Merge pull request #765 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsList.ps1

@@ -180,6 +180,38 @@ function Push-CIPPStandardsList {
             }
         }
 
+        $CAStandardFound = ($ComputedStandards.Keys.Where({ $_ -like '*ConditionalAccessTemplate*' }, 'First').Count -gt 0)
+        if ($CAStandardFound) {
+            $TestResult = Test-CIPPStandardLicense -StandardName 'ConditionalAccessTemplate_general' -TenantFilter $TenantFilter -RequiredCapabilities @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
+            if (-not $TestResult) {
+                $CAKeys = @($ComputedStandards.Keys | Where-Object { $_ -like '*ConditionalAccessTemplate*' })
+                $BulkFields = [System.Collections.Generic.List[object]]::new()
+                foreach ($Key in $CAKeys) {
+                    $TemplateKey = ($Key -split '\|', 2)[1]
+                    if ($TemplateKey) {
+                        $BulkFields.Add([PSCustomObject]@{
+                                FieldName  = "standards.ConditionalAccessTemplate.$TemplateKey"
+                                FieldValue = 'This tenant does not have the required license for this standard.'
+                            })
+                    }
+                    [void]$ComputedStandards.Remove($Key)
+                }
+                if ($BulkFields.Count -gt 0) {
+                    Set-CIPPStandardsCompareField -TenantFilter $TenantFilter -BulkFields $BulkFields
+                }
+
+                Write-Information "Removed ConditionalAccessTemplate standards for $TenantFilter - missing required license"
+            } else {
+                # License valid - update CIPPDB cache with latest CA information before we run so that standards have the most up to date info
+                try {
+                    Write-Information "Updating CIPPDB cache for Conditional Access policies for $TenantFilter"
+                    Set-CIPPDBCacheConditionalAccessPolicies -TenantFilter $TenantFilter
+                } catch {
+                    Write-Warning "Failed to update CA cache for $TenantFilter : $($_.Exception.Message)"
+                }
+            }
+        }
+
         Write-Host "Returning $($ComputedStandards.Count) standards for tenant $TenantFilter after filtering."
         # Return filtered standards
         $FilteredStandards = $ComputedStandards.Values | ForEach-Object {

Modules/CIPPCore/Public/Functions/Remove-EmptyArrays.ps1

@@ -0,0 +1,50 @@
+function Remove-EmptyArrays {
+    <#
+    .SYNOPSIS
+        Recursively removes empty arrays and null properties from objects
+    .DESCRIPTION
+        This function recursively traverses an object (Array, Hashtable, or PSCustomObject) and removes:
+        - Empty arrays
+        - Null properties
+        The function modifies the object in place.
+    .PARAMETER Object
+        The object to process (can be Array, Hashtable, or PSCustomObject)
+    .FUNCTIONALITY
+        Internal
+    .EXAMPLE
+        $obj = @{ items = @(); name = "test"; value = $null }
+        Remove-EmptyArrays -Object $obj
+    .EXAMPLE
+        $obj = [PSCustomObject]@{ items = @(); name = "test" }
+        Remove-EmptyArrays -Object $obj
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [object]$Object
+    )
+
+    if ($Object -is [Array]) {
+        foreach ($Item in $Object) { 
+            Remove-EmptyArrays -Object $Item 
+        }
+    } elseif ($Object -is [HashTable]) {
+        foreach ($Key in @($Object.get_Keys())) {
+            if ($Object[$Key] -is [Array] -and $Object[$Key].get_Count() -eq 0) {
+                $Object.Remove($Key)
+            } else { 
+                Remove-EmptyArrays -Object $Object[$Key] 
+            }
+        }
+    } elseif ($Object -is [PSCustomObject]) {
+        foreach ($Name in @($Object.PSObject.Properties.Name)) {
+            if ($Object.$Name -is [Array] -and $Object.$Name.get_Count() -eq 0) {
+                $Object.PSObject.Properties.Remove($Name)
+            } elseif ($null -eq $Object.$Name) {
+                $Object.PSObject.Properties.Remove($Name)
+            } else { 
+                Remove-EmptyArrays -Object $Object.$Name 
+            }
+        }
+    }
+}

Modules/CIPPCore/Public/Functions/Test-IsGuid.ps1

@@ -0,0 +1,23 @@
+function Test-IsGuid {
+    <#
+    .SYNOPSIS
+        Tests if a string is a valid GUID
+    .DESCRIPTION
+        This function checks if a string can be parsed as a valid GUID using .NET's Guid.TryParse method.
+    .PARAMETER String
+        The string to test for GUID format
+    .FUNCTIONALITY
+        Internal
+    .EXAMPLE
+        Test-IsGuid -String "123e4567-e89b-12d3-a456-426614174000"
+    .EXAMPLE
+        Test-IsGuid -String "not-a-guid"
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$String
+    )
+
+    return [guid]::TryParse($String, [ref][guid]::Empty)
+}

Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1

@@ -160,6 +160,11 @@ function New-GraphGetRequest {
                             $WaitTime = [int]$RetryAfterHeader
                             Write-Warning "Rate limited (429). Waiting $WaitTime seconds before retry. Attempt $($RetryCount + 1) of $MaxRetries"
                             $ShouldRetry = $true
+                        } else {
+                            # If no Retry-After header, use exponential backoff with jitter
+                            $WaitTime = Get-Random -Minimum 1.1 -Maximum 4.1  # Random sleep between 1-4 seconds
+                            Write-Warning "Rate limited (429) with no Retry-After header. Waiting $WaitTime seconds before retry. Attempt $($RetryCount + 1) of $MaxRetries. Headers: $(($HttpResponseDetails.Headers | ConvertTo-Json -Compress))"
+                            $ShouldRetry = $true
                         }
                     }
                     # Check for "Resource temporarily unavailable"

Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1

@@ -11,39 +11,17 @@ function New-CIPPCAPolicy {
         $CreateGroups = $false,
         $APIName = 'Create CA Policy',
         $Headers,
-        $PreloadedCAPolicies = $null
+        $PreloadedCAPolicies = $null,
+        $PreloadedLocations = $null
     )
 
-    function Remove-EmptyArrays ($Object) {
-        if ($Object -is [Array]) {
-            foreach ($Item in $Object) { Remove-EmptyArrays $Item }
-        } elseif ($Object -is [HashTable]) {
-            foreach ($Key in @($Object.get_Keys())) {
-                if ($Object[$Key] -is [Array] -and $Object[$Key].get_Count() -eq 0) {
-                    $Object.Remove($Key)
-                } else { Remove-EmptyArrays $Object[$Key] }
-            }
-        } elseif ($Object -is [PSCustomObject]) {
-            foreach ($Name in @($Object.PSObject.Properties.Name)) {
-                if ($Object.$Name -is [Array] -and $Object.$Name.get_Count() -eq 0) {
-                    $Object.PSObject.Properties.Remove($Name)
-                } elseif ($null -eq $Object.$Name) {
-                    $Object.PSObject.Properties.Remove($Name)
-                } else { Remove-EmptyArrays $Object.$Name }
-            }
-        }
-    }
-    # Function to check if a string is a GUID
-    function Test-IsGuid($string) {
-        return [guid]::TryParse($string, [ref][guid]::Empty)
-    }
     # Helper function to replace group display names with GUIDs
     function Convert-GroupNameToId {
         param($TenantFilter, $groupNames, $CreateGroups, $GroupTemplates)
 
         $GroupIds = [System.Collections.Generic.List[string]]::new()
         $groupNames | ForEach-Object {
-            if (Test-IsGuid $_) {
+            if (Test-IsGuid -String $_) {
                 Write-LogMessage -Headers $Headers -API $APIName -message "Already GUID, no need to replace: $_" -Sev 'Debug'
                 $GroupIds.Add($_) # it's a GUID, so we keep it
             } else {
@@ -89,7 +67,7 @@ function New-CIPPCAPolicy {
 
         $UserIds = [System.Collections.Generic.List[string]]::new()
         $userNames | ForEach-Object {
-            if (Test-IsGuid $_) {
+            if (Test-IsGuid -String $_) {
                 Write-LogMessage -Headers $Headers -API $APIName -message "Already GUID, no need to replace: $_" -Sev 'Debug'
                 $UserIds.Add($_) # it's a GUID, so we keep it
             } else {
@@ -111,7 +89,7 @@ function New-CIPPCAPolicy {
     $displayName = ($RawJSON | ConvertFrom-Json).displayName
 
     $JSONobj = $RawJSON | ConvertFrom-Json | Select-Object * -ExcludeProperty ID, GUID, *time*
-    Remove-EmptyArrays $JSONobj
+    Remove-EmptyArrays -Object $JSONobj
     #Remove context as it does not belong in the payload.
     try {
         $JSONobj.grantControls.PSObject.Properties.Remove('authenticationStrength@odata.context')
@@ -148,13 +126,18 @@ function New-CIPPCAPolicy {
     # Get named locations once if needed
     $AllNamedLocations = $null
     if ($JSONobj.LocationInfo) {
-        try {
-            Write-Information 'Fetching all named locations...'
-            $AllNamedLocations = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations?$top=999' -tenantid $TenantFilter -asApp $true
-        } catch {
-            $ErrorMessage = Get-CippException -Exception $_
-            Write-Information "Error fetching named locations: $($ErrorMessage | ConvertTo-Json -Depth 10 -Compress)"
-            throw "Failed to fetch named locations: $($ErrorMessage.NormalizedError)"
+        if ($PreloadedLocations) {
+            Write-Information 'Using preloaded named locations'
+            $AllNamedLocations = $PreloadedLocations
+        } else {
+            try {
+                Write-Information 'Fetching all named locations...'
+                $AllNamedLocations = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations?$top=999' -tenantid $TenantFilter -asApp $true
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-Information "Error fetching named locations: $($ErrorMessage | ConvertTo-Json -Depth 10 -Compress)"
+                throw "Failed to fetch named locations: $($ErrorMessage.NormalizedError)"
+            }
         }
     }
 

Modules/CIPPCore/Public/New-CIPPCATemplate.ps1

@@ -18,11 +18,6 @@ function New-CIPPCATemplate {
     Write-Information "Processing CA Template for tenant $TenantFilter"
     Write-Information ($JSON | ConvertTo-Json -Depth 10)
 
-    # Function to check if a string is a GUID
-    function Test-IsGuid($string) {
-        return [guid]::tryparse($string, [ref][guid]::Empty)
-    }
-
     if ($preloadedUsers) {
         $users = $preloadedUsers
     } else {
@@ -94,15 +89,15 @@ function New-CIPPCATemplate {
     if ($isPSCustomObject -and $null -ne $JSON.conditions.users.includeGroups) {
         $JSON.conditions.users.includeGroups = @($JSON.conditions.users.includeGroups | ForEach-Object {
                 $originalID = $_
-                if ($_ -in 'All', 'None', 'GuestOrExternalUsers' -or -not (Test-IsGuid $_)) { return $_ }
+                if ($_ -in 'All', 'None', 'GuestOrExternalUsers' -or -not (Test-IsGuid -String $_)) { return $_ }
                 $match = $groups | Where-Object { $_.id -eq $originalID }
                 if ($match) { $match.displayName } else { $originalID }
             })
     }
     if ($isPSCustomObject -and $null -ne $JSON.conditions.users.excludeGroups) {
         $JSON.conditions.users.excludeGroups = @($JSON.conditions.users.excludeGroups | ForEach-Object {
                 $originalID = $_
-                if ($_ -in 'All', 'None', 'GuestOrExternalUsers' -or -not (Test-IsGuid $_)) { return $_ }
+                if ($_ -in 'All', 'None', 'GuestOrExternalUsers' -or -not (Test-IsGuid -String $_)) { return $_ }
                 $match = $groups | Where-Object { $_.id -eq $originalID }
                 if ($match) { $match.displayName } else { $originalID }
             })