[pull] dev from KelvinTegelaar:dev

Config/CIPPDBCacheTypes.json

@@ -363,5 +363,10 @@
     "type": "CopilotUserCountTrend",
     "friendlyName": "Copilot User Count Trend",
     "description": "Daily Copilot active user count trend (7-day period)"
+  },
+  {
+    "type": "ExoTransportConfig",
+    "friendlyName": "Exchange Transport Config",
+    "description": "Exchange Online transport configuration including SMTP authentication settings"
   }
 ]

Config/CIPPTimers.json

@@ -17,14 +17,6 @@
     "RunOnProcessor": true,
     "PreferredProcessor": "usertasks"
   },
-  {
-    "Id": "168decf3-7ddd-471e-ab46-8b40be0f18ae",
-    "Command": "Start-CIPPProcessorQueue",
-    "Description": "Timer to handle user initiated tasks",
-    "Cron": "0 */15 * * * *",
-    "Priority": 1,
-    "RunOnProcessor": true
-  },
   {
     "Id": "44a40668-ed71-403c-8c26-b32e320086ad",
     "Command": "Start-AuditLogOrchestrator",
@@ -273,5 +265,14 @@
     "Priority": 30,
     "RunOnProcessor": false,
     "IsSystem": true
+  },
+  {
+    "Id": "7e2a9b4c-1d5f-4a8e-b3c6-0f9d2e7a4b1c",
+    "Command": "Start-UserSyncTimer",
+    "Description": "Sync partner tenant users and group-based roles into allowedUsers table",
+    "Cron": "0 */15 * * * *",
+    "Priority": 11,
+    "RunOnProcessor": false,
+    "IsSystem": true
   }
 ]

Config/FeatureFlags.json

@@ -32,15 +32,16 @@
     "Endpoints": [
       "ExecCIPPUsers",
       "ListCIPPUsers",
-      "ExecSSOSetup",
       "ExecContainerManagement",
-      "ListContainerLogs"
+      "ListContainerLogs",
+      "ListWorkerHealth"
     ],
     "Pages": [
       "/cipp/advanced/super-admin/cipp-users",
       "/cipp/advanced/super-admin/sso",
       "/cipp/advanced/super-admin/container",
-      "/cipp/advanced/container-logs"
+      "/cipp/advanced/container-logs",
+      "/cipp/advanced/worker-health"
     ],
     "Hidden": true
   }

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Applications/Push-UploadApplication.ps1

@@ -11,15 +11,11 @@ function Push-UploadApplication {
         $Filter = "PartitionKey eq 'apps' and RowKey eq '$($Item.Name)'"
 
         $AppConfig = (Get-CIPPAzDataTableEntity @Table -filter $Filter).JSON | ConvertFrom-Json
-        $intuneBody = $AppConfig.IntuneBody
         $tenants = if ($AppConfig.tenant -eq 'AllTenants') {
             (Get-Tenants -IncludeErrors).defaultDomainName
         } else {
             $AppConfig.tenant
         }
-        $assignTo = $AppConfig.assignTo
-        $AssignToIntent = $AppConfig.InstallationIntent
-        $ExcludeGroup = $AppConfig.excludeGroup
         $ClearRow = Get-CIPPAzDataTableEntity @Table -Filter $Filter
         if ($AppConfig.tenant -ne 'AllTenants') {
             $null = Remove-AzDataTableEntity -Force @Table -Entity $clearRow
@@ -33,142 +29,9 @@ function Push-UploadApplication {
             }
         }
 
-        # Determine app type (default to 'Choco' if not specified)
-        $AppType = if ($AppConfig.type) { $AppConfig.type } else { 'Choco' }
-
-        # Load files based on app type (only for types that need them)
-        $Intunexml = $null
-        $Infile = $null
-        if ($AppType -eq 'MSPApp') {
-            [xml]$Intunexml = Get-Content (Join-Path $env:CIPPRootPath "AddMSPApp\$($AppConfig.MSPAppName).app.xml")
-            $Infile = Join-Path $env:CIPPRootPath "AddMSPApp\$($AppConfig.MSPAppName).intunewin"
-        } elseif ($AppType -in @('Choco', 'Win32ScriptApp')) {
-            [xml]$Intunexml = Get-Content (Join-Path $env:CIPPRootPath 'AddChocoApp\Choco.App.xml')
-            $Infile = Join-Path $env:CIPPRootPath "AddChocoApp\$($Intunexml.ApplicationInfo.FileName)"
-        }
-
-
-        $baseuri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
         foreach ($tenant in $tenants) {
             try {
-                # Check if app already exists
-                $ApplicationList = New-GraphGetRequest -Uri $baseuri -tenantid $tenant | Where-Object { $_.DisplayName -eq $AppConfig.Applicationname -and ($_.'@odata.type' -eq '#microsoft.graph.win32LobApp' -or $_.'@odata.type' -eq '#microsoft.graph.winGetApp') }
-                if ($ApplicationList.displayname.count -ge 1) {
-                    Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($AppConfig.Applicationname) exists. Skipping this application" -Sev 'Info'
-                    continue
-                }
-
-                # Route to appropriate handler based on app type
-                $NewApp = $null
-                switch ($AppType) {
-                    'WinGet' {
-                        $NewApp = Add-CIPPWinGetApp -AppBody $intuneBody -TenantFilter $tenant
-                    }
-                    'Choco' {
-                        # Prepare encryption info from XML
-                        $EncryptionInfo = @{
-                            EncryptionKey        = $Intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
-                            MacKey               = $Intunexml.ApplicationInfo.EncryptionInfo.MacKey
-                            InitializationVector = $Intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
-                            Mac                  = $Intunexml.ApplicationInfo.EncryptionInfo.Mac
-                            ProfileIdentifier    = $Intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
-                            FileDigest           = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigest
-                            FileDigestAlgorithm  = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
-                        }
-
-                        # Build parameters dynamically
-                        $Params = @{
-                            AppBody         = $intuneBody
-                            TenantFilter    = $tenant
-                            FilePath        = $Infile
-                            FileName        = $Intunexml.ApplicationInfo.FileName
-                            UnencryptedSize = [int64]$Intunexml.ApplicationInfo.UnencryptedContentSize
-                            EncryptionInfo  = $EncryptionInfo
-                        }
-                        if ($AppConfig.Applicationname) { $Params.DisplayName = $AppConfig.Applicationname }
-
-                        $NewApp = Add-CIPPPackagedApplication @Params
-                    }
-                    'MSPApp' {
-                        # Prepare encryption info from XML
-                        $EncryptionInfo = @{
-                            EncryptionKey        = $Intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
-                            MacKey               = $Intunexml.ApplicationInfo.EncryptionInfo.MacKey
-                            InitializationVector = $Intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
-                            Mac                  = $Intunexml.ApplicationInfo.EncryptionInfo.Mac
-                            ProfileIdentifier    = $Intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
-                            FileDigest           = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigest
-                            FileDigestAlgorithm  = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
-                        }
-
-                        # Build parameters dynamically
-                        $Params = @{
-                            AppBody         = $intuneBody
-                            TenantFilter    = $tenant
-                            FilePath        = $Infile
-                            FileName        = $Intunexml.ApplicationInfo.FileName
-                            UnencryptedSize = [int64]$Intunexml.ApplicationInfo.UnencryptedContentSize
-                            EncryptionInfo  = $EncryptionInfo
-                        }
-                        if ($AppConfig.Applicationname) { $Params.DisplayName = $AppConfig.Applicationname }
-
-                        $NewApp = Add-CIPPPackagedApplication @Params
-                    }
-                    'Win32ScriptApp' {
-                        # Prepare encryption info from XML
-                        $EncryptionInfo = @{
-                            EncryptionKey        = $Intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
-                            MacKey               = $Intunexml.ApplicationInfo.EncryptionInfo.MacKey
-                            InitializationVector = $Intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
-                            Mac                  = $Intunexml.ApplicationInfo.EncryptionInfo.Mac
-                            ProfileIdentifier    = $Intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
-                            FileDigest           = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigest
-                            FileDigestAlgorithm  = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
-                        }
-
-                        # Build properties dynamically
-                        $Properties = @{
-                            displayName   = $AppConfig.Applicationname
-                            installScript = $AppConfig.installScript
-                        }
-
-                        # A few of these are probably mandatory
-                        if ($AppConfig.description) { $Properties['description'] = $AppConfig.description }
-                        if ($AppConfig.publisher) { $Properties['publisher'] = $AppConfig.publisher }
-                        if ($AppConfig.uninstallScript) { $Properties['uninstallScript'] = $AppConfig.uninstallScript }
-                        if ($AppConfig.detectionScript) { $Properties['detectionScript'] = $AppConfig.detectionScript }
-                        if ($AppConfig.detectionPath) { $Properties['detectionPath'] = $AppConfig.detectionPath }
-                        if ($AppConfig.detectionFile) { $Properties['detectionFile'] = $AppConfig.detectionFile }
-                        if ($AppConfig.runAsAccount) { $Properties['runAsAccount'] = $AppConfig.runAsAccount }
-                        if ($AppConfig.deviceRestartBehavior) { $Properties['deviceRestartBehavior'] = $AppConfig.deviceRestartBehavior }
-                        if ($null -ne $AppConfig.runAs32Bit) { $Properties['runAs32Bit'] = $AppConfig.runAs32Bit }
-                        if ($null -ne $AppConfig.enforceSignatureCheck) { $Properties['enforceSignatureCheck'] = $AppConfig.enforceSignatureCheck }
-
-                        $NewApp = Add-CIPPW32ScriptApplication -TenantFilter $tenant -Properties ([PSCustomObject]$Properties)
-                    }
-                    'WinGetNew' {
-                        # I think we don't need a separate WinGetNew type, just use WinGet?
-                    }
-                    default {
-                        throw "Unsupported app type: $($AppConfig.type)"
-                    }
-                }
-
-                # Log success and assign app if requested
-                if ($NewApp) {
-                    Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($AppConfig.Applicationname) Successfully created" -Sev 'Info'
-
-                    if ($assignTo -and $assignTo -ne 'On') {
-                        $intent = if ($AssignToIntent) { 'Uninstall' } else { 'Required' }
-                        $AppTypeForAssignment = switch ($AppType) {
-                            'WinGet' { 'WinGet' }
-                            'WinGetNew' { 'WinGet' }
-                            default { 'Win32Lob' }
-                        }
-                        Start-Sleep -Milliseconds 200
-                        Set-CIPPAssignedApplication -ApplicationId $NewApp.Id -TenantFilter $tenant -groupName $assignTo -ExcludeGroup $ExcludeGroup -Intent $intent -AppType $AppTypeForAssignment -APIName 'AppUpload'
-                    }
-                }
+                $NewApp = New-CIPPIntuneAppDeployment -AppConfig $AppConfig -TenantFilter $tenant -APIName 'AppUpload'
             } catch {
                 "Failed to add Application for $tenant : $($_.Exception.Message)"
                 Write-LogMessage -api 'AppUpload' -tenant $tenant -message "Failed adding Application $($AppConfig.Applicationname). Error: $($_.Exception.Message)" -LogData (Get-CippException -Exception $_) -Sev 'Error'

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/BPA/Push-BPACollectData.ps1

@@ -5,7 +5,7 @@ function Push-BPACollectData {
     #>
     param($Item)
 
-    $TenantName = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Item.Tenant
+    $TenantName = Get-Tenants -TenantFilter $Item.Tenant
     $BPATemplateTable = Get-CippTable -tablename 'templates'
     $Filter = "PartitionKey eq 'BPATemplate'"
     $TemplatesLoc = (Get-CIPPAzDataTableEntity @BPATemplateTable -Filter $Filter).JSON | ConvertFrom-Json

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/CIPPDBCache/Push-ExecCIPPDBCache.ps1

@@ -44,8 +44,6 @@ function Push-ExecCIPPDBCache {
 
         # Build the full function name
         $FullFunctionName = "Set-CIPPDBCache$Name"
-
-        # Check if function exists
         $Function = Get-Command -Name $FullFunctionName -ErrorAction SilentlyContinue
         if (-not $Function) {
             throw "Function $FullFunctionName does not exist"

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1

@@ -99,8 +99,8 @@ function Push-DomainAnalyserTenant {
                             }
 
                             if ($OldDomain) {
-                                $DomainObject.DkimSelectors = $OldDomain.DkimSelectors
-                                $DomainObject.MailProviders = $OldDomain.MailProviders
+                                $Domain.DkimSelectors = $OldDomain.DkimSelectors
+                                $Domain.MailProviders = $OldDomain.MailProviders
                             }
                         } else {
                             $Domain.TenantDetails = $TenantDetails

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-GetTenantDomains.ps1

@@ -2,6 +2,6 @@ function Push-GetTenantDomains {
     Param($Item)
     $DomainTable = Get-CippTable -tablename 'Domains'
     $Filter = "PartitionKey eq 'TenantDomains' and TenantGUID eq '{0}'" -f $Item.TenantGUID
-    $Domains = Get-CIPPAzDataTableEntity @DomainTable -Filter $Filter -Property PartitionKey, RowKey | Select-Object RowKey, @{n = 'FunctionName'; exp = { 'DomainAnalyserDomain' } }
+    $Domains = Get-CIPPAzDataTableEntity @DomainTable -Filter $Filter -Property PartitionKey, RowKey, TenantId | Select-Object RowKey, @{n = 'FunctionName'; exp = { 'DomainAnalyserDomain' } }, @{n = 'TenantFilter'; exp = { $_.TenantId } }
     return @($Domains)
 }

