Merge pull request #540 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1

@@ -18,6 +18,16 @@ function Push-ExecScheduledCommand {
     # We don't need to expand groups here as that's handled in the orchestrator
     $TenantInfo = Get-Tenants -TenantFilter $Tenant
 
+    $CurrentTask = Get-AzDataTableEntity @Table -Filter "PartitionKey eq '$($task.PartitionKey)' and RowKey eq '$($task.RowKey)'"
+    if (!$CurrentTask) {
+        Write-Information "The task $($task.Name) for tenant $($task.Tenant) does not exist in the ScheduledTasks table. Exiting."
+        return
+    }
+    if ($CurrentTask.TaskState -eq 'Completed') {
+        Write-Information "The task $($task.Name) for tenant $($task.Tenant) is already completed. Skipping execution."
+        return
+    }
+
     if ($task.Trigger) {
         # Extract trigger data from the task and process
         $Trigger = if (Test-Json -Json $task.Trigger) { $task.Trigger | ConvertFrom-Json } else { $task.Trigger }
@@ -276,7 +286,7 @@ function Push-ExecScheduledCommand {
     Write-Information 'Sent the results to the target. Updating the task state.'
 
     try {
-        if ($task.Recurrence -eq '0' -or [string]::IsNullOrEmpty($task.Recurrence) -or $Trigger.ExecutionMode.value -eq 'once') {
+        if ($task.Recurrence -eq '0' -or [string]::IsNullOrEmpty($task.Recurrence) -or $Trigger.ExecutionMode.value -eq 'once' -or $Trigger.ExecutionMode -eq 'once') {
             Write-Information 'Recurrence empty or 0. Task is not recurring. Setting task state to completed.'
             Update-AzDataTableEntity -Force @Table -Entity @{
                 PartitionKey = $task.PartitionKey

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandard.ps1

@@ -20,7 +20,15 @@ function Push-CIPPStandard {
         Write-Information "Rerun is set to false. We'll be running $FunctionName"
     }
     try {
-        & $FunctionName -Tenant $Item.Tenant -Settings $Item.Settings -ErrorAction Stop
+        # Convert settings to JSON, replace %variables%, then convert back to object
+        $SettingsJSON = $Item.Settings | ConvertTo-Json -Depth 10 -Compress
+        if ($SettingsJSON -match '%') {
+            $Settings = Get-CIPPTextReplacement -TenantFilter $Item.Tenant -Text $SettingsJSON | ConvertFrom-Json
+        } else {
+            $Settings = $Item.Settings
+        }
+
+        & $FunctionName -Tenant $Item.Tenant -Settings $Settings -ErrorAction Stop
         Write-Information "Standard $($Standard) completed for tenant $($Tenant)"
     } catch {
         Write-LogMessage -API 'Standards' -tenant $Tenant -message "Error running standard $($Standard) for tenant $($Tenant) - $($_.Exception.Message)" -sev Error -LogData (Get-CippException -Exception $_)

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroupTeam.ps1

@@ -0,0 +1,78 @@
+function Invoke-AddGroupTeam {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Identity.Group.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $TenantFilter = $Request.Body.TenantFilter
+    $GroupId = $Request.Body.GroupId
+
+    $Results = [System.Collections.Generic.List[string]]@()
+
+    try {
+        # Default team settings - can be customized via request body
+        $TeamSettings = if ($Request.Body.TeamSettings) {
+            $Request.Body.TeamSettings
+        } else {
+            @{
+                memberSettings    = @{
+                    allowCreatePrivateChannels = $true
+                    allowCreateUpdateChannels  = $true
+                }
+                messagingSettings = @{
+                    allowUserEditMessages   = $true
+                    allowUserDeleteMessages = $true
+                }
+                funSettings       = @{
+                    allowGiphy         = $true
+                    giphyContentRating = 'strict'
+                }
+            }
+        }
+
+        # Create team from group using PUT request
+        $GraphParams = @{
+            uri      = "https://graph.microsoft.com/beta/groups/$GroupId/team"
+            tenantid = $TenantFilter
+            type     = 'PUT'
+            body     = ($TeamSettings | ConvertTo-Json -Depth 10)
+            AsApp    = $true
+        }
+        $null = New-GraphPOSTRequest @GraphParams
+
+        $Results.Add("Successfully created team from group $GroupId")
+        Write-LogMessage -API $APIName -tenant $TenantFilter -message "Created team from group $GroupId" -Sev 'Info'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $RawMessage = $_.Exception.Message
+
+        # Determine if this is a likely replication delay 404 (exclude owner/membership related 404s)
+        $Is404 = ($RawMessage -match '404|Not Found' -or $ErrorMessage.NormalizedError -match '404|Not Found')
+        $IsOwnerRelated = ($RawMessage -match 'owner' -or $ErrorMessage.NormalizedError -match 'owner')
+        $IsMembershipRelated = ($RawMessage -match 'member' -or $ErrorMessage.NormalizedError -match 'member')
+
+        $IsReplicationDelay = $Is404 -and -not ($IsOwnerRelated -or $IsMembershipRelated)
+
+        if ($IsReplicationDelay) {
+            $Results.Add('Failed to create team: The group may have been created too recently. If it was created less than 15 minutes ago, wait and retry. Groups need time to fully replicate before a team can be created.')
+            Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to create team from group $GroupId - probable replication delay (404). Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
+        } else {
+            $Results.Add("Failed to create team: $($ErrorMessage.NormalizedError)")
+            Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to create team from group $GroupId. Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
+        }
+    }
+
+    $Body = @{
+        Results = @($Results)
+    }
+
+    return ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Body
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroupTemplate.ps1

@@ -29,7 +29,7 @@ function Invoke-AddGroupTemplate {
             '*unified*' { 'm365'; break }
             '*m365*' { 'm365'; break }
             '*generic*' { 'generic'; break }
-            '*security*' { 'generic'; break }
+            '*security*' { 'security'; break }
             '*distribution*' { 'distribution'; break }
             '*mail*' { 'distribution'; break }
             default { $Request.Body.groupType }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroups.ps1

@@ -87,13 +87,21 @@ function Invoke-ListGroups {
             $GraphRequest = [PSCustomObject]@{
                 groupInfo              = ($RawGraphRequest | Where-Object { $_.id -eq 1 }).body | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
                 @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true } else { $false } } },
-                @{Name = 'calculatedGroupType'; Expression = {
+                @{Name = 'groupType'; Expression = {
                         if ($_.groupTypes -contains 'Unified') { 'Microsoft 365' }
                         elseif ($_.mailEnabled -and $_.securityEnabled) { 'Mail-Enabled Security' }
                         elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'Security' }
                         elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'Distribution List' }
                     }
-                }, @{Name = 'dynamicGroupBool'; Expression = { if ($_.groupTypes -contains 'DynamicMembership') { $true } else { $false } } }
+                },
+                @{Name = 'calculatedGroupType'; Expression = {
+                        if ($_.groupTypes -contains 'Unified') { 'm365' }
+                        elseif ($_.mailEnabled -and $_.securityEnabled) { 'security' }
+                        elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'generic' }
+                        elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'distributionList' }
+                    }
+                },
+                @{Name = 'dynamicGroupBool'; Expression = { if ($_.groupTypes -contains 'DynamicMembership') { $true } else { $false } } }
                 members                = ($RawGraphRequest | Where-Object { $_.id -eq 2 }).body.value
                 owners                 = ($RawGraphRequest | Where-Object { $_.id -eq 3 }).body.value
                 allowExternal          = (!$OnlyAllowInternal)
@@ -104,13 +112,20 @@ function Invoke-ListGroups {
             $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupID)/$($members)?`$top=999&select=$SelectString" -tenantid $TenantFilter | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
             @{Name = 'membersCsv'; Expression = { $_.members.userPrincipalName -join ',' } },
             @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true }else { $false } } },
-            @{Name = 'calculatedGroupType'; Expression = {
+            @{Name = 'groupType'; Expression = {
                     if ($_.groupTypes -contains 'Unified') { 'Microsoft 365' }
                     elseif ($_.mailEnabled -and $_.securityEnabled) { 'Mail-Enabled Security' }
                     elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'Security' }
                     elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'Distribution List' }
                 }
             },
+            @{Name = 'calculatedGroupType'; Expression = {
+                    if ($_.groupTypes -contains 'Unified') { 'm365' }
+                    elseif ($_.mailEnabled -and $_.securityEnabled) { 'security' }
+                    elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'generic' }
+                    elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'distributionList' }
+                }
+            },
             @{Name = 'dynamicGroupBool'; Expression = { if ($_.groupTypes -contains 'DynamicMembership') { $true } else { $false } } }
             $GraphRequest = @($GraphRequest | Sort-Object displayName)
         }

