Merge pull request #770 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1

@@ -3,14 +3,69 @@ function Clear-CIPPImmutableId {
     param (
         $TenantFilter,
         $UserID,
+        $Username, # Optional - used for better logging and scheduling messages
+        $User, # Optional - if provided, will check sync status and schedule if needed
         $Headers,
         $APIName = 'Clear Immutable ID'
     )
 
     try {
+        # If User object is provided, check if we need to schedule instead of clearing immediately
+        if ($User) {
+            # User has ImmutableID but is not synced from on-premises - safe to clear immediately
+            if ($User.onPremisesSyncEnabled -ne $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) {
+                $DisplayName = $Username ?? $UserID
+                Write-LogMessage -Message "User $DisplayName has an ImmutableID set but is not synced from on-premises. Proceeding to clear the ImmutableID." -TenantFilter $TenantFilter -Severity 'Warning' -APIName $APIName -headers $Headers
+                # Continue to clear below
+            }
+            # User is synced from on-premises - must schedule for after deletion
+            elseif ($User.onPremisesSyncEnabled -eq $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) {
+                $DisplayName = $Username ?? $UserID
+                Write-LogMessage -Message "User $DisplayName is synced from on-premises. Scheduling an Immutable ID clear for when the user account has been soft deleted." -TenantFilter $TenantFilter -Severity 'Warning' -APIName $APIName -headers $Headers
+
+                $ScheduledTask = @{
+                    TenantFilter  = $TenantFilter
+                    Name          = "Clear Immutable ID: $DisplayName"
+                    Command       = @{ value = 'Clear-CIPPImmutableID' }
+                    Parameters    = [pscustomobject]@{
+                        UserID       = $UserID
+                        TenantFilter = $TenantFilter
+                        APIName      = $APIName
+                    }
+                    Trigger       = @{
+                        Type               = 'DeltaQuery'
+                        DeltaResource      = 'users'
+                        ResourceFilter     = @($UserID)
+                        EventType          = 'deleted'
+                        UseConditions      = $false
+                        ExecutePerResource = $true
+                        ExecutionMode      = 'once'
+                    }
+                    ScheduledTime = [int64](([datetime]::UtcNow).AddMinutes(5) - (Get-Date '1/1/1970')).TotalSeconds
+                    Recurrence    = '15m'
+                    PostExecution = @{
+                        Webhook = $false
+                        Email   = $false
+                        PSA     = $false
+                    }
+                }
+                Add-CIPPScheduledTask -Task $ScheduledTask -hidden $false -DisallowDuplicateName $true
+                return 'Scheduled Immutable ID clear task for when the user account is no longer synced in the on-premises directory.'
+            }
+            # User has no ImmutableID or is already clear
+            else {
+                $DisplayName = $Username ?? $UserID
+                $Result = "User $DisplayName does not have an ImmutableID set or it is already cleared."
+                Write-LogMessage -headers $Headers -API $APIName -message $Result -sev Info -tenant $TenantFilter
+                return $Result
+            }
+        }
+
+        # Perform the actual clear operation
         try {
-            $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -ErrorAction SilentlyContinue
+            $UserObj = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -ErrorAction SilentlyContinue
         } catch {
+            # User might be deleted, try to restore it
             $DeletedUser = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directory/deletedItems/$UserID" -tenantid $TenantFilter
             if ($DeletedUser.id) {
                 # Restore deleted user object
@@ -22,12 +77,14 @@ function Clear-CIPPImmutableId {
         $Body = [pscustomobject]@{ onPremisesImmutableId = $null }
         $Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress
         $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body
-        $Result = "Successfully cleared immutable ID for user $UserID"
+        $DisplayName = $Username ?? $UserID
+        $Result = "Successfully cleared immutable ID for user $DisplayName"
         Write-LogMessage -headers $Headers -API $APIName -message $Result -sev Info -tenant $TenantFilter
         return $Result
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        $Result = "Failed to clear immutable ID for $($UserID). Error: $($ErrorMessage.NormalizedError)"
+        $DisplayName = $Username ?? $UserID
+        $Result = "Failed to clear immutable ID for $DisplayName. Error: $($ErrorMessage.NormalizedError)"
         Write-LogMessage -headers $Headers -API $APIName -message $Result -sev Error -tenant $TenantFilter -LogData $ErrorMessage
         throw $Result
     }

