bmsimp · pull · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
diff --git a/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 b/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1
@@ -10,9 +10,11 @@ function Get-CIPPTimerFunctions {
 
     # Check running nodes
     $VersionTable = Get-CIPPTable -tablename 'Version'
-    $Nodes = Get-CIPPAzDataTableEntity @VersionTable -Filter "PartitionKey eq 'Version' and RowKey ne 'Version'" | Where-Object { $_.RowKey -match '-' }
-    $AvailableNodes = $Nodes.RowKey | ForEach-Object { ($_ -split '-')[1] }
+    $Nodes = Get-CIPPAzDataTableEntity @VersionTable -Filter "PartitionKey eq 'Version' and RowKey ne 'Version'"
+
     $FunctionName = $env:WEBSITE_SITE_NAME
+    $MainFunctionVersion = ($Nodes | Where-Object { $_.RowKey -eq $FunctionName }).Version
+    $AvailableNodes = $Nodes.RowKey | Where-Object { $_.RowKey -match '-' -and $_.Version -eq $MainFunctionVersion } | ForEach-Object { ($_ -split '-')[1] }
 
     # Get node name
     if ($FunctionName -match '-') {
@@ -22,7 +24,7 @@ function Get-CIPPTimerFunctions {
     }
 
     $RunOnProcessor = $true
-    if ($Config -and $Config.state -eq $true) {
+    if ($Config -and $Config.state -eq $true -and $AvailableNodes.Count -gt 0) {
         if ($env:CIPP_PROCESSOR -ne 'true') {
             $RunOnProcessor = $false
         }

diff --git a/Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1 b/Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1
@@ -7,13 +7,22 @@ function Remove-CIPPGroupMember(
     [string]$APIName = 'Remove Group Member'
 ) {
     try {
-        if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
-        # $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Member)" -tenantid $TenantFilter).id
-        # $AddMemberBody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
         if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') {
             $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true }
             $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Remove-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true
         } else {
+            if ($Member -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
+                Write-Information "Member $Member is a GUID, proceeding with removal."
+            } else {
+                Write-Information "Member $Member is not a GUID, attempting to resolve to object ID."
+                if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
+                $UserObject = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Member)?`$select=id" -tenantid $TenantFilter
+                if ($null -eq $UserObject.id) {
+                    throw "Could not resolve user $Member to an object ID."
+                }
+                $Member = $UserObject.id
+                Write-Information "Resolved member to object ID: $Member"
+            }
             $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)/members/$($Member)/`$ref" -tenantid $TenantFilter -type DELETE -body '{}' -Verbose
         }
         $Results = "Successfully removed user $($Member) from $($GroupId)."

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1
@@ -75,10 +75,9 @@ function Invoke-CIPPStandardMalwareFilterPolicy {
 
     try {
         $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterPolicy' |
-        Where-Object -Property Name -EQ $PolicyName |
-        Select-Object Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress
-    }
-    catch {
+            Where-Object -Property Name -EQ $PolicyName |
+            Select-Object Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress
+    } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the MalwareFilterPolicy state for $Tenant. Error: $ErrorMessage" -Sev Error
         return
@@ -92,27 +91,29 @@ function Invoke-CIPPStandardMalwareFilterPolicy {
         $ExpectedFileTypes = $DefaultFileTypes + @($Settings.OptionalFileTypes.Split(',').Trim())
     }
 
+    $FileTypeAction = $Settings.FileTypeAction.value ?? $Settings.FileTypeAction ?? 'Quarantine'
+
     $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
-                      ($CurrentState.EnableFileFilter -eq $true) -and
-                      ($CurrentState.FileTypeAction -eq $Settings.FileTypeAction) -and
-                      (!(Compare-Object -ReferenceObject $CurrentState.FileTypes -DifferenceObject $ExpectedFileTypes)) -and
-                      ($CurrentState.ZapEnabled -eq $true) -and
-                      ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
-                      ($CurrentState.EnableInternalSenderAdminNotifications -eq $Settings.EnableInternalSenderAdminNotifications) -and
-                      (($null -eq $Settings.InternalSenderAdminAddress) -or ($CurrentState.InternalSenderAdminAddress -eq $Settings.InternalSenderAdminAddress)) -and
-                      ($CurrentState.EnableExternalSenderAdminNotifications -eq $Settings.EnableExternalSenderAdminNotifications) -and
-                      (($null -eq $Settings.ExternalSenderAdminAddress) -or ($CurrentState.ExternalSenderAdminAddress -eq $Settings.ExternalSenderAdminAddress))
+    ($CurrentState.EnableFileFilter -eq $true) -and
+    ($CurrentState.FileTypeAction -eq $FileTypeAction) -and
+    (!(Compare-Object -ReferenceObject $CurrentState.FileTypes -DifferenceObject $ExpectedFileTypes)) -and
+    ($CurrentState.ZapEnabled -eq $true) -and
+    ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
+    ($CurrentState.EnableInternalSenderAdminNotifications -eq $Settings.EnableInternalSenderAdminNotifications) -and
+    (($null -eq $Settings.InternalSenderAdminAddress) -or ($CurrentState.InternalSenderAdminAddress -eq $Settings.InternalSenderAdminAddress)) -and
+    ($CurrentState.EnableExternalSenderAdminNotifications -eq $Settings.EnableExternalSenderAdminNotifications) -and
+    (($null -eq $Settings.ExternalSenderAdminAddress) -or ($CurrentState.ExternalSenderAdminAddress -eq $Settings.ExternalSenderAdminAddress))
 
     $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
 
     $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterRule' |
-    Where-Object -Property Name -EQ $RuleName |
-    Select-Object Name, MalwareFilterPolicy, Priority, RecipientDomainIs
+        Where-Object -Property Name -EQ $RuleName |
+        Select-Object Name, MalwareFilterPolicy, Priority, RecipientDomainIs
 
     $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
-                          ($RuleState.MalwareFilterPolicy -eq $PolicyName) -and
-                          ($RuleState.Priority -eq 0) -and
-                          (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+    ($RuleState.MalwareFilterPolicy -eq $PolicyName) -and
+    ($RuleState.Priority -eq 0) -and
+    (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
 
     if ($Settings.remediate -eq $true) {
 
@@ -122,7 +123,7 @@ function Invoke-CIPPStandardMalwareFilterPolicy {
             $cmdParams = @{
                 EnableFileFilter                       = $true
                 FileTypes                              = $ExpectedFileTypes
-                FileTypeAction                         = $Settings.FileTypeAction
+                FileTypeAction                         = $FileTypeAction
                 ZapEnabled                             = $true
                 QuarantineTag                          = $Settings.QuarantineTag
                 EnableInternalSenderAdminNotifications = $Settings.EnableInternalSenderAdminNotifications

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1
@@ -44,15 +44,16 @@ function Invoke-CIPPStandardSpoofWarn {
 
     try {
         $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ExternalInOutlook')
-    }
-    catch {
+    } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the SpoofWarn state for $Tenant. Error: $ErrorMessage" -Sev Error
         return
     }
 
     # Get state value using null-coalescing operator
     $state = $Settings.state.value ?? $Settings.state
+
+    $IsEnabled = $state -eq 'enabled'
     $AllowListAdd = $Settings.AllowListAdd.value ?? $Settings.AllowListAdd
 
     # Test if all entries in the AllowListAdd variable are in the AllowList
@@ -131,7 +132,7 @@ function Invoke-CIPPStandardSpoofWarn {
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'SpoofingWarnings' -FieldValue $CurrentInfo.Enabled -StoreAs bool -Tenant $Tenant
 
-        if ($AllowListCorrect -eq $true -and $CurrentInfo.Enabled -eq $status) {
+        if ($AllowListCorrect -eq $true -and $CurrentInfo.Enabled -eq $IsEnabled) {
             $FieldValue = $true
         } else {
             $FieldValue = $CurrentInfo | Select-Object Enabled, AllowList