Modules/CIPPCore/Public/New-CIPPGroup.ps1

@@ -43,6 +43,7 @@ function New-CIPPGroup {
     try {
         # Normalize group type for consistent handling (accept camelCase from templates)
         $NormalizedGroupType = switch -Wildcard ($GroupObject.groupType.ToLower()) {
+            'mail-enabled security' { 'Security'; break }
             '*dynamicdistribution*' { 'DynamicDistribution'; break }  # Check this first before *dynamic* and *distribution*
             '*dynamic*' { 'Dynamic'; break }
             '*generic*' { 'Generic'; break }
@@ -57,7 +58,7 @@ function New-CIPPGroup {
         }
 
         # Determine if this group type needs an email address
-        $GroupTypesNeedingEmail = @('M365', 'Distribution', 'DynamicDistribution')
+        $GroupTypesNeedingEmail = @('M365', 'Distribution', 'DynamicDistribution', 'Security')
         $NeedsEmail = $NormalizedGroupType -in $GroupTypesNeedingEmail
 
         # Determine email address only for group types that need it
@@ -95,13 +96,13 @@ function New-CIPPGroup {
         Write-LogMessage -API $APIName -tenant $TenantFilter -message "Creating group $($GroupObject.displayName) of type $NormalizedGroupType$(if ($NeedsEmail) { " with email $Email" })" -Sev Info
 
         # Handle Graph API groups (Security, Generic, AzureRole, Dynamic, M365)
-        if ($NormalizedGroupType -in @('Generic', 'Security', 'AzureRole', 'Dynamic', 'M365')) {
+        if ($NormalizedGroupType -in @('Generic', 'AzureRole', 'Dynamic', 'M365')) {
             Write-Information "Creating group $($GroupObject.displayName) of type $NormalizedGroupType$(if ($NeedsEmail) { " with email $Email" })"
             $BodyParams = [PSCustomObject]@{
                 'displayName'        = $GroupObject.displayName
                 'description'        = $GroupObject.description
                 'mailNickname'       = $MailNickname
-                'mailEnabled'        = ($NormalizedGroupType -in @('Security', 'M365'))
+                'mailEnabled'        = ($NormalizedGroupType -eq 'M365')
                 'securityEnabled'    = $true
                 'isAssignableToRole' = ($NormalizedGroupType -eq 'AzureRole')
             }
@@ -194,13 +195,17 @@ function New-CIPPGroup {
 
                 $ExoParams = @{
                     Name                               = $GroupObject.displayName
-                    Alias                              = $GroupObject.username
+                    Alias                              = $MailNickname
                     Description                        = $GroupObject.description
                     PrimarySmtpAddress                 = $Email
                     Type                               = $GroupObject.groupType
                     RequireSenderAuthenticationEnabled = [bool]!$GroupObject.allowExternal
                 }
 
+                if ($NormalizedGroupType -eq 'Security') {
+                    $ExoParams.Type = 'Security'
+                }
+
                 # Add owners
                 if ($GroupObject.owners -and $GroupObject.owners.Count -gt 0) {
                     $OwnerEmails = $GroupObject.owners | ForEach-Object {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutopilotProfile.ps1

@@ -49,11 +49,8 @@ function Invoke-CIPPStandardAutopilotProfile {
         return $true
     } #we're done.
     try {
-        # Replace variables in displayname to prevent duplicates
-        $DisplayName = Get-CIPPTextReplacement -Text $Settings.DisplayName -TenantFilter $Tenant
-
         $CurrentConfig = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles' -tenantid $Tenant |
-            Where-Object { $_.displayName -eq $DisplayName } |
+            Where-Object { $_.displayName -eq $Settings.DisplayName } |
             Select-Object -Property displayName, description, deviceNameTemplate, locale, preprovisioningAllowed, hardwareHashExtractionEnabled, outOfBoxExperienceSetting
 
         if ($Settings.NotLocalAdmin -eq $true) { $userType = 'Standard' } else { $userType = 'Administrator' }
@@ -64,7 +61,7 @@ function Invoke-CIPPStandardAutopilotProfile {
             $DeploymentMode = 'singleUser'
         }
 
