Skip to content

[pull] dev from KelvinTegelaar:dev#105

Open
pull[bot] wants to merge 146 commits into
isgq-github01:devfrom
KelvinTegelaar:dev
Open

[pull] dev from KelvinTegelaar:dev#105
pull[bot] wants to merge 146 commits into
isgq-github01:devfrom
KelvinTegelaar:dev

Conversation

@pull

@pull pull Bot commented Jun 16, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot locked and limited conversation to collaborators Jun 16, 2026
@pull pull Bot added the ⤵️ pull label Jun 16, 2026
Zacgoose and others added 30 commits June 30, 2026 23:20
- replace arraylist with generic list
- skip sync on archived companies
If a CA failed to be deployed because of a missing X or another issue these were not surfaced to the user and in tern drift/standards alignment indicated the policy as aligned even though nothing was deployed. Also adds some future helpers that might be of use later
…vanced) (#2114)

## What

The "Check" add-in's alerts are re-sent on every scheduled run - each
run dumps the whole recent backlog to the configured webhook instead of
only new alerts. Reported in #6216 (e.g. 13 test alerts resulted in 13
entries on every run).

## Cause

`Get-CIPPAlertCheckExtension` reads a per-tenant watermark from the
`AlertLastRun` table (`PartitionKey 'AlertLastRun'`, `RowKey
"<tenant>-Get-CIPPAlertCheckExtension"`) so it only fetches alerts newer
than the previous run - but it never writes that watermark back. As a
result `$Since` always falls back to the default 24-hour window, so
every run re-fetches and re-sends the same alerts (and the
day-partitioned de-dupe in `Write-AlertTrace` resets at midnight, which
lines up with the reported timing jumps).

## Fix

Capture the run start, read/store an explicit `LastRunTime` watermark
(falling back to the existing `Timestamp` for backward compatibility),
and upsert the `AlertLastRun` row after processing. Each run now only
sends alerts created since the previous run.

## Testing

- PowerShell parses clean.
- A mock-storage harness confirms the behaviour: run 1 sends the
backlog, run 2 (no new alerts) sends nothing, run 3 sends only a
newly-added alert.

Fixes KelvinTegelaar/CIPP#6216
# Resolve tenant variables in the Win32 Custom App detection script

Fixes KelvinTegelaar/CIPP#6226.

`%tenantid%` and the other `Get-CIPPTextReplacement` tokens resolve in a
Win32 Custom Application's install and uninstall scripts, but not in the
detection script, which reaches Intune with the literal `%tenantid%`
string.

In `Add-CIPPW32ScriptApplication.ps1` the install and uninstall scripts
are passed through `Get-CIPPTextReplacement` before being
base64-encoded, but the detection script was encoded from the raw
`$Properties.detectionScript`. This change runs the detection script
through `Get-CIPPTextReplacement` first, the same way as the install and
uninstall scripts directly below it.

Verified against the real `Get-CIPPTextReplacement` with mocked tenant
lookups: before the change the detection script keeps the literal
`%tenantid%`; after, it resolves to the tenant's customerId and matches
what the install script produces. Other tokens such as `%tenantfilter%`
resolve too.
Improve logging and error handling in the GDAP relationship termination
function
…2112)

## What

Adds a deterministic post-processing stage that enriches the generated
`openapi.json` with typed `200` response schemas and a unique
`operationId` per operation, and publishes the result as a Release
asset. It does **not** replace the existing generator; it runs on its
output.

## Why

The generated spec types request bodies but leaves every `200` response
as the generic `StandardResults` envelope, and carries no `operationId`
on any operation. Two practical consequences:

- OpenAPI importers that key on `operationId` skip every operation.
Tested against a real importer: the unmodified spec imported as **0**
actions; with `operationId` injected it imports as **all 582**.
- Downstream tools get no typed output fields to map against.

## How

A PowerShell stage (`.build/Add-OpenApiResponseSchemas.ps1`) with two
passes, both pure functions of checked-in sources (no live API calls,
byte-identical output across runs):

- **operationId**: bare endpoint name per operation; method-prefixed
only where one path carries multiple methods (e.g. `GetExecCSPLicense` /
`PostExecCSPLicense`). Existing `operationId`s are preserved; any
collision is a hard failure.
- **typed 200 responses**: derived from the frontend shape baselines
(`Tests/Shapes/*.json`) and page `simpleColumns` declarations. The `{
Results, Metadata }` envelope is preserved exactly as the API returns it
(no flattening, so the schema stays truthful to the wire).

Endpoints with no typed source keep `StandardResults`, which is correct
for write/exec operations.

