')
$IntroText = "$($data.UserId) has added $($data.ObjectId) to the $(($data.'Role.DisplayName')) role. The information about the role can be found in the table below.
$Table"
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
@@ -147,7 +148,7 @@ function New-CIPPAlertTemplate {
}
'Disable account.' {
- $Title = "$($TenantFilter) - $($data.ObjectId) has been disabled"
+ $Title = "$($Tenant) - $($data.ObjectId) has been disabled"
$IntroText = "$($data.ObjectId) has been disabled by $($data.UserId)."
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
if ($LocationInfo) {
@@ -159,7 +160,7 @@ function New-CIPPAlertTemplate {
$AfterButtonText = 'If this is incorrect, use the user management screen to unblock the users sign-in
'
}
'Enable account.' {
- $Title = "$($TenantFilter) - $($data.ObjectId) has been enabled"
+ $Title = "$($Tenant) - $($data.ObjectId) has been enabled"
$IntroText = "$($data.ObjectId) has been enabled by $($data.UserId)."
$ButtonUrl = "$CIPPURL/identity/administration/users?customerId=$($data.OrganizationId)"
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
@@ -171,7 +172,7 @@ function New-CIPPAlertTemplate {
$AfterButtonText = 'If this is incorrect, use the user management screen to unblock the users sign-in
'
}
'Update StsRefreshTokenValidFrom Timestamp.' {
- $Title = "$($TenantFilter) - $($data.ObjectId) has had all sessions revoked"
+ $Title = "$($Tenant) - $($data.ObjectId) has had all sessions revoked"
$IntroText = "$($data.ObjectId) has had their sessions revoked by $($data.UserId)."
$ButtonUrl = "$CIPPURL/identity/administration/users?customerId=$($data.OrganizationId)"
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
@@ -183,7 +184,7 @@ function New-CIPPAlertTemplate {
$AfterButtonText = 'If this is incorrect, use the user management screen to unblock the users sign-in
'
}
'Disable Strong Authentication.' {
- $Title = "$($TenantFilter) - $($data.ObjectId) has been MFA disabled"
+ $Title = "$($Tenant) - $($data.ObjectId) has been MFA disabled"
$IntroText = "$($data.ObjectId) MFA has been disabled by $($data.UserId)."
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
if ($LocationInfo) {
@@ -195,7 +196,7 @@ function New-CIPPAlertTemplate {
$AfterButtonText = 'If this is incorrect, use the user management screen to reenable MFA
'
}
'Remove Member from a role.' {
- $Title = "$($TenantFilter) - Role change detected for $($data.ObjectId)"
+ $Title = "$($Tenant) - Role change detected for $($data.ObjectId)"
$Table = ($data.CIPPModifiedProperties | ConvertFrom-Json | ConvertTo-Html -Fragment | Out-String).Replace('', ' ')
$IntroText = "$($data.UserId) has removed $($data.ObjectId) to the $(($data.ModifiedProperties | Where-Object -Property Name -EQ 'Role.DisplayName').NewValue) role. The information about the role can be found in the table below.
$Table"
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
@@ -210,7 +211,7 @@ function New-CIPPAlertTemplate {
}
'Reset user password.' {
- $Title = "$($TenantFilter) - $($data.ObjectId) has had their password reset"
+ $Title = "$($Tenant) - $($data.ObjectId) has had their password reset"
$IntroText = "$($data.ObjectId) has had their password reset by $($data.userId)."
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
if ($LocationInfo) {
@@ -224,7 +225,7 @@ function New-CIPPAlertTemplate {
}
'Add service principal.' {
if ($Appname) { $AppName = $AppName.'Application Name' } else { $appName = $data.ApplicationId }
- $Title = "$($TenantFilter) - Service Principal $($data.ObjectId) has been added."
+ $Title = "$($Tenant) - Service Principal $($data.ObjectId) has been added."
$Table = ($data.ModifiedProperties | ConvertTo-Html -Fragment | Out-String).Replace('', ' ')
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
if ($LocationInfo) {
@@ -237,7 +238,7 @@ function New-CIPPAlertTemplate {
}
'Remove service principal.' {
if ($Appname) { $AppName = $AppName.'Application Name' } else { $appName = $data.ApplicationId }
- $Title = "$($TenantFilter) - Service Principal $($data.ObjectId) has been removed."
+ $Title = "$($Tenant) - Service Principal $($data.ObjectId) has been removed."
$Table = ($data.CIPPModifiedProperties | ConvertFrom-Json | ConvertTo-Html -Fragment | Out-String).Replace('', ' ')
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
if ($LocationInfo) {
@@ -251,7 +252,7 @@ function New-CIPPAlertTemplate {
'UserLoggedIn' {
$Table = ($data | ConvertTo-Html -Fragment -As List | Out-String).Replace('', ' ')
if ($Appname) { $AppName = $AppName.'Application Name' } else { $appName = $data.ApplicationId }
- $Title = "$($TenantFilter) - a user has logged on from a location you've set up to receive alerts for."
+ $Title = "$($Tenant) - a user has logged on from a location you've set up to receive alerts for."
$IntroText = "$($data.UserId) ($($data.Userkey)) has logged on from IP $($data.ClientIP) to the application $($Appname). According to our database this is located in $($LocationInfo.Country) - $($LocationInfo.City).
You have set up alerts to be notified when this happens. See the table below for more info.$Table"
if ($ActionResults) { $IntroText = $IntroText + "Based on the rule, the following actions have been taken: $($ActionResults -join '
' )
" }
if ($LocationInfo) {
@@ -277,6 +278,10 @@ function New-CIPPAlertTemplate {
}
}
+ if (![string]::IsNullOrWhiteSpace($CustomSubject)) {
+ $Title = '{0} - {1}' -f $Tenant, $CustomSubject
+ }
+
if ($Format -eq 'html') {
return [pscustomobject]@{
title = $Title
diff --git a/Modules/CIPPCore/Public/Remove-CIPPUserMFA.ps1 b/Modules/CIPPCore/Public/Remove-CIPPUserMFA.ps1
index 722d0b73a616..bb0c2b64f93f 100644
--- a/Modules/CIPPCore/Public/Remove-CIPPUserMFA.ps1
+++ b/Modules/CIPPCore/Public/Remove-CIPPUserMFA.ps1
@@ -4,7 +4,7 @@ function Remove-CIPPUserMFA {
Remove MFA methods for a user
.DESCRIPTION
- Remove MFA methods for a user using bulk requests to the Microsoft Graph API
+ Remove MFA methods for a user using individual requests to the Microsoft Graph API
.PARAMETER UserPrincipalName
UserPrincipalName of the user to remove MFA methods for
@@ -17,7 +17,7 @@ function Remove-CIPPUserMFA {
#>
[CmdletBinding(SupportsShouldProcess = $true)]
- Param(
+ param(
[Parameter(Mandatory = $true)]
[string]$UserPrincipalName,
[Parameter(Mandatory = $true)]
@@ -38,42 +38,49 @@ function Remove-CIPPUserMFA {
throw $Message
}
- $Requests = [System.Collections.Generic.List[object]]::new()
- foreach ($Method in $AuthMethods) {
- if ($Method.'@odata.type' -and $Method.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod') {
- $MethodType = ($Method.'@odata.type' -split '\.')[-1] -replace 'Authentication', ''
- $Requests.Add(@{
- id = "$MethodType-$($Method.id)"
- method = 'DELETE'
- url = ('users/{0}/authentication/{1}s/{2}' -f $UserPrincipalName, $MethodType, $Method.id)
- })
- }
- }
+ $RemovableMethods = $AuthMethods | Where-Object { $_.'@odata.type' -and $_.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod' }
- if (($Requests | Measure-Object).Count -eq 0) {
+ if (($RemovableMethods | Measure-Object).Count -eq 0) {
$Results = "No MFA methods found for user $UserPrincipalName"
Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -sev 'Info'
return $Results
- } else {
- if ($PSCmdlet.ShouldProcess("Remove MFA methods for $UserPrincipalName")) {
- try {
- $Results = New-GraphBulkRequest -Requests $Requests -tenantid $TenantFilter -asapp $true -ErrorAction Stop
- if ($Results.status -eq 204) {
- $Message = "Successfully removed MFA methods for user $UserPrincipalName. User must supply MFA at next logon"
- Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -sev 'Info'
- return $Message
- } else {
- $FailedAuthMethods = (($Results | Where-Object { $_.status -ne 204 }).id -split '-')[0] -join ', '
- $Message = "Failed to remove MFA methods for $FailedAuthMethods on user $UserPrincipalName"
- Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -sev 'Error'
- throw $Message
+ }
+
+ if ($PSCmdlet.ShouldProcess("Remove MFA methods for $UserPrincipalName")) {
+ $Failed = [System.Collections.Generic.List[string]]::new()
+ $Succeeded = [System.Collections.Generic.List[string]]::new()
+ foreach ($Method in $RemovableMethods) {
+ $MethodType = ($Method.'@odata.type' -split '\.')[-1] -replace 'Authentication', ''
+ switch ($MethodType) {
+ 'qrCodePinMethod' {
+ $Uri = 'https://graph.microsoft.com/beta/users/{0}/authentication/{1}' -f $UserPrincipalName, $MethodType
+ break
}
+ default {
+ $Uri = 'https://graph.microsoft.com/v1.0/users/{0}/authentication/{1}s/{2}' -f $UserPrincipalName, $MethodType, $Method.id
+ }
+ }
+ try {
+ $null = New-GraphPOSTRequest -uri $Uri -tenantid $TenantFilter -type DELETE -AsApp $true
+ $Succeeded.Add($MethodType)
} catch {
$ErrorMessage = Get-CippException -Exception $_
- $Message = "Failed to remove MFA methods for user $UserPrincipalName. Error: $($ErrorMessage.NormalizedError)"
- Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -sev 'Error' -LogData $ErrorMessage
- throw $Message
+ Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message "Failed to remove $MethodType for $UserPrincipalName. Error: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
+ $Failed.Add($MethodType)
}
}
+
+ if ($Failed.Count -gt 0) {
+ $Message = if ($Succeeded.Count -gt 0) {
+ "Successfully removed MFA methods ($($Succeeded -join ', ')) for user $UserPrincipalName. However, failed to remove ($($Failed -join ', ')). User may still have MFA methods assigned."