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheApplyBatch.ps1

@@ -35,8 +35,9 @@ function Push-CIPPDBCacheApplyBatch {
         Write-Information "Aggregated $($AllTasks.Count) cache tasks from all tenants"
 
         # Start a single flat orchestrator to execute all cache tasks
+        $TenantSuffix = if ($Item.Parameters.TenantFilter) { "_$($Item.Parameters.TenantFilter)" } else { '' }
         $InputObject = [PSCustomObject]@{
-            OrchestratorName = 'CIPPDBCacheExecute'
+            OrchestratorName = "CIPPDBCacheExecute$TenantSuffix"
             Batch            = @($AllTasks)
             SkipLog          = $true
         }

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1

@@ -161,10 +161,10 @@ function Push-ExecScheduledCommand {
         }
     }
 
-    if ($Item.Command -in (Get-CIPPSchedulerBlockedCommands)) {
-        $Results = "Task blocked: '$($Item.Command)' is not permitted to run as a scheduled task."
+    $Command = Get-Command -Name $Item.Command -ErrorAction SilentlyContinue
+    if ($null -eq $Command) {
+        $Results = "Task Failed: The command $($Item.Command) does not exist."
         $State = 'Failed'
-        Write-LogMessage -API 'Scheduler_UserTasks' -tenant $Tenant -tenantid $TenantInfo.customerId -message "Blocked execution of restricted command '$($Item.Command)' in task $($task.Name)" -sev Warning
         if (!$IsMultiTenantExecution) {
             Update-AzDataTableEntity -Force @Table -Entity @{
                 PartitionKey = $task.PartitionKey
@@ -173,14 +173,16 @@ function Push-ExecScheduledCommand {
                 TaskState    = $State
             }
         }
+
+        Write-LogMessage -API 'Scheduler_UserTasks' -tenant $Tenant -tenantid $TenantInfo.customerId -message "Failed to execute task $($task.Name): The command $($Item.Command) does not exist." -sev Error
         Remove-Variable -Name ScheduledTaskId -Scope Script -ErrorAction SilentlyContinue
         return
     }
 
-    $Function = Get-Command -Name $Item.Command
-    if ($null -eq $Function) {
-        $Results = "Task Failed: The command $($Item.Command) does not exist."
+    if ($Command.Module -notin @('CIPPCore', 'CIPPAlerts', 'CIPPStandards', 'CIPPTests', 'CIPPDB')) {
         $State = 'Failed'
+        Write-LogMessage -headers $Headers -API 'ScheduledTask' -message "Blocked attempt to schedule command from unauthorized module: $($Command.ModuleName)\$($Item.Command)" -Sev 'Warning'
+        $Results = "Task blocked: The command '$($Item.Command)' is not permitted to run as a scheduled task."
         if (!$IsMultiTenantExecution) {
             Update-AzDataTableEntity -Force @Table -Entity @{
                 PartitionKey = $task.PartitionKey
@@ -189,11 +191,26 @@ function Push-ExecScheduledCommand {
                 TaskState    = $State
             }
         }
-
-        Write-LogMessage -API 'Scheduler_UserTasks' -tenant $Tenant -tenantid $TenantInfo.customerId -message "Failed to execute task $($task.Name): The command $($Item.Command) does not exist." -sev Error
         Remove-Variable -Name ScheduledTaskId -Scope Script -ErrorAction SilentlyContinue
         return
     }
+    if ($Item.Command -in (Get-CIPPSchedulerBlockedCommands)) {
+        $Results = "Task blocked: '$($Item.Command)' is not permitted to run as a scheduled task."
+        $State = 'Failed'
+        Write-LogMessage -API 'Scheduler_UserTasks' -tenant $Tenant -tenantid $TenantInfo.customerId -message "Blocked execution of restricted command '$($Item.Command)' in task $($task.Name)" -sev Warning
+        if (!$IsMultiTenantExecution) {
+            Update-AzDataTableEntity -Force @Table -Entity @{
+                PartitionKey = $task.PartitionKey
+                RowKey       = $task.RowKey
+                Results      = "$Results"
+                TaskState    = $State
+            }
+        }
+        Remove-Variable -Name ScheduledTaskId -Scope Script -ErrorAction SilentlyContinue
+        return
+    }
+
+    $Function = $Command
 
     try {
         $PossibleParams = $Function.Parameters.Keys