Merge pull request #769 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1

@@ -13,27 +13,26 @@ function Push-ExecJITAdminListAllTenants {
         # Get schema extensions
         $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
 
-        # Query users with JIT Admin enabled
-        $Query = @{
-            TenantFilter = $DomainName # Use $DomainName for the current tenant
-            Endpoint     = 'users'
-            Parameters   = @{
-                '$count'  = 'true'
-                '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
-                '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false" # Fetches both states to cache current status
-            }
-        }
-        $Users = Get-GraphRequestList @Query | Where-Object { $_.id }
+        # Query users with JIT Admin enabled using bulk request
+        $BulkRequests = [System.Collections.Generic.List[object]]::new()
+        $BulkRequests.Add(@{
+                id     = 'users'
+                method = 'GET'
+                url    = "users?`$count=true&`$select=id,accountEnabled,displayName,userPrincipalName,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false&`$top=999"
+            })
+
+        $BulkResults = New-GraphBulkRequest -tenantid $DomainName -Requests $BulkRequests
+        $Users = ($BulkResults | Where-Object { $_.id -eq 'users' }).body.value | Where-Object { $_.id }
 
         if ($Users) {
             # Get role memberships
-            $BulkRequests = $Users | ForEach-Object { @(
-                    @{
-                        id     = $_.id
+            $BulkRequests.Clear()
+            foreach ($User in $Users) {
+                $BulkRequests.Add(@{
+                        id     = $User.id
                         method = 'GET'
-                        url    = "users/$($_.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
-                    }
-                )
+                        url    = "users/$($User.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
+                    })
             }
             # Ensure $BulkRequests is not empty or null before making the bulk request
             if ($BulkRequests -and $BulkRequests.Count -gt 0) {

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1

@@ -47,7 +47,10 @@ function Push-ExecOnboardTenantQueue {
             @{ Name = 'SharePoint Administrator'; Id = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' },
             @{ Name = 'Authentication Policy Administrator'; Id = '0526716b-113d-4c15-b2c8-68e3c22b9f80' },
             @{ Name = 'Privileged Role Administrator'; Id = 'e8611ab8-c189-46e8-94e1-60213ab1f814' },
-            @{ Name = 'Privileged Authentication Administrator'; Id = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' }
+            @{ Name = 'Privileged Authentication Administrator'; Id = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' },
+            @{ Name = 'Billing Administrator'; Id = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'; Optional = $true },
+            @{ Name = 'Global Reader'; Id = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'; Optional = $true },
+            @{ Name = 'Domain Name Administrator'; Id = '8329153b-31d0-4727-b945-745eb3bc5f31'; Optional = $true }
         )
 
         if ($OnboardingSteps.Step1.Status -ne 'succeeded') {
@@ -99,14 +102,16 @@ function Push-ExecOnboardTenantQueue {
             }
             if (($MissingRoles | Measure-Object).Count -gt 0) {
                 $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Missing roles for relationship' })
-                if ($Item.IgnoreMissingRoles -ne $true) {
+                $RequiredMissingRoles = $ExpectedRoles | Where-Object { $_.Optional -ne $true -and $MissingRoles -contains $_.Name }
+                if ($Item.IgnoreMissingRoles -ne $true -and ($RequiredMissingRoles | Measure-Object).Count -gt 0) {
+                    $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Missing the following required roles: $($MissingRoles -join ', ')" })
                     $TenantOnboarding.Status = 'failed'
                     $OnboardingSteps.Step2.Status = 'failed'
                     $OnboardingSteps.Step2.Message = "Your GDAP relationship is missing the following roles: $($MissingRoles -join ', ')"
                 } else {
                     $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Ignoring missing roles' })
                     $OnboardingSteps.Step2.Status = 'succeeded'
-                    $OnboardingSteps.Step2.Message = 'Your GDAP relationship is missing some roles, but the onboarding will continue'
+                    $OnboardingSteps.Step2.Message = "Your GDAP relationship is missing some roles, but the onboarding will continue. Missing roles: $($MissingRoles -join ', ')"
                 }
             } else {
                 $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Required roles found' })
@@ -121,6 +126,7 @@ function Push-ExecOnboardTenantQueue {
         if ($OnboardingSteps.Step2.Status -eq 'succeeded') {
             $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Checking group mapping' })
             $AccessAssignments = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+            $AccessAssignments = $AccessAssignments | Where-Object { $_.status -notin @('deleted', 'deleting') }
             if ($AccessAssignments.id -and $Item.AutoMapRoles -ne $true) {
                 $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Groups mapped' })
                 $OnboardingSteps.Step3.Status = 'succeeded'
@@ -223,6 +229,7 @@ function Push-ExecOnboardTenantQueue {
 
             do {
                 $AccessAssignments = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+                $AccessAssignments = $AccessAssignments | Where-Object { $_.status -notin @('deleted', 'deleting') }
                 Start-Sleep -Seconds 15
             } while ($AccessAssignments.status -contains 'pending' -and (Get-Date) -lt $Start.AddMinutes(8))
 
@@ -231,19 +238,58 @@ function Push-ExecOnboardTenantQueue {
                 $OnboardingSteps.Step3.Status = 'succeeded'
 
                 $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Checking for missing groups for SAM user' })
-                $SamUserId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/me?`$select=id" -NoAuthCheck $true).id
-                $CurrentMemberships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/me/transitiveMemberOf?`$select=id,displayName" -NoAuthCheck $true
-                $ExpectedCippRoles = $Item.Roles | Where-Object { $_.roleDefinitionId -in $ExpectedRoles.roleDefinitionId }
+                $BulkRequests = @(
+                    @{
+                        id     = 'samUserId'
+                        method = 'GET'
+                        url    = "/me?`$select=id"
+                    },
+                    @{
+                        id     = 'currentMemberships'
+                        method = 'GET'
+                        url    = "/me/transitiveMemberOf?`$select=id,displayName"
+                    }
+                )
+                $BulkResults = New-GraphBulkRequest -Requests $BulkRequests -NoAuthCheck $true
+                $SamUserId = ($BulkResults | Where-Object { $_.id -eq 'samUserId' }).body.id
+                $CurrentMemberships = ($BulkResults | Where-Object { $_.id -eq 'currentMemberships' }).body.value
+                $ExpectedCippRoles = $Item.Roles | Where-Object { $_.roleDefinitionId -in $ExpectedRoles.Id }
+
+                # Build bulk requests for missing group memberships
+                $GroupMembershipRequests = [System.Collections.Generic.List[object]]::new()
+                $GroupMembershipLogs = [System.Collections.Generic.List[object]]::new()
+
                 foreach ($Role in $ExpectedCippRoles) {
                     if ($CurrentMemberships.id -notcontains $Role.GroupId) {
-                        $PostBody = @{
-                            '@odata.id' = 'https://graph.microsoft.com/v1.0/directoryObjects/{0}' -f $SamUserId
-                        } | ConvertTo-Json -Compress
-                        try {
-                            New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($Role.GroupId)/members/`$ref" -body $PostBody -AsApp $true -NoAuthCheck $true
-                            $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Added SAM user to $($Role.GroupName)" })
-                        } catch {
-                            $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Failed to add SAM user to $($Role.GroupName) - $($_.Exception.Message)" })
+                        $GroupMembershipRequests.Add(@{
+                                id      = "addSamUser-$($Role.GroupId)"
+                                method  = 'POST'
+                                url     = "groups/$($Role.GroupId)/members/`$ref"
+                                body    = @{
+                                    '@odata.id' = 'https://graph.microsoft.com/v1.0/directoryObjects/{0}' -f $SamUserId
+                                }
+                                headers = @{
+                                    'Content-Type' = 'application/json'
+                                }
+                            })
+                        $GroupMembershipLogs.Add(@{
+                                id        = "addSamUser-$($Role.GroupId)"
+                                GroupName = $Role.GroupName
+                            })
+                    }
+                }
+
+                # Execute bulk group membership additions if any are needed
+                if ($GroupMembershipRequests.Count -gt 0) {
+                    $GroupMembershipResults = New-GraphBulkRequest -Requests $GroupMembershipRequests -AsApp $true -NoAuthCheck $true
+
+                    foreach ($LogEntry in $GroupMembershipLogs) {
+                        $Result = $GroupMembershipResults | Where-Object { $_.id -eq $LogEntry.id }
+                        if ($Result.status -match '^2[0-9]+') {
+                            $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Added SAM user to $($LogEntry.GroupName)" })
+                        } else {
+                            $ErrorMessage = if ($Result.body.error.message) { $Result.body.error.message } else { 'Unknown error' }
+                            $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Failed to add SAM user to $($LogEntry.GroupName) - $ErrorMessage" })
                         }
                     }
                 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListJITAdmin.ps1