+ } else {
+ "Failed to remove MFA methods ($($Failed -join ', ')) for user $UserPrincipalName"
+ }
+ throw $Message
+ }
+
+ $Message = "Successfully removed MFA methods ($($Succeeded -join ', ')) for user $UserPrincipalName. User must supply MFA at next logon"
+ Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -sev 'Info'
+ return $Message
}
}
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheMDEOnboarding.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheMDEOnboarding.ps1
new file mode 100644
index 000000000000..867563c0871e
--- /dev/null
+++ b/Modules/CIPPCore/Public/Set-CIPPDBCacheMDEOnboarding.ps1
@@ -0,0 +1,45 @@
+function Set-CIPPDBCacheMDEOnboarding {
+ <#
+ .SYNOPSIS
+ Caches MDE onboarding status for a tenant
+ .PARAMETER TenantFilter
+ The tenant to cache MDE onboarding status for
+ .PARAMETER QueueId
+ The queue ID to update with total tasks (optional)
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [String]$TenantFilter,
+ [String]$QueueId
+ )
+
+ try {
+ Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching MDE onboarding status' -sev Debug
+
+ $ConnectorId = 'fc780465-2017-40d4-a0c5-307022471b92'
+ $ConnectorUri = "https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/$ConnectorId"
+ try {
+ $ConnectorState = New-GraphGetRequest -uri $ConnectorUri -tenantid $TenantFilter
+ $PartnerState = $ConnectorState.partnerState
+ } catch {
+ $PartnerState = 'unavailable'
+ }
+
+ $Result = @(
+ [PSCustomObject]@{
+ Tenant = $TenantFilter
+ partnerState = $PartnerState
+ RowKey = 'MDEOnboarding'
+ PartitionKey = $TenantFilter
+ }
+ )
+
+ Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'MDEOnboarding' -Data @($Result)
+ Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'MDEOnboarding' -Data @($Result) -Count
+
+ Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached MDE onboarding status successfully' -sev Debug
+ } catch {
+ Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache MDE onboarding status: $($_.Exception.Message)" -sev Error -LogData (Get-CippException -Exception $_)
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeployCheckChromeExtension.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeployCheckChromeExtension.ps1
index 921fe6d5db0f..3e2c62816a4e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeployCheckChromeExtension.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeployCheckChromeExtension.ps1
@@ -169,11 +169,71 @@ function Invoke-CIPPStandardDeployCheckChromeExtension {
)
} | ConvertTo-Json -Depth 20
+ # Compares OMA-URI settings between expected and existing policy.
+ # The 'value' field of omaSettingString is itself a JSON string, so we parse it
+ # before calling Compare-CIPPIntuneObject to avoid false positives from whitespace
+ # or key-ordering differences introduced by Intune's API response serialization.
+ function Compare-OMAURISettings {
+ param(
+ [Parameter(Mandatory = $true)]$ExpectedSettings,
+ [Parameter(Mandatory = $true)]$ExistingConfig
+ )
+ $diffs = [System.Collections.Generic.List[PSCustomObject]]::new()
+ if ($null -eq $ExistingConfig -or $null -eq $ExistingConfig.omaSettings) { return $diffs }
+
+ foreach ($expectedSetting in $ExpectedSettings) {
+ $existingSetting = $ExistingConfig.omaSettings | Where-Object { $_.omaUri -eq $expectedSetting.omaUri }
+ if (-not $existingSetting) {
+ $diffs.Add([PSCustomObject]@{ Property = $expectedSetting.omaUri; ExpectedValue = 'present'; ReceivedValue = 'missing' })
+ continue
+ }
+ try {
+ $expectedValue = $expectedSetting.value | ConvertFrom-Json -Depth 20
+ $existingValue = $existingSetting.value | ConvertFrom-Json -Depth 20
+ $valueDiffs = Compare-CIPPIntuneObject -ReferenceObject $expectedValue -DifferenceObject $existingValue -CompareType 'Device'
+ foreach ($diff in $valueDiffs) {
+ $diffs.Add([PSCustomObject]@{ Property = "$($expectedSetting.omaUri).$($diff.Property)"; ExpectedValue = $diff.ExpectedValue; ReceivedValue = $diff.ReceivedValue })
+ }
+ } catch {
+ # Fall back to string comparison if either value is not valid JSON
+ if ($expectedSetting.value -ne $existingSetting.value) {
+ $diffs.Add([PSCustomObject]@{ Property = $expectedSetting.omaUri; ExpectedValue = '[expected value]'; ReceivedValue = '[current value differs]' })
+ }
+ }
+ }
+ return $diffs
+ }
+
try {
- # Check if the policies already exist
- $ExistingPolicies = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -tenantid $Tenant
- $ChromePolicyExists = $ExistingPolicies.value | Where-Object { $_.displayName -eq $ChromePolicyName }