-        $StateIsCorrect = ($CurrentConfig.displayName -eq $DisplayName) -and
+        $StateIsCorrect = ($CurrentConfig.displayName -eq $Settings.DisplayName) -and
         ($CurrentConfig.description -eq $Settings.Description) -and
         ($CurrentConfig.deviceNameTemplate -eq $Settings.DeviceNameTemplate) -and
         ([string]::IsNullOrWhiteSpace($CurrentConfig.locale) -and [string]::IsNullOrWhiteSpace($Settings.Languages.value) -or $CurrentConfig.locale -eq $Settings.Languages.value) -and
@@ -84,12 +81,12 @@ function Invoke-CIPPStandardAutopilotProfile {
     # Remediate if the state is not correct
     if ($Settings.remediate -eq $true) {
         if ($StateIsCorrect -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Autopilot profile '$($DisplayName)' already exists" -sev Info
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Autopilot profile '$($Settings.DisplayName)' already exists" -sev Info
         } else {
             try {
                 $Parameters = @{
                     tenantFilter       = $Tenant
-                    displayName        = $DisplayName
+                    displayName        = $Settings.DisplayName
                     description        = $Settings.Description
                     userType           = $userType
                     DeploymentMode     = $DeploymentMode
@@ -106,9 +103,9 @@ function Invoke-CIPPStandardAutopilotProfile {
 
                 Set-CIPPDefaultAPDeploymentProfile @Parameters
                 if ($null -eq $CurrentConfig) {
-                    Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Autopilot profile '$($DisplayName)'" -sev Info
+                    Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Autopilot profile '$($Settings.DisplayName)'" -sev Info
                 } else {
-                    Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Autopilot profile '$($DisplayName)'" -sev Info
+                    Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Autopilot profile '$($Settings.DisplayName)'" -sev Info
                 }
             } catch {
                 $ErrorMessage = Get-CippException -Exception $_
@@ -128,10 +125,10 @@ function Invoke-CIPPStandardAutopilotProfile {
     # Alert
     if ($Settings.alert -eq $true) {
         if ($StateIsCorrect -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Autopilot profile '$($DisplayName)' exists" -sev Info
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Autopilot profile '$($Settings.DisplayName)' exists" -sev Info
         } else {
-            Write-StandardsAlert -message "Autopilot profile '$($DisplayName)' do not match expected configuration" -object $CurrentConfig -tenant $Tenant -standardName 'AutopilotProfile' -standardId $Settings.standardId
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Autopilot profile '$($DisplayName)' do not match expected configuration" -sev Info
+            Write-StandardsAlert -message "Autopilot profile '$($Settings.DisplayName)' do not match expected configuration" -object $CurrentConfig -tenant $Tenant -standardName 'AutopilotProfile' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Autopilot profile '$($Settings.DisplayName)' do not match expected configuration" -sev Info
         }
     }
 }

Modules/CippExtensions/Public/NinjaOne/Invoke-NinjaOneTenantSync.ps1

@@ -7,9 +7,21 @@ function Invoke-NinjaOneTenantSync {
         $StartQueueTime = Get-Date
         Write-Information "$(Get-Date) - Starting NinjaOne Sync"
 
-        # Stagger start
-        # Check Global Rate Limiting
-        $CurrentMap = Get-ExtensionRateLimit -ExtensionName 'NinjaOne' -ExtensionPartitionKey 'NinjaOneMapping' -RateLimit 5 -WaitTime 10
+        $MappingTable = Get-CIPPTable -TableName CippMapping
+        $CurrentMap = (Get-CIPPAzDataTableEntity @MappingTable -Filter "PartitionKey eq 'NinjaOneMapping'")
+        $CurrentMap | ForEach-Object {
+            if ($Null -ne $_.lastEndTime -and $_.lastEndTime -ne '') {
+                $_.lastEndTime = (Get-Date($_.lastEndTime))
+            } else {
+                $_ | Add-Member -NotePropertyName lastEndTime -NotePropertyValue $Null -Force
+            }
+
+            if ($Null -ne $_.lastStartTime -and $_.lastStartTime -ne '') {
+                $_.lastStartTime = (Get-Date($_.lastStartTime))
+            } else {
+                $_ | Add-Member -NotePropertyName lastStartTime -NotePropertyValue $Null -Force
+            }
+        }
 
         $StartTime = Get-Date