[pull] master from KelvinTegelaar:master#11
Open
pull[bot] wants to merge 49 commits intojoaadvi:masterfrom
Open
[pull] master from KelvinTegelaar:master#11pull[bot] wants to merge 49 commits intojoaadvi:masterfrom
pull[bot] wants to merge 49 commits intojoaadvi:masterfrom
Conversation
The report block overwrote the actual current expiration day count with the boolean literal $true whenever StateIsCorrect was true, then wrote that boolean into the compare field as the "Current" value. This caused the drift page to render Expected=120 / Current= true and flag a deviation even when the policy was correctly set -- while the remediate block (which used the unmangled value) logged "already set to 120 days". Removing the conditional reassignment makes the report always emit the real numeric value, so when state matches expected the drift page goes green instead of showing a phantom deviation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The standard fetches $CurrentState from SPO once at the top, then the remediate block calls Set-CIPPSPOTenant to mutate the live state but never refreshes $CurrentState. When both remediate and report run in the same pass, the report block builds CurrentValue from the stale pre-remediation $CurrentState and writes it into the drift compare field -- producing Expected=true / Current=false on the manage drift page even though the live SPO state is now correct (and the logbook says "Successfully set File Requests..."). After a successful Set-CIPPSPOTenant, mirror the just-applied properties into $CurrentState so the report block writes the post-remediation values. The catch path is untouched, so failed remediation correctly leaves the original state in the report. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The autoclaim GET endpoint at admin.microsoft.com returns the policy
state under tenantPolicyValue, not policyValue:
{
"policyId": "Autoclaim",
"tenantPolicyValue": "Disabled",
"tenantId": "..."
}
CIPP was reading $AutoClaimPolicy.policyValue (which does not exist
on the response object) so it always evaluated to $null, causing:
- the initial Compare to find a diff vs the Expected 'Disabled',
- remediation to fire every run,
- the post-remediation re-fetch to also read null,
- the drift compare-field to be written with Value=null,
- the manage drift page to show a phantom deviation despite the
log saying "Changed Self Service status for product
'Trial Autoclaim - autoclaim' from '' to 'Disabled'".
The POST body still uses {"policyValue": "Disabled"} -- Microsoft's
read/write schemas are asymmetric on this endpoint, so only the
read paths needed the property name corrected.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The state check uses Compare-Object (order-insensitive) so $StateIsCorrect correctly reported "Federation Configuration already set." But the report block wrote the raw arrays to the compare field, where the current side was alphabetically sorted upstream and the expected side was in user-input order from $Settings.DomainList. The drift page diffs the JSON arrays literally, so identical sets in different orders rendered as a phantom deviation. Sort the parsed expected arrays (AllowedDomainsAsAList for AllowSpecificExternal, BlockedDomains for BlockSpecificExternal) at the source so they match the already-sorted current values. Set-CsTenantFederationConfiguration is set-semantic on the Microsoft side, so order does not affect remediation behavior. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Same shape as the TeamsFederationConfiguration fix: the state check uses Compare-Object (order-insensitive) so $StateIsCorrect correctly reports "already correctly configured", but the report block writes the raw arrays to the compare field where Current and Expected come from different sources and may be ordered differently. The drift page diffs the JSON arrays literally, producing phantom deviations even though the policies are correctly applied. SafeLinksPolicy.DoNotRewriteUrls: Current was $CurrentState.DoNotRewriteUrls (raw API), Expected was $Settings.DoNotRewriteUrls.value (raw user input). Sort both in the report block so they match regardless of input or API order. MalwareFilterPolicy.FileTypes: Current was $CurrentState.FileTypes (raw API), Expected was $ExpectedFileTypes ($DefaultFileTypes + user-supplied OptionalFileTypes split). Sort both in the report block. Set-SafeLinksPolicy and Set-MalwareFilterPolicy treat these lists as sets on the Microsoft side, so order does not affect remediation behavior -- only the drift display. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…olicies (#2038) This pull request introduces several improvements and bug fixes to the standards enforcement scripts, focusing on ensuring accurate reporting and consistency in policy comparisons. The main changes involve normalizing list-type values for reliable comparisons, correcting field references, and updating in-memory state after remediation to prevent reporting outdated values. **Policy comparison normalization:** * Updated all list-type fields (such as `FileTypes`, `DoNotRewriteUrls`, and domain lists in Teams federation) to be sorted before comparison, ensuring that order differences do not cause false drift reports. [[1]](diffhunk://#diff-21f5937855b4b87d151a77151a2b79e689eef46e372ef5fec22864e684729b19L223-R223) [[2]](diffhunk://#diff-21f5937855b4b87d151a77151a2b79e689eef46e372ef5fec22864e684729b19L241-R241) [[3]](diffhunk://#diff-636adbbc5bcc10efc5ba31410af63ff8cf0c352f5cfeac24dde5d4f7463348a5L234-R234) [[4]](diffhunk://#diff-636adbbc5bcc10efc5ba31410af63ff8cf0c352f5cfeac24dde5d4f7463348a5L248-R248) [[5]](diffhunk://#diff-8094476ac96a5b9884740aae3a3e267ea51843d9caa915f8c9fd87d1aecf9d87L78-R78) [[6]](diffhunk://#diff-8094476ac96a5b9884740aae3a3e267ea51843d9caa915f8c9fd87d1aecf9d87L88-R88) **Bug fixes and accuracy improvements:** * Corrected the field used for reporting the 'Trial Autoclaim' policy value from `policyValue` to `tenantPolicyValue` in `Invoke-CIPPStandardDisableSelfServiceLicenses`. [[1]](diffhunk://#diff-8d188a1e9388883bced1f8938fab119c89ab15d3aaea5f5357817a6a32cb4e5aL69-R69) [[2]](diffhunk://#diff-8d188a1e9388883bced1f8938fab119c89ab15d3aaea5f5357817a6a32cb4e5aL148-R148) * In `Invoke-CIPPStandardSPFileRequests`, updated the in-memory state after remediation so that drift reports reflect the post-remediation values rather than outdated ones. **Code cleanup:** * Removed an unnecessary line in `Invoke-CIPPStandardTeamsMeetingRecordingExpiration` that could have incorrectly set the current value to `$true` instead of the actual expiration days.
Adjust the comparison logic to properly handle cases where the result is null when the CompareType is not 'Catalog'. This ensures that the comparison results are always returned as an array, preventing potential errors. Fixes "Failed to compare policies: Index operation failed; the array index evaluated to null." error on the compare policy page
Enhance the ListIntunePolicy function to support group policy definition lookups and improve handling of requests for configuration policies and group policy configurations. This update allows for more efficient data retrieval. Frontend PR: KelvinTegelaar/CIPP#5951
- Implemented AutoDiscover record validation in Push-DomainAnalyserDomain function. - Enhanced Invoke-ListDomainHealth to support AutoDiscover record retrieval.
…tandardSPFileRequests function
**Important:** This PR is dependant on JohnDuprey/DNSHealth#26 being merged and the module updated in CIPP Implement AutoDiscover record validation in the domain analysis process and enhance the domain health listing functionality to support AutoDiscover record retrieval. Frontend PR: KelvinTegelaar/CIPP#5974
…#2041) ## Summary - Adds optional `usageLocation` (ISO 3166-1 alpha-2) to JIT Admin user creation via Graph API - Saves `defaultUsageLocation` in JIT Admin templates (both Add and Edit) - Prevents Huntress false-positive alerts for JIT Admin accounts missing usage location Fixes KelvinTegelaar/CIPP#5910 Companion PR (frontend): KelvinTegelaar/CIPP#5971 ## Changes - `Set-CIPPUserJITAdmin.ps1` — conditionally includes `usageLocation` in the Graph POST body when creating users - `Invoke-ExecJITAdmin.ps1` — passes `usageLocation` from request body to the User hashtable - `Invoke-AddJITAdminTemplate.ps1` — saves `defaultUsageLocation` in template object - `Invoke-EditJITAdminTemplate.ps1` — same for template editing
- Updated Set-CIPPManager and Set-CIPPSponsor functions to accept multiple users for bulk processing. - Modified Invoke-EditUser and Invoke-PatchUser to handle bulk updates for managers and sponsors. - Enhanced logging for success and error messages during updates.
The autocomplete component sends {label, value} objects but the
Graph API expects a plain string for usageLocation. Extract .value
before passing to API, matching the pattern used by other user
endpoints (Invoke-AddUserDefaults, Invoke-EditUser, etc).
The usageLocation autocomplete sends {label, value} objects but Graph
API
expects a plain string. This causes a "StartObject node found for
usageLocation, PrimitiveValue expected" error when creating JIT Admin
users.
Extract .value before passing to the API, same as Invoke-AddUserDefaults
and Invoke-EditUser already do.
Enable bulk processing for setting multiple managers and sponsors in user updates. Introduce 'manager' and 'sponsor' properties to the user patching functionality. Frontend PR: KelvinTegelaar/CIPP#5976
… reseller relationship links implements KelvinTegelaar/CIPP#5963
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )