Merge pull request #15 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1

@@ -443,38 +443,75 @@ function Push-ExecOnboardTenantQueue {
 
         if ($OnboardingSteps.Step4.Status -eq 'succeeded') {
             if ($Item.StandardsExcludeAllTenants -eq $true) {
-                $AddExclusionObj = [PSCustomObject]@{
-                    label       = '{0} ({1})' -f $Tenant.displayName, $Tenant.defaultDomainName
-                    value       = $Tenant.defaultDomainName
-                    addedFields = @{
-                        customerId        = $Tenant.customerId
-                        defaultDomainName = $Tenant.defaultDomainName
+                $GroupTable = Get-CIPPTable -tablename 'TenantGroups'
+                $MembersTable = Get-CIPPTable -tablename 'TenantGroupMembers'
+                $ExclusionGroupName = 'Excluded onboarded tenants'
+
+                # Find existing exclusion group
+                $ExclusionGroup = Get-CIPPAzDataTableEntity @GroupTable -Filter "PartitionKey eq 'TenantGroup'" | Where-Object { $_.Name -eq $ExclusionGroupName }
+                if (-not $ExclusionGroup) {
+                    $ExclusionGroupId = [guid]::NewGuid().ToString()
+                    $ExclusionGroup = @{
+                        PartitionKey = 'TenantGroup'
+                        RowKey       = $ExclusionGroupId
+                        Name         = $ExclusionGroupName
+                        Description  = 'Tenants excluded from top-level standards during onboarding'
+                        GroupType    = 'static'
                     }
+                    Add-CIPPAzDataTableEntity @GroupTable -Entity $ExclusionGroup -Force
+                    $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Created tenant group '$ExclusionGroupName'" })
+                } else {
+                    $ExclusionGroupId = $ExclusionGroup.RowKey
+                }
+
+                # Add tenant to the exclusion group if not already a member
+                $MemberRowKey = '{0}-{1}' -f $ExclusionGroupId, $Tenant.customerId
+                $ExistingMember = Get-CIPPAzDataTableEntity @MembersTable -Filter "PartitionKey eq 'Member' and RowKey eq '$MemberRowKey'"
+                if (-not $ExistingMember) {
+                    Add-CIPPAzDataTableEntity @MembersTable -Entity @{
+                        PartitionKey = 'Member'
+                        RowKey       = $MemberRowKey
+                        GroupId      = $ExclusionGroupId
+                        customerId   = $Tenant.customerId
+                    } -Force
+                }
+
+                # Ensure the group is in excludedTenants of all AllTenants templates
+                $GroupExclusionObj = [PSCustomObject]@{
+                    label = $ExclusionGroupName
+                    value = $ExclusionGroupId
+                    type  = 'Group'
                 }
-                $Table = Get-CIPPTable -tablename 'templates'
-                $ExistingTemplates = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'StandardsTemplateV2'" | Where-Object { $_.JSON -match 'AllTenants' }
+                $TemplatesTable = Get-CIPPTable -tablename 'templates'
+                $ExistingTemplates = Get-CIPPAzDataTableEntity @TemplatesTable -Filter "PartitionKey eq 'StandardsTemplateV2'" | Where-Object { $_.JSON -match 'AllTenants' }
                 foreach ($AllTenantsTemplate in $ExistingTemplates) {
                     $object = $AllTenantsTemplate.JSON | ConvertFrom-Json
-                    $NewExcludedTenants = [System.Collections.Generic.List[object]]::new()
-                    if (!$object.excludedTenants) {
+                    if (-not $object.excludedTenants) {
                         $object | Add-Member -MemberType NoteProperty -Name 'excludedTenants' -Value @() -Force
                     }
-                    foreach ($ExcludedStandardsTenant in $object.excludedTenants) {
-                        $NewExcludedTenants.Add($ExcludedStandardsTenant)
-                    }
-                    $NewExcludedTenants.Add($AddExclusionObj)
-                    $object.excludedTenants = $NewExcludedTenants
-                    $JSON = ConvertTo-Json -InputObject $object -Compress -Depth 10
-                    $Table.Force = $true
-                    Add-CIPPAzDataTableEntity @Table -Entity @{
-                        JSON         = "$JSON"
-                        RowKey       = $AllTenantsTemplate.RowKey
-                        GUID         = $AllTenantsTemplate.GUID
-                        PartitionKey = 'StandardsTemplateV2'
+                    $AlreadyHasGroup = $object.excludedTenants | Where-Object { $_.value -eq $ExclusionGroupId -and $_.type -eq 'Group' }
+                    if (-not $AlreadyHasGroup) {
+                        $NewExcludedTenants = [System.Collections.Generic.List[object]]::new()
+                        foreach ($ExcludedEntry in $object.excludedTenants) {
+                            $NewExcludedTenants.Add($ExcludedEntry)
+                        }
+                        $NewExcludedTenants.Add($GroupExclusionObj)
+                        $object.excludedTenants = $NewExcludedTenants
+                        $JSON = ConvertTo-Json -InputObject $object -Compress -Depth 10
+                        $TemplatesTable.Force = $true
+                        Add-CIPPAzDataTableEntity @TemplatesTable -Entity @{
+                            JSON         = "$JSON"
+                            RowKey       = $AllTenantsTemplate.RowKey
+                            GUID         = $AllTenantsTemplate.GUID
+                            PartitionKey = 'StandardsTemplateV2'
+                        }
                     }
                 }
 