## Publishing + CI

- `openapi-enriched-release.yml` builds and uploads
`openapi.enriched.json` as an asset on each GitHub Release (no commits
back to the tree).
- `openapi-enriched-check.yml` runs the test suite and **strictly lints
the enriched spec** against a committed ignore-baseline
(`.redocly.lint-ignore.yaml`) that pins pre-existing findings, so any
*new* finding fails CI.
- `.github/workflows/` is gitignored in this repo (the existing
workflows are force-added), so these two were added with `git add -f`,
matching the repo convention.

## Tests

50 Pester tests + PSScriptAnalyzer (0 findings), run via
`Tests/Build/Invoke-BuildTests.ps1`. Covers operationId rules
(bare/disambiguated/preserve/collision-throws), response typing,
idempotency, and the frontend-scan edge cases.

## Known limitations (documented in `.build/README.md`)

- Only `get/post/put/patch/delete` are processed (the spec has no other
methods today).
- Paths are assumed to start with `/api/` (all current paths do).
- A typed `200` replaces the existing `200.content` (today only
`StandardResults` exists there).
- Conditional/ternary `simpleColumns` expressions are intentionally not
parsed (a conservative miss is preferred over capturing non-column
strings).

## Side benefit

Injecting `operationId` also removes the `operation-operationId` lint
warning that previously applied to every operation in the spec.


## CI activation note

Both workflows are guarded with `if: github.repository_owner ==
'KelvinTegelaar'`, matching the convention of the existing workflows in
this repo (forks do not run them). As a result they will **not** appear
as status checks on this PR from the fork; they activate once merged
into the upstream tree. Verification was therefore done locally before
opening this PR:

- `Tests/Build/Invoke-BuildTests.ps1`: 50 Pester tests passing,
PSScriptAnalyzer 0 findings
- strict Redocly lint of the generated `openapi.enriched.json`: 0
errors, 0 warnings, 5 pre-existing findings ignored via the committed
baseline; verified to fail on an injected new finding
- both workflow YAML files parse clean
- enrichment is deterministic: same inputs produce byte-identical output
across runs
This pull request enhances the `Push-BECRun` PowerShell function by
adding the retrieval and logging of sent message traces for a user, and
includes this data in the output object. These changes improve the
auditing and incident response capabilities of the function by providing
more comprehensive information about user activity.

**Enhancements to auditing and user activity tracking:**

* Added retrieval of sent message traces using the `Get-MessageTraceV2`
cmdlet, with error handling and logging in case of failures. The trace
includes message details such as status, subject, recipient, received
time, and sender IP.
* Included the collected sent message trace data as a new property
(`SentMessages`) in the output object returned by the function.
Introduce support for ExcludeGroupIds and ExcludeGroupNames in
assignment functions.

Frontend PR: KelvinTegelaar/CIPP#6244
Overhaul of the rather interesting way to construct a JSON payload and
add in severity and resolving comment functionality.

Frontend PR: KelvinTegelaar/CIPP#6234
Updated to write to and read from cetralised CIPP database
Frontend PR: KelvinTegelaar/CIPP#6238

The `SetAuthMethod` endpoint only toggled state and group targeting, so
every method-specific option was unreachable from the portal. This
forwards those settings through `Invoke-SetAuthMethod` and applies them
in `Set-CIPPAuthenticationPolicy`.

**Added/exposed settings**
- TAP: `isUsableOnce`, min/max/default lifetime, default length
- Microsoft Authenticator: software OATH + display-app-info /
display-location / companion-app feature states
- Email OTP: external-ID state, exclude groups (empty list now
explicitly clears `excludeTargets`)
- QR Code PIN: lifetime + PIN length
- FIDO2: `isAttestationEnforced` + `isSelfServiceRegistrationAllowed`
(were hardcoded on enable)
- Voice: `isOfficePhoneAllowed`
- SMS: `isUsableForSignIn` (stamped onto each include-target)

Log messages now spell out the changed values per method.

**Tests:** adds `Tests/Private/Set-CIPPAuthenticationPolicy.Tests.ps1`
(7 cases) — `Invoke-Pester -Path
./Tests/Private/Set-CIPPAuthenticationPolicy.Tests.ps1`.
Add the SMTP client authentication state to the mailbox details
response, enhancing the information available for mailbox configuration.

Frontend: KelvinTegelaar/CIPP#6180
Introduce functionality to allow specific user profile fields to be
cleared when editing a user. Currently the property is just quietly
dropped with a success message.

Frontend PR: KelvinTegelaar/CIPP#6261
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants