eq 'servicePrincipals' }).body.value ?? @()
+                Write-Information "Loaded from CippReportingDB: $($Users.Count) users, $($Groups.Count) groups, $($Devices.Count) devices, $($ServicePrincipals.Count) service principals"
+            }
 
             # Build hashtables for O(1) GUID lookups
             Write-Information "Building hashtable lookups for tenant $TenantFilter"
@@ -342,17 +367,28 @@ function Test-CIPPAuditLogRules {
             }
         }
 
-        # partner users
-        $PartnerUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,displayName,userPrincipalName,accountEnabled&`$top=999" -AsApp $true -NoAuthCheck $true
-
-        # Build partner user hashtable
-        $PartnerUserLookup = @{}
-        foreach ($PartnerUser in $PartnerUsers) {
-            if (![string]::IsNullOrEmpty($PartnerUser.id)) {
-                $PartnerUserLookup[$PartnerUser.id] = $PartnerUser
+        # Partner users - cache in cacheauditloglookups (PartitionKey '_partner') to avoid a fresh Graph fetch every invocation
+        $PartnerUsersCache = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq '_partner' and RowKey eq 'users' and Timestamp gt datetime'$1dayago'"
+        if ($PartnerUsersCache -and $PartnerUsersCache.Format -eq 'hashtable') {
+            Write-Information 'Loading partner user hashtable from cache'
+            $PartnerUserLookup = ($PartnerUsersCache.Data | ConvertFrom-Json -ErrorAction SilentlyContinue -AsHashtable) ?? @{}
+        } else {
+            $PartnerUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,displayName,userPrincipalName,accountEnabled&`$top=999" -AsApp $true -NoAuthCheck $true
+            $PartnerUserLookup = @{}
+            foreach ($PartnerUser in $PartnerUsers) {
+                if (![string]::IsNullOrEmpty($PartnerUser.id)) {
+                    $PartnerUserLookup[$PartnerUser.id] = $PartnerUser
+                }
             }
+            Add-CIPPAzDataTableEntity @Table -Entity @{
+                PartitionKey = '_partner'
+                RowKey       = 'users'
+                Data         = [string]($PartnerUserLookup | ConvertTo-Json -Compress)
+                Format       = 'hashtable'
+            } -Force
+            $PartnerUsers = $null
         }
-        Write-Information "Built partner user hashtable: $($PartnerUserLookup.Count) partner users"
+        Write-Information "Partner user hashtable: $($PartnerUserLookup.Count) partner users"
 
         Write-Warning '## Audit Log Configuration ##'
         Write-Information ($Configuration | ConvertTo-Json -Depth 10)
