[pull] master from KelvinTegelaar:master

.github/workflows/dev_clouduptest.yml

@@ -0,0 +1,32 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - clouduptest
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'clouduptest'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_9B9E8B9A9BBE446188BCA9F126A1B646 }}
+          sku: 'flexconsumption'
+

Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1

@@ -19,6 +19,9 @@ function Add-CIPPScheduledTask {
         [Parameter(Mandatory = $true, ParameterSetName = 'RunNow')]
         [string]$RowKey,
 
+        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [string]$DesiredStartTime = $null,
+
         [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
         [Parameter(Mandatory = $false, ParameterSetName = 'RunNow')]
         $Headers
@@ -119,8 +122,24 @@ function Add-CIPPScheduledTask {
                 $task.Recurrence.value
             }
 
-            if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
-                $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+            if ($DesiredStartTime) {
+                try {
+                    # Parse the epoch time
+                    $epochSeconds = [int64]$DesiredStartTime
+                    # Set ScheduledTime to the desired time
+                    $task.ScheduledTime = $epochSeconds
+                } catch {
+                    Write-Warning "Failed to parse DesiredStartTime: $DesiredStartTime. Using provided ScheduledTime."
+                    # Fall back to default
+                    if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
+                        $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+                    }
+                }
+            } else {
+                # No DesiredStartTime - use current behavior (immediate execution)
+                if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
+                    $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+                }
             }
             $excludedTenants = if ($task.excludedTenants.value) {
                 $task.excludedTenants.value -join ','
@@ -166,6 +185,10 @@ function Add-CIPPScheduledTask {
                 Hidden               = [bool]$Hidden
                 Results              = 'Planned'
             }
+            # Always store DesiredStartTime if provided
+            if ($DesiredStartTime) {
+                $entity['DesiredStartTime'] = [string]$DesiredStartTime
+            }
 
             # Store the original tenant filter for group expansion during execution
             if ($originalTenantFilter -is [PSCustomObject] -and $originalTenantFilter.type -eq 'Group') {
@@ -190,6 +213,7 @@ function Add-CIPPScheduledTask {
                 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
                 return "Could not add task: $ErrorMessage"
             }
+            Write-LogMessage -headers $Headers -API 'ScheduledTask' -message "Added task $($entity.Name) with ID $($entity.RowKey)" -Sev 'Info' -Tenant $tenantFilter
             return "Successfully added task: $($entity.Name)"
         }
     } catch {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertDepTokenExpiry {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -13,7 +13,7 @@ function Get-CIPPAlertDepTokenExpiry {
 
     try {
         try {
-            $DepTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter).value
+            $DepTokens = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter
             $AlertData = foreach ($Dep in $DepTokens) {
                 if ($Dep.tokenExpirationDateTime -lt (Get-Date).AddDays(30) -and $Dep.tokenExpirationDateTime -gt (Get-Date).AddDays(-7)) {
                     $Message = 'Apple Device Enrollment Program token expiring on {0}' -f $Dep.tokenExpirationDateTime

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1

@@ -12,8 +12,13 @@ function Get-CIPPAlertNoCAConfig {
     )
 
     try {
-        $CAAvailable = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter -ErrorAction Stop).serviceplans
-        if ('AAD_PREMIUM' -in $CAAvailable.servicePlanName) {
+        # Only consider CA available when a SKU that grants it has enabled seats (> 0)
+        $SubscribedSkus = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/subscribedSkus?`$select=prepaidUnits,servicePlans" -tenantid $TenantFilter -ErrorAction Stop
+        $CAAvailable = foreach ($sku in $SubscribedSkus) {
+            if ([int]$sku.prepaidUnits.enabled -gt 0) { $sku.servicePlans }
+        }
+
+        if (('AAD_PREMIUM' -in $CAAvailable.servicePlanName) -or ('AAD_PREMIUM_P2' -in $CAAvailable.servicePlanName)) {
             $CAPolicies = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $TenantFilter)
             if (!$CAPolicies.id) {
                 $AlertData = 'Conditional Access is available, but no policies could be found.'

