Merge pull request #754 from KelvinTegelaar/dev

pull[bot] · web-flow · commit f5d188fc3c6b · 2026-02-13T00:41:08.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1
@@ -0,0 +1,89 @@
+function Get-CIPPAlertInactiveGuestUsers {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        [Parameter(Mandatory = $false)]
+        [switch]$IncludeNeverSignedIn, # Include users who have never signed in (default is to skip them), future use would allow this to be set in an alert configuration
+        $TenantFilter
+    )
+
+    try {
+        try {
+            $inactiveDays = 90
+            $excludeDisabled = $false
+
+            $excludeDisabled = [bool]$InputValue.ExcludeDisabled
+            if ($null -ne $InputValue.DaysSinceLastLogin -and $InputValue.DaysSinceLastLogin -ne '') {
+                $parsedDays = 0
+                if ([int]::TryParse($InputValue.DaysSinceLastLogin.ToString(), [ref]$parsedDays) -and $parsedDays -gt 0) {
+                    $inactiveDays = $parsedDays
+                }
+            }
+
+
+
+            $Lookup = (Get-Date).AddDays(-$inactiveDays).ToUniversalTime()
+            Write-Host "Checking for guest users inactive since $Lookup (excluding disabled: $excludeDisabled)"
+            # Build base filter - cannot filter assignedLicenses server-side
+            $BaseFilter = if ($excludeDisabled) { 'accountEnabled eq true' } else { '' }
+
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/users?`$filter=$BaseFilter&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            } else {
+                "https://graph.microsoft.com/beta/users?`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri-tenantid $TenantFilter | Where-Object { $_.userType -eq 'Guest' }
+
+            $AlertData = foreach ($user in $GraphRequest) {
+                $lastInteractive = $user.signInActivity.lastSignInDateTime
+                $lastNonInteractive = $user.signInActivity.lastNonInteractiveSignInDateTime
+
+                # Find most recent sign-in
+                $lastSignIn = $null
+                if ($lastInteractive -and $lastNonInteractive) {
+                    $lastSignIn = if ([DateTime]$lastInteractive -gt [DateTime]$lastNonInteractive) { $lastInteractive } else { $lastNonInteractive }
+                } elseif ($lastInteractive) {
+                    $lastSignIn = $lastInteractive
+                } elseif ($lastNonInteractive) {
+                    $lastSignIn = $lastNonInteractive
+                }
+
+                # Check if inactive
+                $isInactive = (-not $lastSignIn) -or ([DateTime]$lastSignIn -le $Lookup)
+                # Skip users who have never signed in by default (unless IncludeNeverSignedIn is specified)
+                if (-not $IncludeNeverSignedIn -and -not $lastSignIn) { continue }
+                # Only process inactive users
+                if ($isInactive) {
+
+                    if (-not $lastSignIn) {
+                        $Message = 'Guest user {0} has never signed in.' -f $user.UserPrincipalName
+                    } else {
+                        $daysSinceSignIn = [Math]::Round(((Get-Date) - [DateTime]$lastSignIn).TotalDays)
+                        $Message = 'Guest user {0} has been inactive for {1} days. Last sign-in: {2}' -f $user.UserPrincipalName, $daysSinceSignIn, $lastSignIn
+                    }
+
+
+                    [PSCustomObject]@{
+                        UserPrincipalName   = $user.UserPrincipalName
+                        Id                  = $user.id
+                        lastSignIn          = $lastSignIn
+                        DaysSinceLastSignIn = if ($daysSinceSignIn) { $daysSinceSignIn } else { 'N/A' }
+                        Message             = $Message
+                        Tenant              = $TenantFilter
+                    }
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1
@@ -0,0 +1,85 @@
+function Get-CIPPAlertInactiveUsers {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        [Parameter(Mandatory = $false)]
+        [switch]$IncludeNeverSignedIn, # Include users who have never signed in (default is to skip them), future use would allow this to be set in an alert configuration
+        $TenantFilter
+    )
+
+    try {
+        try {
+            $inactiveDays = 90
+            $excludeDisabled = $false
+
+            $excludeDisabled = [bool]$InputValue.ExcludeDisabled
+            if ($null -ne $InputValue.DaysSinceLastLogin -and $InputValue.DaysSinceLastLogin -ne '') {
+                $parsedDays = 0
+                if ([int]::TryParse($InputValue.DaysSinceLastLogin.ToString(), [ref]$parsedDays) -and $parsedDays -gt 0) {
+                    $inactiveDays = $parsedDays
+                }
+            }
+
+            $Lookup = (Get-Date).AddDays(-$inactiveDays).ToUniversalTime()
+            Write-Host "Checking for users inactive since $Lookup (excluding disabled: $excludeDisabled)"
+            # Build base filter - cannot filter accountEnabled server-side
+            $BaseFilter = if ($excludeDisabled) { 'accountEnabled eq true' } else { '' }
+
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/users?`$filter=$BaseFilter&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            } else {
+                "https://graph.microsoft.com/beta/users?`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri -tenantid $TenantFilter | Where-Object { $_.userType -eq 'Member' }
+
+            $AlertData = foreach ($user in $GraphRequest) {
+                $lastInteractive = $user.signInActivity.lastSignInDateTime
+                $lastNonInteractive = $user.signInActivity.lastNonInteractiveSignInDateTime
+
+                # Find most recent sign-in