- $EdgePolicyExists = $ExistingPolicies.value | Where-Object { $_.displayName -eq $EdgePolicyName }
+ # Fetch existing policies with full configuration details for OMA-URI drift detection
+ $ExistingChromePolicy = Get-CIPPIntunePolicy -TemplateType 'Device' -DisplayName $ChromePolicyName -tenantFilter $Tenant
+ $ExistingEdgePolicy = Get-CIPPIntunePolicy -TemplateType 'Device' -DisplayName $EdgePolicyName -tenantFilter $Tenant
+
+ $ChromePolicyExists = $null -ne $ExistingChromePolicy
+ $EdgePolicyExists = $null -ne $ExistingEdgePolicy
+
+ # Build expected OMA-URI settings from the generated policy JSON for comparison
+ $ExpectedChromeSettings = ($ChromePolicyJSON | ConvertFrom-Json).omaSettings
+ $ExpectedEdgeSettings = ($EdgePolicyJSON | ConvertFrom-Json).omaSettings
+
+ # Detect configuration drift in existing policies
+ $ChromeDifferences = [System.Collections.Generic.List[PSCustomObject]]::new()
+ $EdgeDifferences = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+ if ($ExistingChromePolicy) {
+ # omaSettingString values are encrypted by Intune; decrypt before comparing
+ $DecryptedChromePolicy = Get-CIPPOmaSettingDecryptedValue -DeviceConfiguration ($ExistingChromePolicy.cippconfiguration | ConvertFrom-Json) -DeviceConfigurationId $ExistingChromePolicy.id -TenantFilter $Tenant
+ $ChromeDifferences = Compare-OMAURISettings -ExpectedSettings $ExpectedChromeSettings -ExistingConfig $DecryptedChromePolicy
+ }
+
+ if ($ExistingEdgePolicy) {
+ # omaSettingString values are encrypted by Intune; decrypt before comparing
+ $DecryptedEdgePolicy = Get-CIPPOmaSettingDecryptedValue -DeviceConfiguration ($ExistingEdgePolicy.cippconfiguration | ConvertFrom-Json) -DeviceConfigurationId $ExistingEdgePolicy.id -TenantFilter $Tenant
+ $EdgeDifferences = Compare-OMAURISettings -ExpectedSettings $ExpectedEdgeSettings -ExistingConfig $DecryptedEdgePolicy
+ }
+
+ $ChromePolicyCompliant = $ChromePolicyExists -and ($ChromeDifferences.Count -eq 0)
+ $EdgePolicyCompliant = $EdgePolicyExists -and ($EdgeDifferences.Count -eq 0)
if ($Settings.remediate -eq $true) {
# Handle assignment configuration
@@ -185,46 +245,63 @@ function Invoke-CIPPStandardDeployCheckChromeExtension {
$AssignTo = $Settings.customGroup
}
- # Deploy Chrome policy
+ # Deploy or remediate Chrome policy (create if missing, update if drifted)
if (-not $ChromePolicyExists) {
$Result = Set-CIPPIntunePolicy -TemplateType 'Device' -Description 'Deploys and configures the Check Chrome extension for Google Chrome browsers' -DisplayName $ChromePolicyName -RawJSON $ChromePolicyJSON -AssignTo $AssignTo -ExcludeGroup $ExcludeGroup -tenantFilter $Tenant
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully created Check Chrome Extension policy for Chrome: $ChromePolicyName" -sev Info
+ } elseif ($ChromeDifferences.Count -gt 0) {
+ $Result = Set-CIPPIntunePolicy -TemplateType 'Device' -Description 'Deploys and configures the Check Chrome extension for Google Chrome browsers' -DisplayName $ChromePolicyName -RawJSON $ChromePolicyJSON -AssignTo $AssignTo -ExcludeGroup $ExcludeGroup -tenantFilter $Tenant
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully corrected $($ChromeDifferences.Count) drifted OMA-URI setting(s) in Check Chrome Extension policy for Chrome" -sev Info
} else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Check Chrome Extension policy for Chrome already exists, skipping creation' -sev Info
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Check Chrome Extension policy for Chrome is compliant, no changes needed' -sev Info
}
- # Deploy Edge policy
+ # Deploy or remediate Edge policy (create if missing, update if drifted)
if (-not $EdgePolicyExists) {
$Result = Set-CIPPIntunePolicy -TemplateType 'Device' -Description 'Deploys and configures the Check Chrome extension for Microsoft Edge browsers' -DisplayName $EdgePolicyName -RawJSON $EdgePolicyJSON -AssignTo $AssignTo -ExcludeGroup $ExcludeGroup -tenantFilter $Tenant
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully created Check Chrome Extension policy for Edge: $EdgePolicyName" -sev Info
+ } elseif ($EdgeDifferences.Count -gt 0) {
+ $Result = Set-CIPPIntunePolicy -TemplateType 'Device' -Description 'Deploys and configures the Check Chrome extension for Microsoft Edge browsers' -DisplayName $EdgePolicyName -RawJSON $EdgePolicyJSON -AssignTo $AssignTo -ExcludeGroup $ExcludeGroup -tenantFilter $Tenant
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully corrected $($EdgeDifferences.Count) drifted OMA-URI setting(s) in Check Chrome Extension policy for Edge" -sev Info