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingComplete.ps1

@@ -0,0 +1,120 @@
+function Push-CIPPOffboardingComplete {
+    <#
+    .SYNOPSIS
+        Post-execution handler for offboarding orchestration completion
+
+    .DESCRIPTION
+        Updates the scheduled task state when offboarding completes
+
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Item)
+
+    $TaskInfo = $Item.Parameters.TaskInfo
+    $TenantFilter = $Item.Parameters.TenantFilter
+    $Username = $Item.Parameters.Username
+    $Results = $Item.Results  # Results come from orchestrator, not Parameters
+
+    try {
+        Write-Information "Completing offboarding orchestration for $Username in tenant $TenantFilter"
+        Write-Information "Raw results from orchestrator: $($Results | ConvertTo-Json -Depth 10)"
+
+        # Flatten nested arrays from orchestrator results
+        # Activity functions may return arrays like [result, "status message"]
+        $FlattenedResults = @(
+            foreach ($BatchResult in $Results) {
+                if ($BatchResult -is [array] -and $BatchResult.Count -gt 0) {
+                    Write-Information "Result is array with $($BatchResult.Count) elements, extracting elements"
+                    # Output all elements from the array
+                    foreach ($element in $BatchResult) {
+                        if ($null -ne $element -and $element -ne '') {
+                            $element
+                        }
+                    }
+                } elseif ($null -ne $BatchResult -and $BatchResult -ne '') {
+                    # Single item - output it
+                    $BatchResult
+                }
+            }
+        )
+
+        # Process results in the same way as Push-ExecScheduledCommand
+        if ($FlattenedResults.Count -eq 0) {
+            $ProcessedResults = "Offboarding completed successfully for $Username"
+        } else {
+            Write-Information "Processing $($FlattenedResults.Count) flattened results: $($FlattenedResults | ConvertTo-Json -Depth 10)"
+
+            # Normalize results format
+            if ($FlattenedResults -is [string]) {
+                $ProcessedResults = @{ Results = $FlattenedResults }
+            } elseif ($FlattenedResults -is [array]) {
+                # Filter and process string or resultText items
+                $StringResults = $FlattenedResults | Where-Object { $_ -is [string] -or $_.resultText -is [string] }
+                if ($StringResults) {
+                    $ProcessedResults = $StringResults | ForEach-Object {
+                        $Message = if ($_ -is [string]) { $_ } else { $_.resultText }
+                        @{ Results = $Message }
+                    }
+                } else {
+                    # Keep structured results as-is
+                    $ProcessedResults = $FlattenedResults
+                }
+            } else {
+                $ProcessedResults = $FlattenedResults
+            }
+        }
+
+        Write-Information "Results after processing: $($ProcessedResults | ConvertTo-Json -Depth 10)"
+
+        # Prepare results for storage
+        if ($ProcessedResults -is [string]) {
+            $StoredResults = $ProcessedResults
+        } else {
+            $ProcessedResults = $ProcessedResults | Select-Object * -ExcludeProperty RowKey, PartitionKey
+            $StoredResults = $ProcessedResults | ConvertTo-Json -Compress -Depth 20 | Out-String
+        }
+
+        if ($TaskInfo) {
+            # Update scheduled task to completed state
+            $Table = Get-CippTable -tablename 'ScheduledTasks'
+            $currentUnixTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+
+            # Check if results are too large and need separate storage
+            if ($StoredResults.Length -gt 64000) {
+                Write-Information 'Results exceed 64KB limit. Storing in ScheduledTaskResults table.'
+                $TaskResultsTable = Get-CippTable -tablename 'ScheduledTaskResults'
+                $TaskResults = @{
+                    PartitionKey = $TaskInfo.RowKey
+                    RowKey       = $TenantFilter
+                    Results      = [string](ConvertTo-Json -Compress -Depth 20 $ProcessedResults)
+                }
+                $null = Add-CIPPAzDataTableEntity @TaskResultsTable -Entity $TaskResults -Force
+                $StoredResults = @{ Results = 'Offboarding completed, details are available in the More Info pane' } | ConvertTo-Json -Compress
+            }
+
+            $null = Update-AzDataTableEntity -Force @Table -Entity @{
+                PartitionKey = $TaskInfo.PartitionKey
+                RowKey       = $TaskInfo.RowKey
+                Results      = "$StoredResults"
+                ExecutedTime = "$currentUnixTime"
+                TaskState    = 'Completed'
+            }
+
+            Write-LogMessage -API 'Offboarding' -tenant $TenantFilter -message "Offboarding completed successfully for $Username" -sev Info
+
+            # Send post-execution alerts if configured
+            if ($TaskInfo.PostExecution -and $ProcessedResults) {
+                Send-CIPPScheduledTaskAlert -Results $ProcessedResults -TaskInfo $TaskInfo -TenantFilter $TenantFilter
+            }
+        }
+
+        return "Offboarding completed for $Username"
+
+    } catch {
+        $ErrorMsg = "Failed to complete offboarding for $Username : $($_.Exception.Message)"
+        Write-LogMessage -API 'Offboarding' -tenant $TenantFilter -message $ErrorMsg -sev Error
+        throw $ErrorMsg
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingTask.ps1

@@ -0,0 +1,38 @@
+function Push-CIPPOffboardingTask {
+    <#
+    .SYNOPSIS
+        Generic wrapper to execute individual offboarding task cmdlets
+
+    .DESCRIPTION
+        Executes the specified cmdlet with the provided parameters as part of user offboarding
+
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Item)
+
+    $Cmdlet = $Item.Cmdlet
+    $Parameters = $Item.Parameters | ConvertTo-Json -Depth 5 | ConvertFrom-Json -AsHashtable
+
+    try {
+        Write-Information "Executing offboarding cmdlet: $Cmdlet"
+
+        # Check if cmdlet exists
+        $CmdletInfo = Get-Command -Name $Cmdlet -ErrorAction SilentlyContinue
+        if (-not $CmdletInfo) {
+            throw "Cmdlet $Cmdlet does not exist"
+        }
+
+        # Execute the cmdlet with splatting
+        $Result = & $Cmdlet @Parameters
+
+        Write-Information "Completed $Cmdlet successfully"
+        return $Result
+
+    } catch {
+        $ErrorMsg = "Failed to execute $Cmdlet : $($_.Exception.Message)"
+        Write-Information $ErrorMsg
+        return $ErrorMsg
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1

@@ -7,6 +7,9 @@ function Push-ExecScheduledCommand {
     $item = $Item | ConvertTo-Json -Depth 100 | ConvertFrom-Json
     Write-Information "We are going to be running a scheduled task: $($Item.TaskInfo | ConvertTo-Json -Depth 10)"
 
+    # Define orchestrator-based commands that handle their own post-execution and state updates
+    $OrchestratorBasedCommands = @('Invoke-CIPPOffboardingJob')
+
     # Initialize AsyncLocal storage for thread-safe per-invocation context
     if (-not $script:CippScheduledTaskIdStorage) {
         $script:CippScheduledTaskIdStorage = [System.Threading.AsyncLocal[string]]::new()
@@ -225,6 +228,12 @@ function Push-ExecScheduledCommand {
     try {
         if (-not $Trigger.ExecutePerResource) {
             try {
+                # For orchestrator-based commands, add TaskInfo to enable post-execution updates
+                if ($Item.Command -eq 'Invoke-CIPPOffboardingJob') {
+                    Write-Information 'Adding TaskInfo to command parameters for orchestrator-based offboarding'
+                    $commandParameters['TaskInfo'] = $task
+                }
+
                 Write-Information "Starting task: $($Item.Command) for tenant: $Tenant with parameters: $($commandParameters | ConvertTo-Json)"
                 $results = & $Item.Command @commandParameters
             } catch {
@@ -310,43 +319,24 @@ function Push-ExecScheduledCommand {
     }
     Write-Information 'Sending task results to target. Updating the task state.'
 
-    if ($Results) {
-        $TableDesign = '<style>table.adaptiveTable{border:1px solid currentColor;background-color:transparent;width:100%;text-align:left;border-collapse:collapse;opacity:0.9}table.adaptiveTable td,table.adaptiveTable th{border:1px solid currentColor;padding:8px 6px;opacity:0.8}table.adaptiveTable tbody td{font-size:13px}table.adaptiveTable tr:nth-child(even){background-color:rgba(128,128,128,0.1)}table.adaptiveTable thead{background-color:rgba(128,128,128,0.2);border-bottom:2px solid currentColor}table.adaptiveTable thead th{font-size:15px;font-weight:700;border-left:1px solid currentColor}table.adaptiveTable thead th:first-child{border-left:none}table.adaptiveTable tfoot{font-size:14px;font-weight:700;background-color:rgba(128,128,128,0.1);border-top:2px solid currentColor}table.adaptiveTable tfoot td{font-size:14px}@media (prefers-color-scheme: dark){table.adaptiveTable{opacity:0.95}table.adaptiveTable tr:nth-child(even){background-color:rgba(255,255,255,0.05)}table.adaptiveTable thead{background-color:rgba(255,255,255,0.1)}table.adaptiveTable tfoot{background-color:rgba(255,255,255,0.05)}}</style>'
-        $FinalResults = if ($results -is [array] -and $results[0] -is [string]) { $Results | ConvertTo-Html -Fragment -Property @{ l = 'Text'; e = { $_ } } } else { $Results | ConvertTo-Html -Fragment }
-        $HTML = $FinalResults -replace '<table>', "This alert is for tenant $Tenant. <br /><br /> $TableDesign<table class=adaptiveTable>" | Out-String
-
-        # Add alert comment if available
-        if ($task.AlertComment) {
-            if ($task.AlertComment -match '%resultcount%') {
-                $resultCount = if ($Results -is [array]) { $Results.Count } else { 1 }
-                $task.AlertComment = $task.AlertComment -replace '%resultcount%', "$resultCount"
-            }
-            $task.AlertComment = Get-CIPPTextReplacement -Text $task.AlertComment -TenantFilter $Tenant
-            $HTML += "<div style='background-color: transparent; border-left: 4px solid #007bff; padding: 15px; margin: 15px 0;'><h4 style='margin-top: 0; color: #007bff;'>Alert Information</h4><p style='margin-bottom: 0;'>$($task.AlertComment)</p></div>"
-        }
-
-        $title = "$TaskType - $Tenant - $($task.Name)$(if ($task.Reference) { " - Reference: $($task.Reference)" })"
-        Write-Information 'Scheduler: Sending the results to the target.'
-        Write-Information "The content of results is: $Results"
-        switch -wildcard ($task.PostExecution) {
-            '*psa*' { Send-CIPPAlert -Type 'psa' -Title $title -HTMLContent $HTML -TenantFilter $Tenant }
-            '*email*' { Send-CIPPAlert -Type 'email' -Title $title -HTMLContent $HTML -TenantFilter $Tenant }
-            '*webhook*' {
-                $Webhook = [PSCustomObject]@{
-                    'tenantId'     = $TenantInfo.customerId
-                    'Tenant'       = $Tenant
-                    'TaskInfo'     = $Item.TaskInfo
-                    'Results'      = $Results
-                    'AlertComment' = $task.AlertComment
-                }
-                Send-CIPPAlert -Type 'webhook' -Title $title -TenantFilter $Tenant -JSONContent $($Webhook | ConvertTo-Json -Depth 20)
-            }
-        }
+    # For orchestrator-based commands, skip post-execution alerts as they will be handled by the orchestrator's post-execution function
+    if ($Results -and $Item.Command -notin $OrchestratorBasedCommands) {
+        Send-CIPPScheduledTaskAlert -Results $Results -TaskInfo $task -TenantFilter $Tenant -TaskType $TaskType
     }
     Write-Information 'Sent the results to the target. Updating the task state.'
 
     try {
-        if ($task.Recurrence -eq '0' -or [string]::IsNullOrEmpty($task.Recurrence) -or $Trigger.ExecutionMode.value -eq 'once' -or $Trigger.ExecutionMode -eq 'once') {
+        # For orchestrator-based commands, skip task state update as it will be handled by post-execution
+        if ($Item.Command -in $OrchestratorBasedCommands) {
+            Write-Information "Command $($Item.Command) is orchestrator-based. Skipping task state update - will be handled by post-execution."
+            # Update task state to 'Running' to indicate orchestration is in progress
+            Update-AzDataTableEntity -Force @Table -Entity @{
+                PartitionKey = $task.PartitionKey
+                RowKey       = $task.RowKey
+                Results      = 'Orchestration in progress'
+                TaskState    = 'Processing'
+            }
+        } elseif ($task.Recurrence -eq '0' -or [string]::IsNullOrEmpty($task.Recurrence) -or $Trigger.ExecutionMode.value -eq 'once' -or $Trigger.ExecutionMode -eq 'once') {
             Write-Information 'Recurrence empty or 0. Task is not recurring. Setting task state to completed.'
             Update-AzDataTableEntity -Force @Table -Entity @{
                 PartitionKey = $task.PartitionKey

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Applications/Invoke-AddChocoApp.ps1

@@ -1,7 +1,7 @@
-Function Invoke-AddChocoApp {
+function Invoke-AddChocoApp {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         Endpoint.Application.ReadWrite
     #>
@@ -30,7 +30,9 @@ Function Invoke-AddChocoApp {
     $intuneBody.detectionRules[0].path = "$($ENV:SystemDrive)\programdata\chocolatey\lib"
     $intuneBody.detectionRules[0].fileOrFolderName = "$($ChocoApp.PackageName)"
 
-    $Tenants = $Request.Body.selectedTenants.defaultDomainName
+    $AllowedTenants = Test-CIPPAccess -Request $Request -TenantList
+    $Tenants = ($Request.Body.selectedTenants | Where-Object { $AllowedTenants -contains $_.customerId -or $AllowedTenants -contains 'AllTenants' }).defaultDomainName
+
     $Results = foreach ($Tenant in $Tenants) {
         try {
             # Apply CIPP text replacement for tenant-specific variables

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Applications/Invoke-AddMSPApp.ps1

@@ -1,7 +1,7 @@
 function Invoke-AddMSPApp {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         Endpoint.Application.ReadWrite
     #>
@@ -17,7 +17,8 @@ function Invoke-AddMSPApp {
     $intuneBody = Get-Content "AddMSPApp\$($RMMApp.RMMName.value).app.json" | ConvertFrom-Json
     $intuneBody.displayName = $RMMApp.DisplayName
 
-    $Tenants = $Request.Body.selectedTenants
+    $AllowedTenants = Test-CIPPAccess -Request $Request -TenantList
+    $Tenants = $Request.Body.selectedTenants | Where-Object { $AllowedTenants -contains $_.customerId -or $AllowedTenants -contains 'AllTenants' }
     $Results = foreach ($Tenant in $Tenants) {
         $InstallParams = [PSCustomObject]$RMMApp.params
         switch ($RMMApp.RMMName.value) {