@@ -17,23 +17,23 @@
 
     if ($TenantFilter -ne 'AllTenants') {
         # Single tenant logic
-        $Query = @{
-            TenantFilter = $TenantFilter
-            Endpoint     = 'users'
-            Parameters   = @{
-                '$count'  = 'true'
-                '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
-                '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false"
-            }
-        }
-        $Users = Get-GraphRequestList @Query | Where-Object { $_.id }
-        $BulkRequests = $Users | ForEach-Object { @(
-                @{
-                    id     = $_.id
+        $BulkRequests = [System.Collections.Generic.List[object]]::new()
+        $BulkRequests.Add(@{
+                id     = 'users'
+                method = 'GET'
+                url    = "users?`$count=true&`$select=id,accountEnabled,displayName,userPrincipalName,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false&`$top=999"
+            })
+
+        $BulkResults = New-GraphBulkRequest -tenantid $TenantFilter -Requests $BulkRequests
+        $Users = ($BulkResults | Where-Object { $_.id -eq 'users' }).body.value | Where-Object { $_.id }
+
+        $BulkRequests.Clear()
+        foreach ($User in $Users) {
+            $BulkRequests.Add(@{
+                    id     = $User.id
                     method = 'GET'
-                    url    = "users/$($_.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
-                }
-            )
+                    url    = "users/$($User.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
+                })
         }
         $RoleResults = New-GraphBulkRequest -tenantid $TenantFilter -Requests @($BulkRequests)
         # Write-Information ($RoleResults | ConvertTo-Json -Depth 10 )
@@ -54,7 +54,7 @@
         }
 
         # Write-Information ($Results | ConvertTo-Json -Depth 10)
-        $Metadata = [PSCustomObject]@{Parameters = $Query.Parameters }
+        $Metadata = [PSCustomObject]@{Method = 'BulkRequest' }
     } else {
         # AllTenants logic
         $Results = [System.Collections.Generic.List[object]]::new()

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecAddGDAPRole.ps1

@@ -71,7 +71,10 @@ function Invoke-ExecAddGDAPRole {
                 @{ label = 'SharePoint Administrator'; value = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' },
                 @{ label = 'Authentication Policy Administrator'; value = '0526716b-113d-4c15-b2c8-68e3c22b9f80' },
                 @{ label = 'Privileged Role Administrator'; value = 'e8611ab8-c189-46e8-94e1-60213ab1f814' },
-                @{ label = 'Privileged Authentication Administrator'; value = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' }
+                @{ label = 'Privileged Authentication Administrator'; value = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' },
+                @{ label = 'Billing Administrator'; value = 'b0f54661-2d74-4c50-afa3-1ec803f12efe' },
+                @{ label = 'Global Reader'; value = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' },
+                @{ label = 'Domain Name Administrator'; value = '8329153b-31d0-4727-b945-745eb3bc5f31' }
             )
 
             $Groups = $Request.Body.gdapRoles ?? $CippDefaults

Modules/CIPPCore/Public/Set-CIPPDBCacheManagedDevices.ps1

@@ -18,7 +18,7 @@ function Set-CIPPDBCacheManagedDevices {
 
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching managed devices' -sev Debug
-        $ManagedDevices = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$top=999&$select=id,deviceName,operatingSystem,osVersion,complianceState,managedDeviceOwnerType,enrolledDateTime,lastSyncDateTime' -tenantid $TenantFilter
+        $ManagedDevices = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$top=999' -tenantid $TenantFilter
         if (!$ManagedDevices) { $ManagedDevices = @() }
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ManagedDevices' -Data $ManagedDevices
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ManagedDevices' -Data $ManagedDevices -Count

Modules/CIPPCore/Public/Set-CIPPDBCacheUsers.ps1

@@ -19,9 +19,75 @@ function Set-CIPPDBCacheUsers {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching users' -sev Debug
 
+        $SignInLogsCapable = Test-CIPPStandardLicense -StandardName 'UserSignInLogsCapable' -TenantFilter $TenantFilter -RequiredCapabilities @('AAD_PREMIUM', 'AAD_PREMIUM_P2') -SkipLog
+
+        # Base properties needed by tests, standards, reports, UI, and integrations (Hudu, NinjaOne)
+        $BaseSelect = @(
+            # Core identity
+            'id'
+            'displayName'
+            'userPrincipalName'
+            'givenName'
+            'surname'
+            'mailNickname'
+
+            # Account status
+            'accountEnabled'
+            'userType'
+            'isResourceAccount'
+            'createdDateTime'
+
+            # Security & policies
+            'passwordPolicies'
+            'perUserMfaState'
+
+            # Contact information
+            'mail'
+            'otherMails'
+            'mobilePhone'
+            'businessPhones'
+            'faxNumber'
+            'proxyAddresses'
+
+            # Location & organization
+            'jobTitle'
+            'department'
+            'companyName'
+            'officeLocation'
+            'city'
+            'state'
+            'country'
+            'postalCode'
+            'streetAddress'
+
+            # Settings
+            'preferredLanguage'
+            'usageLocation'
+            'preferredDataLocation'
+            'showInAddressList'
+
+            # Licenses
+            'assignedLicenses'
+            'assignedPlans'
+            'licenseAssignmentStates'
+
+            # On-premises sync
+            'onPremisesSyncEnabled'
+            'onPremisesImmutableId'
+            'onPremisesLastSyncDateTime'
+            'onPremisesDistinguishedName'
+        )
+
+        if ($SignInLogsCapable) {
+            $Select = ($BaseSelect + 'signInActivity') -join ','
+            $Top = 500
+        } else {
+            $Select = $BaseSelect -join ','
+            $Top = 999
+        }
+
         # Stream users directly from Graph API to batch processor
-        # Using $top=500 due to signInActivity limitation
-        New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?$top=500&$select=signInActivity' -tenantid $TenantFilter |
+        New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$top=$Top&`$select=$Select&`$count=true" -ComplexFilter -tenantid $TenantFilter |
             Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Users' -AddCount
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached users successfully' -sev Debug

Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1

@@ -17,7 +17,10 @@ function Test-CIPPAccessTenant {
         @{ Name = 'SharePoint Administrator'; Id = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' },
         @{ Name = 'Authentication Policy Administrator'; Id = '0526716b-113d-4c15-b2c8-68e3c22b9f80' },
         @{ Name = 'Privileged Role Administrator'; Id = 'e8611ab8-c189-46e8-94e1-60213ab1f814' },
-        @{ Name = 'Privileged Authentication Administrator'; Id = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' }
+        @{ Name = 'Privileged Authentication Administrator'; Id = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' },
+        @{ Name = 'Billing Administrator'; Id = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'; Optional = $true },
+        @{ Name = 'Global Reader'; Id = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'; Optional = $true },
+        @{ Name = 'Domain Name Administrator'; Id = '8329153b-31d0-4727-b945-745eb3bc5f31'; Optional = $true }
     )
 
     $TenantParams = @{
@@ -82,11 +85,11 @@ function Test-CIPPAccessTenant {
                 if (!$Role) {
                     $MissingRoles.Add(
                         [PSCustomObject]@{
-                            Name = $RoleId.Name
-                            Type = 'Tenant'
+                            Name     = $RoleId.Name
+                            Type     = 'Tenant'
+                            Optional = $RoleId.Optional
                         }
                     )
-                    $AddedText = 'but missing GDAP roles'
                 } else {
                     $GDAPRoles.Add([PSCustomObject]@{
                             Role  = $RoleId.Name
@@ -95,6 +98,13 @@ function Test-CIPPAccessTenant {
                 }
             }
 
+            $RequiredMissingRoles = $MissingRoles | Where-Object { $_.Optional -ne $true }
+            if (($RequiredMissingRoles | Measure-Object).Count -gt 0) {
+                $AddedText = 'but missing required GDAP roles'
+            } elseif (($MissingRoles | Measure-Object).Count -gt 0) {
+                $AddedText = 'but missing optional GDAP roles'
+            }
+
             $GraphTest = "Successfully connected to Graph $($AddedText)"
             $GraphStatus = $true
         } catch {