} else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Check Chrome Extension policy for Edge already exists, skipping creation' -sev Info
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Check Chrome Extension policy for Edge is compliant, no changes needed' -sev Info
}
}
if ($Settings.alert -eq $true) {
- $BothPoliciesExist = $ChromePolicyExists -and $EdgePolicyExists
- if ($BothPoliciesExist) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Check Chrome Extension policies are deployed for both Chrome and Edge' -sev Info
+ if ($ChromePolicyCompliant -and $EdgePolicyCompliant) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Check Chrome Extension policies are deployed and correctly configured for both Chrome and Edge' -sev Info
} else {
- $MissingPolicies = @()
- if (-not $ChromePolicyExists) { $MissingPolicies += 'Chrome' }
- if (-not $EdgePolicyExists) { $MissingPolicies += 'Edge' }
- Write-StandardsAlert -message "Check Chrome Extension policies are missing for: $($MissingPolicies -join ', ')" -object @{ 'Missing Policies' = $MissingPolicies -join ',' } -tenant $Tenant -standardName 'DeployCheckChromeExtension' -standardId $Settings.standardId
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Check Chrome Extension policies are missing for: $($MissingPolicies -join ', ')" -sev Alert
+ $Issues = [System.Collections.Generic.List[string]]::new()
+ if (-not $ChromePolicyExists) {
+ $Issues.Add('Chrome policy is missing')
+ } elseif ($ChromeDifferences.Count -gt 0) {
+ $Issues.Add("Chrome policy OMA-URI settings differ ($($ChromeDifferences.Count) difference(s))")
+ }
+ if (-not $EdgePolicyExists) {
+ $Issues.Add('Edge policy is missing')
+ } elseif ($EdgeDifferences.Count -gt 0) {
+ $Issues.Add("Edge policy OMA-URI settings differ ($($EdgeDifferences.Count) difference(s))")
+ }
+ Write-StandardsAlert -message "Check Chrome Extension issues: $($Issues -join '; ')" -object @{ Issues = ($Issues -join '; '); ChromeDifferences = $ChromeDifferences; EdgeDifferences = $EdgeDifferences } -tenant $Tenant -standardName 'DeployCheckChromeExtension' -standardId $Settings.standardId
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Check Chrome Extension issues: $($Issues -join '; ')" -sev Alert
}
}
if ($Settings.report -eq $true) {
- $StateIsCorrect = $ChromePolicyExists -and $EdgePolicyExists
+ $StateIsCorrect = $ChromePolicyCompliant -and $EdgePolicyCompliant
$ExpectedValue = [PSCustomObject]@{
- ChromePolicyDeployed = $true
- EdgePolicyDeployed = $true
+ ChromePolicyDeployed = $true
+ ChromePolicyCompliant = $true
+ EdgePolicyDeployed = $true
+ EdgePolicyCompliant = $true
}
$CurrentValue = [PSCustomObject]@{
- ChromePolicyDeployed = $ChromePolicyExists
- EdgePolicyDeployed = $EdgePolicyExists
+ ChromePolicyDeployed = [bool]$ChromePolicyExists
+ ChromePolicyCompliant = [bool]$ChromePolicyCompliant
+ EdgePolicyDeployed = [bool]$EdgePolicyExists
+ EdgePolicyCompliant = [bool]$EdgePolicyCompliant
}
Set-CIPPStandardsCompareField -FieldName 'standards.DeployCheckChromeExtension' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant
Add-CIPPBPAField -FieldName 'DeployCheckChromeExtension' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyEmailReportAddins.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyEmailReportAddins.ps1
index 0876db936f1a..5d36441ec634 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyEmailReportAddins.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyEmailReportAddins.ps1
@@ -46,7 +46,7 @@ function Invoke-CIPPStandardLegacyEmailReportAddins {
)
try {
- $CurrentApps = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications&select=addins" -TenantID $Tenant
+ $CurrentApps = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$select=id,addIns" -TenantID $Tenant
# Filter to only applications that have the legacy add-ins we're looking for
$LegacyProductIds = $LegacyAddins | ForEach-Object { $_.ProductId }
@@ -108,7 +108,7 @@ function Invoke-CIPPStandardLegacyEmailReportAddins {
# If we performed remediation and need to report/alert, get fresh state
if ($RemediationPerformed -and ($Settings.alert -eq $true -or $Settings.report -eq $true)) {
try {
- $FreshApps = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications&select=addins" -TenantID $Tenant
+ $FreshApps = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$select=addIns" -TenantID $Tenant
$LegacyProductIds = $LegacyAddins | ForEach-Object { $_.ProductId }
$FreshInstalledApps = $FreshApps | Where-Object {
$app = $_
diff --git a/Modules/CIPPCore/Public/TenantGroups/Update-CIPPDynamicTenantGroups.ps1 b/Modules/CIPPCore/Public/TenantGroups/Update-CIPPDynamicTenantGroups.ps1
index 185018453aa2..2d2d6ea3e29d 100644
--- a/Modules/CIPPCore/Public/TenantGroups/Update-CIPPDynamicTenantGroups.ps1
+++ b/Modules/CIPPCore/Public/TenantGroups/Update-CIPPDynamicTenantGroups.ps1
@@ -62,115 +62,10 @@ function Update-CIPPDynamicTenantGroups {
try {
Write-LogMessage -API 'TenantGroups' -message "Processing dynamic group: $($Group.Name)" -sev Info
$Rules = @($Group.DynamicRules | ConvertFrom-Json)
- # Build a single Where-Object string for AND logic
- $WhereConditions = foreach ($Rule in $Rules) {
- $Property = $Rule.property
- $Operator = $Rule.operator
- $Value = $Rule.value
-
- switch ($Property) {
- 'delegatedAccessStatus' {
- "`$_.delegatedPrivilegeStatus -$Operator '$($Value.value)'"
- }
- 'availableLicense' {
- if ($Operator -in @('in', 'notin')) {
- $arrayValues = if ($Value -is [array]) { $Value.guid } else { @($Value.guid) }
- $arrayAsString = $arrayValues | ForEach-Object { "'$_'" }
- if ($Operator -eq 'in') {
- "(`$_.skuId | Where-Object { `$_ -in @($($arrayAsString -join ', ')) }).Count -gt 0"
- } else {
- "(`$_.skuId | Where-Object { `$_ -in @($($arrayAsString -join ', ')) }).Count -eq 0"
- }
- } else {
- "`$_.skuId -$Operator '$($Value.guid)'"
- }
- }
- 'availableServicePlan' {
- if ($Operator -in @('in', 'notin')) {
- $arrayValues = if ($Value -is [array]) { $Value.value } else { @($Value.value) }
- $arrayAsString = $arrayValues | ForEach-Object { "'$_'" }
- if ($Operator -eq 'in') {
- # Keep tenants with ANY of the provided plans
- "(`$_.servicePlans | Where-Object { `$_ -in @($($arrayAsString -join ', ')) }).Count -gt 0"
- } else {
- # Exclude tenants with ANY of the provided plans
- "(`$_.servicePlans | Where-Object { `$_ -in @($($arrayAsString -join ', ')) }).Count -eq 0"
- }
- } else {
- "`$_.servicePlans -$Operator '$($Value.value)'"
- }
- }
- 'tenantGroupMember' {
- # Get members of the referenced tenant group(s)
- if ($Operator -in @('in', 'notin')) {
- # Handle array of group IDs
- $ReferencedGroupIds = @($Value.value)
-
- # Collect all unique member customerIds from all referenced groups
- $AllMembers = [System.Collections.Generic.HashSet[string]]::new()
- foreach ($GroupId in $ReferencedGroupIds) {
- if ($script:TenantGroupMembersCache.ContainsKey($GroupId)) {
- foreach ($MemberId in $script:TenantGroupMembersCache[$GroupId]) {
- [void]$AllMembers.Add($MemberId)
- }
- }
- }
-
- # Convert to array string for condition
- $MemberArray = $AllMembers | ForEach-Object { "'$_'" }
- $MemberArrayString = $MemberArray -join ', '
-
- if ($Operator -eq 'in') {
- "`$_.customerId -in @($MemberArrayString)"
- } else {
- "`$_.customerId -notin @($MemberArrayString)"
- }
- } else {
- # Single value with other operators
- $ReferencedGroupId = $Value.value
- "`$_.customerId -$Operator `$script:TenantGroupMembersCache['$ReferencedGroupId']"
- }
- }
- 'customVariable' {
- # Custom variable matching - value contains variable name and expected value
- # Handle case where variableName might be an object (autocomplete option) or a string
- $VariableName = if ($Value.variableName -is [string]) {
- $Value.variableName
- } elseif ($Value.variableName.value) {
- $Value.variableName.value
- } else {
- $Value.variableName
- }
- $ExpectedValue = $Value.value
- # Escape single quotes in expected value for the condition string
- $EscapedExpectedValue = $ExpectedValue -replace "'", "''"
-
- switch ($Operator) {
- 'eq' {
- "(`$_.customVariables.ContainsKey('$VariableName') -and `$_.customVariables['$VariableName'].Value -eq '$EscapedExpectedValue')"
- }
- 'ne' {
- "(-not `$_.customVariables.ContainsKey('$VariableName') -or `$_.customVariables['$VariableName'].Value -ne '$EscapedExpectedValue')"
- }
- 'like' {
- "(`$_.customVariables.ContainsKey('$VariableName') -and `$_.customVariables['$VariableName'].Value -like '*$EscapedExpectedValue*')"
- }
- 'notlike' {
- "(-not `$_.customVariables.ContainsKey('$VariableName') -or `$_.customVariables['$VariableName'].Value -notlike '*$EscapedExpectedValue*')"
- }
- }
- }
- default {
- Write-LogMessage -API 'TenantGroups' -message "Unknown property type: $Property" -sev Warning
- $null
- }
- }
-
+ if (!$Rules -or $Rules.Count -eq 0) {
+ throw 'No rules found for dynamic group.'
}
- if (!$WhereConditions) {
- throw 'Generating the conditions failed. The conditions seem to be empty.'