-                $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Set All Tenant Standards Exclusion' })
+                # Bust the tenant groups cache so standards pick up the new member
+                $null = Get-TenantGroups -SkipCache
+
+                $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Set All Tenant Standards Exclusion via group' })
             }
             $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Testing API access for $($Tenant.defaultDomainName)" })
             $OnboardingSteps.Step5.Status = 'running'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Autopilot/Invoke-AddAPDevice.ps1

@@ -51,9 +51,36 @@ function Invoke-AddAPDevice {
         if ($NewStatus.status -ne 'finished') { throw 'Could not retrieve status of import - This job might still be running. Check the autopilot device list in 10 minutes for the latest status.' }
         Write-LogMessage -headers $Request.Headers -API $APIName -tenant $($Request.body.TenantFilter.value) -message "Created Autopilot devices group. Group ID is $GroupName" -Sev 'Info'
 
+        # Apply group tags from CSV if any devices have them
+        $DevicesWithGroupTags = @($rawDevices | Where-Object { $_.groupTag -and $_.groupTag.Trim() -ne '' })
+        $GroupTagResults = [System.Collections.Generic.List[string]]::new()
+        if ($DevicesWithGroupTags.Count -gt 0) {
+            $TenantFilter = $Request.Body.TenantFilter.value
+            try {
+                $AutopilotDevices = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities?$top=999' -tenantid $TenantFilter
+                foreach ($Device in $DevicesWithGroupTags) {
+                    try {
+                        $APDevice = $AutopilotDevices | Where-Object { $_.serialNumber -eq $Device.SerialNumber } | Select-Object -First 1
+                        if ($APDevice) {
+                            $body = @{ groupTag = $Device.groupTag } | ConvertTo-Json
+                            New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($APDevice.id)/UpdateDeviceProperties" -tenantid $TenantFilter -body $body -method POST | Out-Null
+                            $GroupTagResults.Add("Set group tag '$($Device.groupTag)' for device '$($Device.SerialNumber)'")
+                        } else {
+                            $GroupTagResults.Add("Could not find Autopilot device for serial '$($Device.SerialNumber)' to set group tag - device may still be syncing")
+                        }
+                    } catch {
+                        $GroupTagResults.Add("Failed to set group tag for device '$($Device.SerialNumber)': $($_.Exception.Message)")
+                    }
+                }
+            } catch {
+                $GroupTagResults.Add("Failed to retrieve Autopilot devices for group tag assignment: $($_.Exception.Message)")
+            }
+        }
+
         [PSCustomObject]@{
-            Status  = 'Import Job Completed'
-            Devices = @($NewStatus.devicesStatus)
+            Status         = 'Import Job Completed'
+            Devices        = @($NewStatus.devicesStatus)
+            GroupTagStatus = $GroupTagResults
         }
         $StatusCode = [HttpStatusCode]::OK
     } catch {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ExecUpdateDriftDeviation.ps1

@@ -9,7 +9,7 @@ function Invoke-ExecUpdateDriftDeviation {
     param($Request, $TriggerMetadata)
 