+                $lastSignIn = $null
+                if ($lastInteractive -and $lastNonInteractive) {
+                    $lastSignIn = if ([DateTime]$lastInteractive -gt [DateTime]$lastNonInteractive) { $lastInteractive } else { $lastNonInteractive }
+                } elseif ($lastInteractive) {
+                    $lastSignIn = $lastInteractive
+                } elseif ($lastNonInteractive) {
+                    $lastSignIn = $lastNonInteractive
+                }
+
+                # Check if inactive
+                $isInactive = (-not $lastSignIn) -or ([DateTime]$lastSignIn -le $Lookup)
+                # Skip users who have never signed in by default (unless IncludeNeverSignedIn is specified)
+                if (-not $IncludeNeverSignedIn -and -not $lastSignIn) { continue }
+                # Only process inactive users
+                if ($isInactive) {
+                    if (-not $lastSignIn) {
+                        $Message = 'User {0} has never signed in.' -f $user.UserPrincipalName
+                    } else {
+                        $daysSinceSignIn = [Math]::Round(((Get-Date) - [DateTime]$lastSignIn).TotalDays)
+                        $Message = 'User {0} has been inactive for {1} days. Last sign-in: {2}' -f $user.UserPrincipalName, $daysSinceSignIn, $lastSignIn
+                    }
+
+                    [PSCustomObject]@{
+                        UserPrincipalName   = $user.UserPrincipalName
+                        Id                  = $user.id
+                        lastSignIn          = $lastSignIn
+                        DaysSinceLastSignIn = if ($daysSinceSignIn) { $daysSinceSignIn } else { 'N/A' }
+                        Message             = $Message
+                        Tenant              = $TenantFilter
+                    }
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1
@@ -0,0 +1,83 @@
+function Get-CIPPAlertStaleEntraDevices {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        try {
+            $inactiveDays = 90
+
+            $excludeDisabled = [bool]$InputValue.ExcludeDisabled
+            if ($null -ne $InputValue.DaysSinceLastActivity -and $InputValue.DaysSinceLastActivity -ne '') {
+                $parsedDays = 0
+                if ([int]::TryParse($InputValue.DaysSinceLastActivity.ToString(), [ref]$parsedDays) -and $parsedDays -gt 0) {
+                    $inactiveDays = $parsedDays
+                }
+            }
+
+            $Lookup = (Get-Date).AddDays(-$inactiveDays).ToUniversalTime()
+            Write-Host "Checking for inactive Entra devices since $Lookup (excluding disabled: $excludeDisabled)"
+            # Build base filter - cannot filter accountEnabled server-side
+            $BaseFilter = if ($excludeDisabled) { 'accountEnabled eq true' } else { '' }
+
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/devices?`$filter=$BaseFilter"
+            } else {
+                'https://graph.microsoft.com/beta/devices'
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri -tenantid $TenantFilter
+
+            $AlertData = foreach ($device in $GraphRequest) {
+
+                $lastActivity = $device.approximateLastSignInDateTime
+
+                $isInactive = (-not $lastActivity) -or ([DateTime]$lastActivity -le $Lookup)
+                # Only process stale Entra devices
+                if ($isInactive) {
+
+                    if (-not $lastActivity) {
+
+                        $Message = 'Device {0} has never been active' -f $device.displayName
+                    } else {
+                        $daysSinceLastActivity = [Math]::Round(((Get-Date) - [DateTime]$lastActivity).TotalDays)
+                        $Message = 'Device {0} has been inactive for {1} days. Last activity: {2}' -f $device.displayName, $daysSinceLastActivity, $lastActivity
+                    }
+
+                    if ($device.TrustType -eq 'Workplace') { $TrustType = 'Entra registered' }
+                    elseif ($device.TrustType -eq 'AzureAd') { $TrustType = 'Entra joined' }
+                    elseif ($device.TrustType -eq 'ServerAd') { $TrustType = 'Entra hybrid joined' }
+
+                    [PSCustomObject]@{
+                        DeviceName            = if ($device.displayName) { $device.displayName } else { 'N/A' }
+                        Id                    = if ($device.id) { $device.id } else { 'N/A' }
+                        deviceOwnership       = if ($device.deviceOwnership) { $device.deviceOwnership } else { 'N/A' }
+                        operatingSystem       = if ($device.operatingSystem) { $device.operatingSystem } else { 'N/A' }
+                        enrollmentType        = if ($device.enrollmentType) { $device.enrollmentType } else { 'N/A' }
+                        Enabled               = if ($device.accountEnabled) { $device.accountEnabled } else { 'N/A' }
+                        Managed               = if ($device.isManaged) { $device.isManaged } else { 'N/A' }
+                        Complaint             = if ($device.isCompliant) { $device.isCompliant } else { 'N/A' }
+                        JoinType              = $TrustType
+                        lastActivity          = if ($lastActivity) { $lastActivity } else { 'N/A' }
+                        DaysSinceLastActivity = if ($daysSinceLastActivity) { $daysSinceLastActivity } else { 'N/A' }
+                        RegisteredDateTime    = if ($device.createdDateTime) { $device.createdDateTime } else { 'N/A' }
+                        Message               = $Message
+                        Tenant                = $TenantFilter
+                    }
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}