- }
- Write-Information "Generated where conditions: $($WhereConditions | ConvertTo-Json )"
+ Write-Information "Processing $($Rules.Count) rules for group '$($Group.Name)'"
$TenantObj = $AllTenants | ForEach-Object {
if ($Rules.property -contains 'availableLicense') {
if ($SkuHashtable.ContainsKey($_.customerId)) {
@@ -221,10 +116,26 @@ function Update-CIPPDynamicTenantGroups {
customVariables = $TenantVariables
}
}
- # Combine all conditions with the specified logic (AND or OR)
- $LogicOperator = if ($Group.RuleLogic -eq 'or') { ' -or ' } else { ' -and ' }
+ # Evaluate rules safely using Test-CIPPDynamicGroupFilter with AND/OR logic
+ $RuleLogic = if ($Group.RuleLogic -eq 'or') { 'or' } else { 'and' }
+
+ # Build sanitized condition strings from validated rules
+ $WhereConditions = foreach ($rule in $Rules) {
+ $condition = Test-CIPPDynamicGroupFilter -Rule $rule -TenantGroupMembersCache $script:TenantGroupMembersCache
+ if ($null -eq $condition) {
+ Write-Warning "Skipping invalid rule: $($rule | ConvertTo-Json -Compress)"
+ continue
+ }
+ $condition
+ }
+
+ if (!$WhereConditions) {
+ throw 'Generating the conditions failed. All rules were invalid or empty.'
+ }
+
+ $LogicOperator = if ($RuleLogic -eq 'or') { ' -or ' } else { ' -and ' }
$WhereString = $WhereConditions -join $LogicOperator
- Write-Information "Evaluating tenants with condition: $WhereString"
+ Write-Information "Evaluating tenants with sanitized condition: $WhereString"
Write-LogMessage -API 'TenantGroups' -message "Evaluating tenants for group '$($Group.Name)' with condition: $WhereString" -sev Info
$ScriptBlock = [ScriptBlock]::Create($WhereString)
diff --git a/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 b/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1
index 90257fe4a22d..4ece756421d6 100644
--- a/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1
+++ b/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1
@@ -77,10 +77,19 @@ function Invoke-CippWebhookProcessing {
}
}
+ $CustomSubject = $null
+ if ($Data.CIPPRuleId) {
+ $WebhookRulesTable = Get-CIPPTable -TableName 'WebhookRules'
+ $WebhookRule = Get-CIPPAzDataTableEntity @WebhookRulesTable -Filter "PartitionKey eq 'WebhookRule' and RowKey eq '$($Data.CIPPRuleId)'"
+ if (![string]::IsNullOrEmpty($WebhookRule.CustomSubject)) {
+ $CustomSubject = $WebhookRule.CustomSubject
+ }
+ }
+
# Save audit log entry to table
$LocationInfo = $Data.CIPPLocationInfo | ConvertFrom-Json -ErrorAction SilentlyContinue
$AuditRecord = $Data.AuditRecord | ConvertFrom-Json -ErrorAction SilentlyContinue
- $GenerateJSON = New-CIPPAlertTemplate -format 'json' -data $Data -ActionResults $ActionResults -CIPPURL $CIPPURL -AlertComment $AlertComment
+ $GenerateJSON = New-CIPPAlertTemplate -format 'json' -data $Data -ActionResults $ActionResults -CIPPURL $CIPPURL -AlertComment $WebhookRule.AlertComment -CustomSubject $CustomSubject -Tenant $Tenant.defaultDomainName
$JsonContent = @{
Title = $GenerateJSON.Title
ActionUrl = $GenerateJSON.ButtonUrl
diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
index 94b7c876fef7..4d35b2a94548 100644
--- a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
+++ b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
@@ -520,57 +520,82 @@ function Test-CIPPAuditLogRules {
if ($TenantFilter -in $Config.Excluded.value) {
continue
}
- $conditions = $Config.Conditions | ConvertFrom-Json | Where-Object { $Config.Input.value -ne '' }
+ $conditions = $Config.Conditions | ConvertFrom-Json | Where-Object { $_.Input.value -ne '' }
$actions = $Config.Actions
- $conditionStrings = [System.Collections.Generic.List[string]]::new()
$CIPPClause = [System.Collections.Generic.List[string]]::new()
- $AddedLocationCondition = $false
+
+ # Build excluded user keys for location-based conditions
+ $LocationExcludedUserKeys = @()
+ $HasGeoCondition = $false
foreach ($condition in $conditions) {
- if ($condition.Property.label -eq 'CIPPGeoLocation' -and !$AddedLocationCondition) {
- $conditionStrings.Add("`$_.HasLocationData -eq `$true")
- $CIPPClause.Add('HasLocationData is true')
- $ExcludedUsers = $ExcludedUsers | Where-Object { $_.Type -eq 'Location' }
- # Build single -notin condition against all excluded user keys
- $ExcludedUserKeys = @($ExcludedUsers.RowKey)
- if ($ExcludedUserKeys.Count -gt 0) {
- $conditionStrings.Add("`$(`$_.CIPPUserKey) -notin @('$($ExcludedUserKeys -join "', '")')")
- $CIPPClause.Add("CIPPUserKey not in [$($ExcludedUserKeys -join ', ')]")
- }
- $AddedLocationCondition = $true
+ if ($condition.Property.label -eq 'CIPPGeoLocation') {
+ $HasGeoCondition = $true
+ $LocationExcludedUsers = $ExcludedUsers | Where-Object { $_.Type -eq 'Location' }
+ $LocationExcludedUserKeys = @($LocationExcludedUsers.RowKey)
}
- $value = if ($condition.Input.value -is [array]) {
- $arrayAsString = $condition.Input.value | ForEach-Object {
- "'$_'"
- }
- "@($($arrayAsString -join ', '))"
- } else { "'$($condition.Input.value)'" }
-
- $conditionStrings.Add("`$(`$_.$($condition.Property.label)) -$($condition.Operator.value) $value")
- $CIPPClause.Add("$($condition.Property.label) is $($condition.Operator.label) $value")
+ $CIPPClause.Add("$($condition.Property.label) is $($condition.Operator.label) $($condition.Input.value)")
}
- $finalCondition = $conditionStrings -join ' -AND '
[PSCustomObject]@{
- clause = $finalCondition
- expectedAction = $actions
- CIPPClause = $CIPPClause
- AlertComment = $Config.AlertComment
+ conditions = $conditions
+ expectedAction = $actions
+ CIPPClause = $CIPPClause
+ AlertComment = $Config.AlertComment
+ HasGeoCondition = $HasGeoCondition
+ ExcludedUserKeys = $LocationExcludedUserKeys
}
}
} catch {
Write-Warning "Error creating where clause: $($_.Exception.Message)"
Write-Information $_.InvocationInfo.PositionMessage
- #Write-LogMessage -API 'Webhooks' -message 'Error creating where clause' -LogData (Get-CippException -Exception $_) -sev Error -tenant $TenantFilter
throw $_
}
$MatchedRules = [System.Collections.Generic.List[string]]::new()
+ $UnsafeValueRegex = [regex]'[;|`\$\{\}]'
$DataToProcess = foreach ($clause in $Where) {
try {
$ClauseStartTime = Get-Date
- Write-Warning "Webhook: Processing clause: $($clause.clause)"
+ Write-Warning "Webhook: Processing conditions: $($clause.CIPPClause -join ' and ')"
Write-Information "Webhook: Available operations in data: $(($ProcessedData.Operation | Select-Object -Unique) -join ', ')"
- $ReturnedData = $ProcessedData | Where-Object { Invoke-Expression $clause.clause }
+
+ # Build sanitized condition strings instead of direct evaluation
+ $conditionStrings = [System.Collections.Generic.List[string]]::new()
+ $validClause = $true
+ foreach ($condition in $clause.conditions) {
+ # Add geo-location prerequisites before the condition itself
+ if ($condition.Property.label -eq 'CIPPGeoLocation') {
+ $conditionStrings.Add('$_.HasLocationData -eq $true')
+ if ($clause.ExcludedUserKeys.Count -gt 0) {
+ $sanitizedKeys = foreach ($key in $clause.ExcludedUserKeys) {
+ $keyStr = [string]$key
+ if ($UnsafeValueRegex.IsMatch($keyStr)) {
+ Write-Warning "Blocked unsafe excluded user key: '$keyStr'"
+ $validClause = $false
+ break
+ }
+ "'{0}'" -f ($keyStr -replace "'", "''")
+ }
+ if (-not $validClause) { break }
+ $conditionStrings.Add("`$_.CIPPUserKey -notin @($($sanitizedKeys -join ', '))")
+ }
+ }
+ $sanitized = Test-CIPPConditionFilter -Condition $condition
+ if ($null -eq $sanitized) {
+ Write-Warning "Skipping rule due to invalid condition for property '$($condition.Property.label)'"
+ $validClause = $false
+ break
+ }
+ $conditionStrings.Add($sanitized)
+ }
+
+ if (-not $validClause -or $conditionStrings.Count -eq 0) {
+ continue
+ }
+
+ $WhereString = $conditionStrings -join ' -and '
+ $WhereBlock = [ScriptBlock]::Create($WhereString)
+ $ReturnedData = $ProcessedData | Where-Object $WhereBlock
if ($ReturnedData) {
Write-Warning "Webhook: There is matching data: $(($ReturnedData.operation | Select-Object -Unique) -join ', ')"
$ReturnedData = foreach ($item in $ReturnedData) {
@@ -583,10 +608,10 @@ function Test-CIPPAuditLogRules {
}
$ClauseEndTime = Get-Date
$ClauseSeconds = ($ClauseEndTime - $ClauseStartTime).TotalSeconds
- Write-Warning "Task took $ClauseSeconds seconds for clause: $($clause.clause)"
+ Write-Warning "Task took $ClauseSeconds seconds for conditions: $($clause.CIPPClause -join ' and ')"
$ReturnedData
} catch {
- Write-Warning "Error processing clause: $($clause.clause): $($_.Exception.Message)"
+ Write-Warning "Error processing conditions: $($clause.CIPPClause -join ' and '): $($_.Exception.Message)"
}
}
$Results.MatchedRules = @($MatchedRules | Select-Object -Unique)