     $APIName = $TriggerMetadata.FunctionName
-    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    Write-LogMessage -Headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 
     try {
         $TenantFilter = $Request.Body.TenantFilter
@@ -25,7 +25,7 @@ function Invoke-ExecUpdateDriftDeviation {
                     success = $true
                     result  = "All drift customizations removed for tenant $TenantFilter"
                 })
-            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Removed all drift customizations for tenant $TenantFilter" -Sev 'Info'
+            Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Removed all drift customizations for tenant $TenantFilter" -Sev 'Info'
         } else {
             $Deviations = $Request.Body.deviations
             $Reason = $Request.Body.reason
@@ -39,7 +39,7 @@ function Invoke-ExecUpdateDriftDeviation {
                         success = $true
                         result  = $Result
                     }
-                    Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Updated drift deviation status for $($Deviation.standardName) to $($Deviation.status) with reason: $Reason" -Sev 'Info'
+                    Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Updated drift deviation status for $($Deviation.standardName) to $($Deviation.status) with reason: $Reason" -Sev 'Info'
                     if ($Deviation.status -eq 'DeniedRemediate') {
                         $Setting = $Deviation.standardName -replace 'standards\.', ''
                         $StandardTemplate = Get-CIPPTenantAlignment -TenantFilter $TenantFilter | Where-Object -Property standardType -EQ 'drift'
@@ -62,7 +62,7 @@ function Invoke-ExecUpdateDriftDeviation {
                                 }
                             }
                             if (-not $MatchedTemplate) {
-                                Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not find IntuneTemplate $TemplateId in drift standard settings for remediation" -Sev 'Warn'
+                                Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Could not find IntuneTemplate $TemplateId in drift standard settings for remediation" -Sev 'Warn'
                             } else {
                                 $MatchedTemplate | Add-Member -MemberType NoteProperty -Name 'remediate' -Value $true -Force
                                 $MatchedTemplate | Add-Member -MemberType NoteProperty -Name 'report' -Value $true -Force
@@ -132,7 +132,7 @@ function Invoke-ExecUpdateDriftDeviation {
                                 }
                             }
                             Add-CIPPScheduledTask -Task $PersistentTaskBody -hidden $false
-                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Scheduled persistent drift remediation task (12h recurrence) for $Setting" -Sev 'Info'
+                            Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Scheduled persistent drift remediation task (12h recurrence) for $Setting" -Sev 'Info'
                         }
                     }
                     if ($Deviation.status -eq 'deniedDelete') {
@@ -148,10 +148,10 @@ function Invoke-ExecUpdateDriftDeviation {
                             Write-Host "Going to delete Policy with ID $($Policy.ID) Deviation Name is $($Deviation.standardName)"
                             $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/$($URLName)/$($ID)" -type DELETE -tenant $TenantFilter
                             "Deleted Policy $($ID)"
-                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Deleted Policy with ID $($ID)" -Sev 'Info'
+                            Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Deleted Policy with ID $($ID)" -Sev 'Info'
                         } else {
                             "could not find policy with ID $($ID)"
-                            Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not find Policy with ID $($ID) to delete for remediation" -sev 'Warn'
+                            Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Could not find Policy with ID $($ID) to delete for remediation" -sev 'Warn'
                         }
 
 
@@ -162,7 +162,7 @@ function Invoke-ExecUpdateDriftDeviation {
                         success      = $false
                         error        = $_.Exception.Message
                     }
-                    Write-LogMessage -tenant $TenantFilter -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to update drift deviation for $($Deviation.standardName): $($_.Exception.Message)" -Sev 'Error'
+                    Write-LogMessage -tenant $TenantFilter -Headers $Request.Headers -API $APINAME -message "Failed to update drift deviation for $($Deviation.standardName): $($_.Exception.Message)" -Sev 'Error'
                 }
             }
         }
@@ -175,7 +175,7 @@ function Invoke-ExecUpdateDriftDeviation {
             })
 
     } catch {
-        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to update drift deviation: $($_.Exception.Message)" -Sev 'Error'
+        Write-LogMessage -Headers $Request.Headers -API $APINAME -message "Failed to update drift deviation: $($_.Exception.Message)" -Sev 'Error'
         return ([HttpResponseContext]@{
                 StatusCode = [HttpStatusCode]::BadRequest
                 Body       = @{error = $_.Exception.Message }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutopilotStatusPage.ps1

@@ -93,22 +93,29 @@ function Invoke-CIPPStandardAutopilotStatusPage {
 
     # Remediate if the state is not correct
     if ($Settings.remediate -eq $true) {
-        try {
-            $Parameters = @{
-                TenantFilter          = $Tenant
-                ShowProgress          = $Settings.ShowProgress
-                BlockDevice           = $Settings.BlockDevice
-                InstallWindowsUpdates = $InstallWindowsUpdates
-                AllowReset            = $Settings.AllowReset
-                EnableLog             = $Settings.EnableLog
-                ErrorMessage          = $Settings.ErrorMessage
-                TimeOutInMinutes      = $Settings.TimeOutInMinutes
-                AllowFail             = $Settings.AllowFail
-                OBEEOnly              = $Settings.OBEEOnly
-            }
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Autopilot Enrollment Status Page is already configured correctly.' -sev Info
+        } else {
+            try {
+                $Parameters = @{
+                    TenantFilter          = $Tenant
+                    ShowProgress          = $Settings.ShowProgress
+                    BlockDevice           = $Settings.BlockDevice
+                    InstallWindowsUpdates = $InstallWindowsUpdates
+                    AllowReset            = $Settings.AllowReset
+                    EnableLog             = $Settings.EnableLog
+                    ErrorMessage          = $Settings.ErrorMessage
+                    TimeOutInMinutes      = $Settings.TimeOutInMinutes
+                    AllowFail             = $Settings.AllowFail
+                    OBEEOnly              = $Settings.OBEEOnly
+                }
 
-            Set-CIPPDefaultAPEnrollment @Parameters
-        } catch {
+                Set-CIPPDefaultAPEnrollment @Parameters
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Autopilot Enrollment Status Page settings have been updated.' -sev Info
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Autopilot Enrollment Status Page: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+            }
         }
     }
 

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1

@@ -121,7 +121,7 @@ function Invoke-CIPPStandardDisableGuests {
                 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to process bulk disable guests request: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
             }
         } else {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message "No guests accounts with a login longer than $checkDays days ago." -sev Info
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "No guests accounts with a login longer than $checkDays days ago - all guest accounts are already compliant." -sev Info
         }
     }
     if ($Settings.alert -eq $true) {