From 1e309cba891c99efdac3029be2a97262c3c9a67c Mon Sep 17 00:00:00 2001 From: John Duprey Date: Fri, 24 Oct 2025 09:47:58 -0400 Subject: [PATCH 1/5] handle objects that do not have group type --- .../CIPP/Settings/Invoke-ExecTenantGroup.ps1 | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 index 335c5b80c1fa..361c712e920f 100644 --- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 @@ -35,9 +35,13 @@ function Invoke-ExecTenantGroup { if ($groupDescription) { $GroupEntity.Description = $groupDescription } - $GroupEntity.GroupType = $groupType + if (!$GroupEntity.PSObject.Properties.Name -contains 'GroupType') { + $GroupEntity | Add-Member -NotePropertyName 'GroupType' -NotePropertyValue $groupType -Force + } else { + $GroupEntity.GroupType = $groupType + } if ($groupType -eq 'dynamic' -and $dynamicRules) { - $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -depth 100 -Compress)" + $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -Depth 100 -Compress)" $GroupEntity | Add-Member -NotePropertyName 'RuleLogic' -NotePropertyValue $ruleLogic -Force } else { $GroupEntity | Add-Member -NotePropertyName 'RuleLogic' -NotePropertyValue $null -Force @@ -52,7 +56,7 @@ function Invoke-ExecTenantGroup { GroupType = $groupType } if ($groupType -eq 'dynamic' -and $dynamicRules) { - $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -depth 100 -Compress)" + $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -Depth 100 -Compress)" $GroupEntity.RuleLogic = $ruleLogic } Add-CIPPAzDataTableEntity @Table -Entity $GroupEntity -Force 
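Review bot: The new guard `if (!$GroupEntity.PSObject.Properties.Name -contains 'GroupType')` in the first hunk does not test what it appears to, because the unary `!` binds tighter than `-contains`: the name list is negated first and the resulting boolean is then compared with 'GroupType'. For an entity that has any properties this should evaluate to false, so the `else` branch with the plain assignment still runs for objects that lack the property. Use `if ($GroupEntity.PSObject.Properties.Name -notcontains 'GroupType')`, or drop the branch and always call `Add-Member -NotePropertyName 'GroupType' -NotePropertyValue $groupType -Force`. The enclosing function starts and ends outside the hunk.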
From 98ec9395054d56e11b1ea1b15b0a7677e57451db Mon Sep 17 00:00:00 2001 From: rvdwegen Date: Fri, 24 Oct 2025 17:07:35 +0200 Subject: [PATCH 2/5] Fix edit tenant group --- .../HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 index 335c5b80c1fa..9eaa28228c75 100644 --- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 @@ -35,7 +35,7 @@ function Invoke-ExecTenantGroup { if ($groupDescription) { $GroupEntity.Description = $groupDescription } - $GroupEntity.GroupType = $groupType + $GroupEntity | Add-Member -NotePropertyName 'GroupType' -NotePropertyValue $groupType -Force if ($groupType -eq 'dynamic' -and $dynamicRules) { $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -depth 100 -Compress)" $GroupEntity | Add-Member -NotePropertyName 'RuleLogic' -NotePropertyValue $ruleLogic -Force From 0b687c4caf718161e890cff14c1bf5c572fe15c2 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Fri, 24 Oct 2025 13:52:08 -0400 Subject: [PATCH 3/5] fix add task --- Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 b/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 index 93ffb9ec6540..4dd7e2a14e77 100644 --- a/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 +++ b/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 
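Review bot: The `DynamicRules` assignment two lines below the changed line is still a direct property set, so it can fail in the same way `GroupType` did. An entity stored without `GroupType` presumably also lacks `DynamicRules`, and editing such a group to 'dynamic' would then throw at `$GroupEntity.DynamicRules = ...`. Consider `$GroupEntity | Add-Member -NotePropertyName 'DynamicRules' -NotePropertyValue "$($dynamicRules | ConvertTo-Json -Depth 100 -Compress)" -Force`, matching how `RuleLogic` is already handled. The same line appears in the first hunk of PATCH 1/5, and the function body continues outside this hunk.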
@@ -221,7 +221,8 @@ function Add-CIPPScheduledTask { $Parameters.'$select' = $task.Trigger.WatchedAttributes | ForEach-Object { $_.value ?? $_ } -join ',' } if ($task.Trigger.ResourceFilter) { - $Parameters.'$filter' = "id eq '" + $task.Trigger.ResourceFilter | ForEach-Object { $_.value ?? $_ } -join "' or id eq '" + $ResourceFilterValues = $task.Trigger.ResourceFilter | ForEach-Object { $_.value ?? $_ } + $Parameters.'$filter' = "id eq '" + ($ResourceFilterValues -join "' or id eq '") + "'" } $Resource = $task.Trigger.DeltaResource.value ?? $task.Trigger.DeltaResource From 0806d3af80855db6e9a2612fdd8f50d261d2309b Mon Sep 17 00:00:00 2001 From: John Duprey Date: Fri, 24 Oct 2025 15:58:53 -0400 Subject: [PATCH 4/5] offboarding, schedule immutable id add restoring user for immutable id clear --- .../CIPPCore/Public/Clear-CIPPImmutableId.ps1 | 11 +++++ .../Users/Invoke-CIPPOffboardingJob.ps1 | 45 ++++++++++++++++--- 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1 b/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1 index eaba79df769d..60255008687e 100644 --- a/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1 +++ b/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1 
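Review bot: The rebuilt `$filter` string places each `ResourceFilter` value between single quotes without escaping, so a value containing `'` would end the literal early and change the meaning of the Graph filter. If these values can come from a user-defined task rather than only from internally generated object ids, double the quote before joining, e.g. `ForEach-Object { ($_.value ?? $_) -replace "'", "''" }`, or reject anything that is not a GUID. The `$select` line just above still uses the `ForEach-Object { ... } -join ','` form that this change moves away from for `$filter`, so it likely needs the same parenthesised join. The function continues outside the hunk.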
@@ -8,6 +8,17 @@ function Clear-CIPPImmutableId { ) try { + try { + $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -ErrorAction SilentlyContinue + } catch { + $DeletedUser = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directory/deletedItems/$UserID" -tenantid $TenantFilter + if ($DeletedUser.id) { + # Restore deleted user object + $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/directory/deletedItems/$UserID/restore" -tenantid $TenantFilter -type POST + Write-LogMessage -headers $Headers -API $APIName -message "Restored deleted user $UserID to clear immutable ID" -sev Info -tenant $TenantFilter + } + } + $Body = [pscustomobject]@{ onPremisesImmutableId = $null } $Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1 index 80c782083a28..2ad6abf635b3 100644 --- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1 
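Review bot: The inner `catch` treats every failure of the `/users/$UserID` lookup as "the user was deleted", so a throttled or unauthorised request also falls through to the `deletedItems` lookup and possibly a restore. Restoring brings an offboarded account back into the directory, and nothing in this hunk deletes it again or checks that sign-in is blocked afterwards; the function body continues past the hunk, so confirm that there. `-ErrorAction SilentlyContinue` on the first call also looks at odds with relying on `catch`, and `$User` is not used in the visible lines. Consider taking the restore path only on a not-found response and adding a comment such as `# Restored only to clear onPremisesImmutableId; the account must not remain active afterwards`.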
@@ -11,7 +11,7 @@ function Invoke-CIPPOffboardingJob { if ($Options -is [string]) { $Options = $Options | ConvertFrom-Json } - $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)?`$select=id,displayName" -tenantid $TenantFilter + $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)?`$select=id,displayName,onPremisesSyncEnabled,onPremisesImmutableId" -tenantid $TenantFilter $UserID = $User.id $DisplayName = $User.displayName Write-Host "Running offboarding job for $Username with options: $($Options | ConvertTo-Json -Depth 10)" 
@@ -182,10 +182,45 @@ function Invoke-CIPPOffboardingJob { } } { $_.ClearImmutableId -eq $true } { - try { - Clear-CIPPImmutableID -UserID $userid -TenantFilter $TenantFilter -Headers $Headers -APIName $APIName - } catch { - $_.Exception.Message + if ($User.onPremisesSyncEnabled -ne $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) { + Write-LogMessage -Message "User $Username has an ImmutableID set but is not synced from on-premises. Proceeding to clear the ImmutableID." -TenantFilter $TenantFilter -Severity 'Warning' -APIName $APIName -Headers $Headers + try { + Clear-CIPPImmutableID -UserID $userid -TenantFilter $TenantFilter -Headers $Headers -APIName $APIName + } catch { + $_.Exception.Message + } + } elseif ($User.onPremisesSyncEnabled -eq $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) { + Write-LogMessage -Message "User $Username is synced from on-premises. Scheduling an Immutable ID clear for when the user account has been soft deleted." -TenantFilter $TenantFilter -Severity 'Error' -APIName $APIName -Headers $Headers + + $ScheduledTask = @{ + TenantFilter = $TenantFilter + Name = "Clear Immutable ID: $Username" + Command = @{ + value = 'Clear-CIPPImmutableID' + } + Parameters = [pscustomobject]@{ + userid = $userid + APIName = $APIName + Headers = $Headers + } + Trigger = @{ + Type = 'DeltaQuery' + DeltaResource = 'users' + ResourceFilter = @($UserID) + EventType = 'deleted' + UseConditions = $false + ExecutePerResource = $true + ExecutionMode = 'once' + } + ScheduledTime = [int64](([datetime]::UtcNow).AddMinutes(5) - (Get-Date '1/1/1970')).TotalSeconds + Recurrence = '15m' + PostExecution = @{ + Webhook = $false + Email = $false + PSA = $false + } + } + Add-CIPPScheduledTask -Task $ScheduledTask -hidden $false } } } From 813dc3dc67d634abf5ee82eae83b23cd9a389eec Mon Sep 17 00:00:00 2001 
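Review bot: The scheduled task's `Parameters` block stores `Headers = $Headers`, which persists the caller's request headers with the task until the delete event fires. If `$Headers` is the raw HTTP header set it may carry authentication or client-principal material, so pass only what the later log entry needs for attribution, or omit it if `Clear-CIPPImmutableID` can run without it. The "Scheduling an Immutable ID clear" message is logged with `-Severity 'Error'` although nothing failed; `'Info'` would keep error-level alerts meaningful. These two calls also use `-Message`/`-Severity`/`-TenantFilter`, while the `Write-LogMessage` call added in Clear-CIPPImmutableId.ps1 uses `-message`/`-sev`/`-tenant`, so confirm both spellings bind. The `switch` block continues outside the hunk.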
From: John Duprey Date: Fri, 24 Oct 2025 16:48:52 -0400 Subject: [PATCH 5/5] Update version_latest.txt --- version_latest.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_latest.txt b/version_latest.txt index acd405b1d62e..f6f89a8f8109 100644 --- a/version_latest.txt +++ b/version_latest.txt @@ -1 +1 @@ -8.6.0 +8.6.1