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVppTokenExpiry.ps1

@@ -4,21 +4,20 @@ function Get-CIPPAlertVppTokenExpiry {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
         $TenantFilter
     )
     try {
         try {
-            $VppTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/vppTokens' -tenantid $TenantFilter).value
+            $VppTokens = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/vppTokens' -tenantid $TenantFilter
             $AlertData = foreach ($Vpp in $VppTokens) {
                 if ($Vpp.state -ne 'valid') {
                     $Message = 'Apple Volume Purchase Program Token is not valid, new token required'
                     $Vpp | Select-Object -Property organizationName, appleId, vppTokenAccountType, @{Name = 'Message'; Expression = { $Message } }
-                }
-                if ($Vpp.expirationDateTime -lt (Get-Date).AddDays(30) -and $Vpp.expirationDateTime -gt (Get-Date).AddDays(-7)) {
+                } elseif ($Vpp.expirationDateTime -lt (Get-Date).AddDays(30).ToUniversalTime() -and $Vpp.expirationDateTime -gt (Get-Date).AddDays(-7).ToUniversalTime()) {
                     $Message = 'Apple Volume Purchase Program token expiring on {0}' -f $Vpp.expirationDateTime
                     $Vpp | Select-Object -Property organizationName, appleId, vppTokenAccountType, @{Name = 'Message'; Expression = { $Message } }
                 }

Modules/CIPPCore/Public/Authentication/Get-CippAllowedPermissions.ps1

@@ -70,7 +70,6 @@ function Get-CippAllowedPermissions {
 
     # For admin and superadmin: Compute permissions from base role include/exclude rules
     if ($PrimaryRole -in @('admin', 'superadmin')) {
-        Write-Information "Computing permissions for $PrimaryRole using base role rules"
 
         if ($BaseRole) {
             # Start with all permissions and apply include/exclude rules
@@ -143,7 +142,19 @@ function Get-CippAllowedPermissions {
                 }
 
                 # Restrict base permissions to only those allowed by custom roles
-                $RestrictedPermissions = $BasePermissions | Where-Object { $CustomRolePermissions -contains $_ }
+                # Include Read permissions when ReadWrite permissions are present
+                $RestrictedPermissions = $BasePermissions | Where-Object {
+                    $Permission = $_
+                    if ($CustomRolePermissions -contains $Permission) {
+                        $true
+                    } elseif ($Permission -match 'Read$') {
+                        # Check if there's a corresponding ReadWrite permission
+                        $ReadWritePermission = $Permission -replace 'Read', 'ReadWrite'
+                        $CustomRolePermissions -contains $ReadWritePermission
+                    } else {
+                        $false
+                    }
+                }
                 foreach ($Permission in $RestrictedPermissions) {
                     if ($null -ne $Permission -and $Permission -is [string]) {
                         $AllowedPermissions.Add($Permission)
@@ -161,8 +172,6 @@ function Get-CippAllowedPermissions {
     }
     # Handle users with only custom roles (no base role)
     elseif ($CustomRoles.Count -gt 0) {
-        Write-Information 'Computing permissions for custom roles only'
-
         foreach ($CustomRole in $CustomRoles) {
             try {
                 $RolePermissions = Get-CIPPRolePermissions -RoleName $CustomRole

Modules/CIPPCore/Public/CippQueue/Invoke-ListCippQueue.ps1

@@ -15,10 +15,10 @@ function Invoke-ListCippQueue {
     $CippQueue = Get-CippTable -TableName 'CippQueue'
     $CippQueueTasks = Get-CippTable -TableName 'CippQueueTasks'
     $3HoursAgo = (Get-Date).ToUniversalTime().AddHours(-3).ToString('yyyy-MM-ddTHH:mm:ssZ')
-    $CippQueueData = Get-CIPPAzDataTableEntity @CippQueue -Filter "Timestamp ge datetime'$3HoursAgo'" | Sort-Object -Property Timestamp -Descending
+    $CippQueueData = Get-CIPPAzDataTableEntity @CippQueue -Filter "PartitionKey eq 'CippQueue' and Timestamp ge datetime'$3HoursAgo'" | Sort-Object -Property Timestamp -Descending
 
     $QueueData = foreach ($Queue in $CippQueueData) {
-        $Tasks = Get-CIPPAzDataTableEntity @CippQueueTasks -Filter "QueueId eq '$($Queue.RowKey)'" | Where-Object { $_.Name } | Select-Object @{n = 'Timestamp'; exp = { $_.Timestamp.DateTime.ToUniversalTime() } }, Name, Status
+        $Tasks = Get-CIPPAzDataTableEntity @CippQueueTasks -Filter "PartitionKey eq 'Task' and QueueId eq '$($Queue.RowKey)'" | Where-Object { $_.Name } | Select-Object @{n = 'Timestamp'; exp = { $_.Timestamp.DateTime.ToUniversalTime() } }, Name, Status
         $TaskStatus = @{}
         $Tasks | Group-Object -Property Status | ForEach-Object {
             $TaskStatus.$($_.Name) = $_.Count

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ListGraphRequest.ps1

@@ -33,6 +33,10 @@ function Invoke-ListGraphRequest {
         $Parameters.'$expand' = $Request.Query.'$expand'
     }
 
+    if ($Request.Query.expand) {
+        $Parameters.'expand' = $Request.Query.expand
+    }
+
     if ($Request.Query.'$top') {
         $Parameters.'$top' = $Request.Query.'$top'
     }
@@ -120,13 +124,13 @@ function Invoke-ListGraphRequest {
 
     try {
         $Results = Get-GraphRequestList @GraphRequestParams
-        if ($Results.nextLink) {
-            Write-Host "NextLink: $($Results.nextLink | Select-Object -Last 1)"
-            if ($Request.Query.TenantFilter -ne 'AllTenants') {
-                $Metadata['nextLink'] = $Results.nextLink | Select-Object -Last 1
+        if ($Results | Where-Object { $_.PSObject.Properties.Name -contains 'nextLink' }) {
+            if (![string]::IsNullOrEmpty($Results.nextLink) -and $Request.Query.TenantFilter -ne 'AllTenants') {
+                Write-Host "NextLink: $($Results.nextLink | Where-Object { $_ } | Select-Object -Last 1)"
+                $Metadata['nextLink'] = $Results.nextLink | Where-Object { $_ } | Select-Object -Last 1
             }
-            #Results is an array of objects, so we need to remove the last object before returning
-            $Results = $Results | Select-Object -First ($Results.Count - 1)
+            # Remove nextLink trailing object only if it’s the last item
+            $Results = $Results | Where-Object { $_.PSObject.Properties.Name -notcontains 'nextLink' }
         }
         if ($Request.Query.ListProperties) {
             $Columns = ($Results | Select-Object -First 1).PSObject.Properties.Name

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-AddScheduledItem.ps1

@@ -31,7 +31,7 @@ function Invoke-AddScheduledItem {
             $Result = "Error scheduling task: $($_.Exception.Message)"
         }
     } else {
-        $Result = Add-CIPPScheduledTask -Task $Request.Body -Headers $Request.Headers -hidden $hidden -DisallowDuplicateName $Request.Query.DisallowDuplicateName
+        $Result = Add-CIPPScheduledTask -Task $Request.Body -Headers $Request.Headers -hidden $hidden -DisallowDuplicateName $Request.Query.DisallowDuplicateName -DesiredStartTime $Request.Body.DesiredStartTime
         Write-LogMessage -headers $Request.Headers -API $APINAME -message $Result -Sev 'Info'
     }
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecRestoreBackup.ps1

@@ -17,7 +17,7 @@ function Invoke-ExecRestoreBackup {
 
         if ($Request.Body.BackupName -like 'CippBackup_*') {
             $Table = Get-CippTable -tablename 'CIPPBackup'
-            $Backup = Get-CippAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.BackupName)'"
+            $Backup = Get-CippAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.BackupName)' or OriginalEntityId eq '$($Request.Body.BackupName)'"
             if ($Backup) {
                 $BackupData = $Backup.Backup | ConvertFrom-Json -ErrorAction SilentlyContinue | Select-Object * -ExcludeProperty ETag, Timestamp
                 $BackupData | ForEach-Object {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1

@@ -43,7 +43,7 @@ function Invoke-ExecTenantGroup {
                 Add-CIPPAzDataTableEntity @Table -Entity $GroupEntity -Force
             }
 
-            $CurrentMembers = Get-CIPPAzDataTableEntity @MembersTable -Filter "GroupId eq '$groupId'"
+            $CurrentMembers = Get-CIPPAzDataTableEntity @MembersTable -Filter "PartitionKey eq 'Member' and GroupId eq '$groupId'"
 
             $Adds = [System.Collections.Generic.List[string]]::new()
             $Removes = [System.Collections.Generic.List[string]]::new()

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddPolicy.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-AddPolicy {
+function Invoke-AddPolicy {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -14,8 +14,8 @@ Function Invoke-AddPolicy {
     $Headers = $Request.Headers
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
-    $Tenants = ($Request.Body.tenantFilter.value)
-    if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName }
+    $Tenants = $Request.Body.tenantFilter.value ? $Request.Body.tenantFilter.value : $Request.Body.tenantFilter
+    if ('AllTenants' -in $Tenants) { $Tetnants = (Get-Tenants).defaultDomainName }
     $displayname = $Request.Body.displayName
     $description = $Request.Body.Description
     $AssignTo = if ($Request.Body.AssignTo -ne 'on') { $Request.Body.AssignTo }
@@ -25,7 +25,7 @@ Function Invoke-AddPolicy {
 
     $results = foreach ($Tenant in $tenants) {
         if ($Request.Body.replacemap.$tenant) {
-        ([pscustomobject]$Request.Body.replacemap.$tenant).psobject.properties | ForEach-Object { $RawJson = $RawJson -replace $_.name, $_.value }
+            ([pscustomobject]$Request.Body.replacemap.$tenant).psobject.properties | ForEach-Object { $RawJson = $RawJson -replace $_.name, $_.value }
         }
         try {
             Write-Host 'Calling Adding policy'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroups.ps1

@@ -19,7 +19,14 @@ function Invoke-ListGroups {
     $GroupType = $Request.Query.groupType
     $Members = $Request.Query.members
     $Owners = $Request.Query.owners
-    $SelectString = 'id,createdDateTime,displayName,description,mail,mailEnabled,mailNickname,resourceProvisioningOptions,securityEnabled,visibility,organizationId,onPremisesSamAccountName,membershipRule,groupTypes,onPremisesSyncEnabled,resourceProvisioningOptions,userPrincipalName&$expand=members($select=userPrincipalName)'
+
+    $ExpandMembers = $Request.Query.expandMembers ?? $false
+
+    $SelectString = 'id,createdDateTime,displayName,description,mail,mailEnabled,mailNickname,resourceProvisioningOptions,securityEnabled,visibility,organizationId,onPremisesSamAccountName,membershipRule,groupTypes,onPremisesSyncEnabled,resourceProvisioningOptions,userPrincipalName'
+    if ($ExpandMembers -ne $false) {
+        $SelectString = '{0}&$expand=members($select=userPrincipalName)' -f $SelectString
+    }
+
 
     $BulkRequestArrayList = [System.Collections.Generic.List[object]]::new()
 
@@ -86,7 +93,7 @@ function Invoke-ListGroups {
             $RawGraphRequest = New-GraphBulkRequest -tenantid $TenantFilter -scope 'https://graph.microsoft.com/.default' -Requests @($BulkRequestArrayList) -asapp $true
             $GraphRequest = [PSCustomObject]@{
                 groupInfo              = ($RawGraphRequest | Where-Object { $_.id -eq 1 }).body | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
-                @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -Like '*Team*') { $true } else { $false } } },
+                @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true } else { $false } } },
                 @{Name = 'calculatedGroupType'; Expression = {
                         if ($_.mailEnabled -and $_.securityEnabled) { 'Mail-Enabled Security' }
                         if (!$_.mailEnabled -and $_.securityEnabled) { 'Security' }
@@ -129,4 +136,4 @@ function Invoke-ListGroups {
             Body       = $GraphRequest
         })
 
-}
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -134,19 +134,21 @@ function Invoke-ExecJITAdmin {
         if ($Request.Body.useraction -eq 'Create') {
             Write-LogMessage -Headers $User -API $APIName -tenant $TenantFilter -message "Creating JIT Admin user $($Request.Body.Username)" -Sev 'Info'
             Write-Information "Creating JIT Admin user $($Request.Body.username)"
+            $Domain = $Request.Body.Domain.value ? $Request.Body.Domain.value : $Request.Body.Domain
+
             $JITAdmin = @{
                 User         = @{
                     'FirstName'         = $Request.Body.FirstName
                     'LastName'          = $Request.Body.LastName
-                    'UserPrincipalName' = "$($Request.Body.Username)@$($Request.Body.Domain.value)"
+                    'UserPrincipalName' = "$($Request.Body.Username)@$($Domain)"
                 }
                 Expiration   = $Expiration
                 Action       = 'Create'
                 TenantFilter = $TenantFilter
             }
             $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
-            $Username = "$($Request.Body.Username)@$($Request.Body.Domain.value)"
-            $Results.Add("Created User: $($Request.Body.Username)@$($Request.Body.Domain.value)")
+            $Username = "$($Request.Body.Username)@$($Domain)"
+            $Results.Add("Created User: $Username")
             if (!$Request.Body.UseTAP) {
                 $Results.Add("Password: $($CreateResult.password)")
             }