From 9a43bd874526c469066ca9b9aca24053f5a2ad58 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 19 Mar 2024 11:47:20 +0100
Subject: [PATCH 1/9] update apn

---
 .../Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1
index 8054acdc8902..13a411f105e9 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1
@@ -11,6 +11,7 @@ function Push-CIPPAlertApnCertExpiry {
 Write-AlertMessage -tenant $($Item.tenant) -message ('Intune: Apple Push Notification certificate for {0} is expiring on {1}' -f $Apn.appleIdentifier, $Apn.expirationDateTime)
 }
 } catch {
- Write-AlertMessage -tenant $($Item.Tenant) -message "Failed to check APN certificate expiry for $($Item.Tenant): $(Get-NormalizedError -message $_.Exception.message)"
+ #no error because if a tenant does not have an APN, it'll error anyway.
+ #Write-AlertMessage -tenant $($Item.Tenant) -message "Failed to check APN certificate expiry for $($Item.Tenant): $(Get-NormalizedError -message $_.Exception.message)"
 }
 }

From 3577edf9f0c1fa1c1b0655781485b0e0d487e4eb Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 19 Mar 2024 17:59:49 +0100
Subject: [PATCH 2/9] fixes issue with group assinging via standard

---
 .../Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
index d6676fc437ec..8ab1793fec2f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
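Review bot: Commenting out the only statement in the catch block leaves Push-CIPPAlertApnCertExpiry swallowing every exception from the Graph call, not just the "tenant has no APN certificate" case the new comment describes, so auth failures, throttling and permission errors also become silent and the expiry alert can stop firing for a tenant without any trace. The same change is made to Push-CIPPAlertAppSecretExpiry in PATCH 9/9. A cheap middle ground is a low-severity log line instead of an empty catch, e.g. `Write-LogMessage -API 'Alerts' -tenant $Item.Tenant -message "APN certificate check skipped for $($Item.Tenant): $(Get-NormalizedError -message $_.Exception.message)" -sev Debug`, or matching the specific "no APN configured" error text before suppressing and letting everything else through to Write-AlertMessage. The function's body starts outside the hunk.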
@@ -75,6 +75,7 @@ function Invoke-CIPPStandardIntuneTemplate {
 if ($Settings.AssignTo) {
 Write-Host "Assigning Policy to $($Settings.AssignTo) the create ID is $($CreateRequest)"
+ if ($Settings.AssignTo -eq 'customGroup') { $Settings.AssignTo = $Settings.customGroup }
 Set-CIPPAssignedPolicy -PolicyId $CreateRequest.id -TenantFilter $tenant -GroupName $Settings.AssignTo -Type $TemplateTypeURL
 }
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant)" -sev 'Info'

From ac56c101c1f09aa274398693e511464c6261043c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Wed, 20 Mar 2024 18:40:38 +0100
Subject: [PATCH 3/9] DisableAppCreation standard

---
 .../Invoke-CIPPStandardDisableAppCreation.ps1 | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1
new file mode 100644
index 000000000000..0d1d2d2a0af6
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1
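Review bot: The new customGroup substitution runs after the Write-Host on the preceding line, so the log still prints the literal "customGroup" rather than the group that is actually assigned, and nothing checks that $Settings.customGroup is non-empty before it becomes the -GroupName handed to Set-CIPPAssignedPolicy. Moving the substitution above the Write-Host and guarding it keeps the audit line truthful and turns a misconfigured standard into a logged failure: `if ($Settings.AssignTo -eq 'customGroup' -and -not $Settings.customGroup) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'customGroup selected but no group name supplied' -sev Error; return }` followed by the existing substitution line. What Set-CIPPAssignedPolicy does with an empty GroupName is not visible on this page, so that part is inferred. The enclosing function starts and ends outside the hunk.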
@@ -0,0 +1,37 @@
+function Invoke-CIPPStandardDisableAppCreation {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy?$select=defaultUserRolePermissions' -tenantid $Tenant
+
+ If ($Settings.remediate) {
+ if ($CurrentInfo.defaultUserRolePermissions.allowedToCreateApps -eq $false) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are already not allowed to create App registrations.' -sev Info
+ } else {
+ try {
+ $body = '{"defaultUserRolePermissions":{"allowedToCreateApps":false}}'
+ $null = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled users from creating App registrations.' -sev Info
+ $CurrentInfo.defaultUserRolePermissions.allowedToCreateApps = $false
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating App registrations: $($_.exception.message)" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert) {
+
+ if ($CurrentInfo.defaultUserRolePermissions.allowedToCreateApps -eq $false) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not allowed to create App registrations.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create App registrations.' -sev Alert
+ }
+ }
+
+ if ($Settings.report) {
+ $State = -not $CurrentInfo.defaultUserRolePermissions.allowedToCreateApps
+ Add-CIPPBPAField -FieldName 'UserAppCreationDisabled' -FieldValue [bool]$State -StoreAs bool -Tenant $tenant
+ }
+}

From 224474aeddc49aa411f19d54ca4882705e87dc21 Mon Sep 17 00:00:00 2001
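Review bot: `-FieldValue [bool]$State` in the report branch does not cast: in command-argument mode PowerShell treats `[bool]` as a bare string and appends the expanded variable, so what reaches `-StoreAs bool` is most likely the text "[bool]True" rather than a boolean; write `-FieldValue ([bool]$State)` or drop the cast, since `-not` already yields a bool. The more important gap is that the New-GraphGetRequest call near the top of the hunk sits outside any try/catch, and when it fails or returns nothing `$CurrentInfo.defaultUserRolePermissions.allowedToCreateApps` is $null, so `-not $null` is $true and the BPA report records app creation as disabled for a tenant that was never actually checked (the alert branch, by contrast, falls through to "allowed"). Guarding the report on a real value, `if ($null -eq $CurrentInfo.defaultUserRolePermissions) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Could not read authorizationPolicy; report skipped' -sev Error; return }` before `$State` is computed, keeps a failed read from being reported as compliant.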
From: KelvinTegelaar
Date: Wed, 20 Mar 2024 19:33:02 +0100
Subject: [PATCH 4/9] add reprocess to exclude

---
 Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1
index 77139f1ddaba..db62dae8b160 100644
--- a/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1
+++ b/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1
@@ -67,6 +67,7 @@ function Invoke-CippWebhookProcessing {
 'OAuth2:Token'
 'SAS:EndAuth'
 'SAS:ProcessAuth'
+ 'Login:reprocess'
 )
 if ($TableObj.RequestType -in $ExtendedPropertiesIgnoreList) {
 Write-Host 'No need to process this operation.'

From b4ec1fd0883f02270b4defd62dc06cbb7684e19d Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Thu, 21 Mar 2024 21:41:38 -0400
Subject: [PATCH 5/9] Limit standards to enabled only

---
 Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1
index 1c7e177e3555..8dd8055c6c93 100644
--- a/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1
+++ b/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1
@@ -78,7 +78,7 @@ function Invoke-CIPPStandardsRun {
 #For each item in our object, run the queue.
- $Batch = foreach ($task in $object | Where-Object -Property Standard -NotLike 'v2*') {
+ $Batch = foreach ($task in $object | Where-Object { $_.Standard -NotLike 'v2*' -and ($_.Settings.remediate -eq $true -or $_.Settings.alert -eq $true -or $_.Settings.report -eq $true) }) {
 [PSCustomObject]@{
 Tenant = $task.Tenant
 Standard = $task.Standard

From 7f4dfaded45d1593881d3588f80666440b0e4daf Mon Sep 17 00:00:00 2001
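Review bot: The list this hunk extends decides which incoming webhook request types are dropped before any alert processing, and the new `'Login:reprocess'` entry joins the others with no record of why it is safe to ignore, so a later reader cannot tell whether these are benign duplicates or sign-in events that should still be evaluated. A short comment on the new line, `'Login:reprocess' # re-processed sign-in; reason for exclusion: TODO(review)`, or a one-line comment above the list stating what qualifies an entry for exclusion, would make the suppression auditable. The list's declaration and the rest of Invoke-CippWebhookProcessing lie outside the hunk, so its full contents are not visible here.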
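Review bot: The rewritten Where-Object filter folds two unrelated conditions into one long scriptblock, which makes the "which standards actually run" rule easy to misread. Splitting it into two stages, `Where-Object { $_.Standard -NotLike 'v2*' } |` followed by `Where-Object { $_.Settings.remediate -eq $true -or $_.Settings.alert -eq $true -or $_.Settings.report -eq $true }`, keeps the same semantics and reads as "not v2, and at least one action enabled". As far as I can tell a standard whose Settings flags are stored as strings still passes, because `'true' -eq $true` compares as strings case-insensitively, so this is a readability point rather than a behavioral one. The foreach body continues outside the hunk.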
From: John Duprey
Date: Fri, 22 Mar 2024 08:52:43 -0400
Subject: [PATCH 6/9] Convert scheduler/alert rules to json objects

---
 .../Public/Entrypoints/Invoke-ListScheduledItems.ps1 | 5 ++++-
 .../Public/Entrypoints/Invoke-ListWebhookAlert.ps1 | 10 ++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListScheduledItems.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListScheduledItems.ps1
index d23de674c779..17a650f11196 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListScheduledItems.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListScheduledItems.ps1
@@ -11,7 +11,10 @@ Function Invoke-ListScheduledItems {
 # Write to the Azure Functions log stream.
 Write-Host 'PowerShell HTTP trigger function processed a request.'
 $Table = Get-CIPPTable -TableName 'ScheduledTasks'
- $ScheduledTasks = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'ScheduledTask' and Hidden ne 'True'"
+ $ScheduledTasks = foreach ($Task in Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'ScheduledTask' and Hidden ne 'True'") {
+ $Task.Parameters = $Task.Parameters | ConvertFrom-Json
+ $Task
+ }
 # Associate values to output bindings by calling 'Push-OutputBinding'.
 Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListWebhookAlert.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListWebhookAlert.ps1
index 5ee5feb2924f..d585504f4254 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListWebhookAlert.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListWebhookAlert.ps1
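Review bot: `$Task.Parameters | ConvertFrom-Json` has no error handling, so a single row whose Parameters column holds malformed or non-JSON text can throw inside the foreach and fail the whole scheduled-task listing instead of just that row; the same pattern appears twice in the Invoke-ListWebhookAlert hunk that follows (`$Webhook.If` and `$Webhook.execution`). Wrapping the conversion per row, `try { $Task.Parameters = $Task.Parameters | ConvertFrom-Json } catch { Write-LogMessage -API 'ListScheduledItems' -message 'Scheduled task has Parameters that are not valid JSON; returning raw value' -sev Warning }`, still emits the task and keeps one bad record from hiding every other one. Whether the cmdlet's error is terminating here depends on the PowerShell version and the caller's error preference, neither of which is visible on this page. Invoke-ListScheduledItems continues outside the hunk.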
@@ -11,12 +11,14 @@ Function Invoke-ListWebhookAlert {
 $APIName = $TriggerMetadata.FunctionName
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 $Table = get-cipptable -TableName 'SchedulerConfig'
- $WebhookRow = Get-CIPPAzDataTableEntity @Table | Where-Object -Property PartitionKey -EQ 'WebhookAlert'
-
+ $WebhookRow = foreach ($Webhook in Get-CIPPAzDataTableEntity @Table | Where-Object -Property PartitionKey -EQ 'WebhookAlert') {
+ $Webhook.If = $Webhook.If | ConvertFrom-Json
+ $Webhook.execution = $Webhook.execution | ConvertFrom-Json
+ $Webhook
+ }
+
 Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
 StatusCode = [HttpStatusCode]::OK
 Body = @($WebhookRow)
 })
-
-
 }

From 6177af2e387c1c39906e1ea2dd0e8e9195a55441 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Fri, 22 Mar 2024 09:09:45 -0400
Subject: [PATCH 7/9] Webhook batching

---
 Scheduler_GetWebhooks/run.ps1 | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/Scheduler_GetWebhooks/run.ps1 b/Scheduler_GetWebhooks/run.ps1
index 9b890b878588..ca8c3a456566 100644
--- a/Scheduler_GetWebhooks/run.ps1
+++ b/Scheduler_GetWebhooks/run.ps1
@@ -2,12 +2,24 @@ param($Timer)
 $Table = Get-CIPPTable -TableName WebhookIncoming
 $Webhooks = Get-CIPPAzDataTableEntity @Table
-$InputObject = [PSCustomObject]@{
- OrchestratorName = 'WebhookOrchestrator'
- Batch = @($Webhooks)
- SkipLog = $true
+$WebhookCount = ($Webhooks | Measure-Object).Count
+$Message = 'Processing {0} webhooks' -f $WebhookCount
+Write-LogMessage -API 'Webhooks' -message $Message -sev Info
+
+try {
+ for ($i = 0; $i -lt $WebhookCount; $i += 2500) {
+ $WebhookBatch = $Webhooks[$i..($i + 2499)]
+ $InputObject = [PSCustomObject]@{
+ OrchestratorName = 'WebhookOrchestrator'
+ Batch = @($WebhookBatch)
+ SkipLog = $true
+ }
+ #Write-Host ($InputObject | ConvertTo-Json)
+ $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5)
+ Write-Host "Started orchestration with ID = '$InstanceId'"
+ }
+} catch {
+ Write-LogMessage -API 'Webhooks' -message "Error processing webhooks - $($_.Exception.Message)" -sev Error
+} finally {
+ Write-LogMessage -API 'Webhooks' -message 'Webhook processing completed' -sev Info
 }
-#Write-Host ($InputObject | ConvertTo-Json)
-$InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5)
-Write-Host "Started orchestration with ID = '$InstanceId'"
-#$Orchestrator = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId
\ No newline at end of file

From f5fee6da0b1300bfdde2e4f3591c8f75751680f7 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Fri, 22 Mar 2024 09:24:33 -0400
Subject: [PATCH 8/9] up version

---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version_latest.txt b/version_latest.txt
index 7d3cdbf0dd04..84197c89467d 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-5.3.1
\ No newline at end of file
+5.3.2

From af3ccf4f319b20afd73e57bfa0f8a9958c7182b6 Mon Sep 17 00:00:00 2001
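Review bot: The finally block logs "Webhook processing completed" at Info even when Start-NewOrchestration threw and the remaining batches were never dispatched, so an operator reading the log sees a successful run immediately after the error line. Moving that message to the end of the try (after the for loop) and dropping finally makes "completed" mean every batch was started, and including how many batches were dispatched would make the line actionable. The batch size is also spelled twice, as 2500 in the for header and 2499 in the slice; `$BatchSize = 2500` with `$i += $BatchSize` and `$Webhooks[$i..($i + $BatchSize - 1)]` removes the chance of the two drifting apart. Whether `$Webhooks[$i..($i + 2499)]` slices correctly when Get-CIPPAzDataTableEntity returns a single entity rather than an array depends on that cmdlet's output shape, which is not visible here.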
From: John Duprey
Date: Fri, 22 Mar 2024 09:27:06 -0400
Subject: [PATCH 9/9] Update Push-CIPPAlertAppSecretExpiry.ps1

---
 .../Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
index 739f6953dfce..7b1b8b12fd4f 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
@@ -21,7 +21,7 @@ function Push-CIPPAlertAppSecretExpiry {
 }
 }
 } catch {
- Write-AlertMessage -tenant $($Item.Tenant) -message "Failed to check App registration expiry for $($Item.Tenant): $(Get-NormalizedError -message $_.Exception.message)"
+ #Write-AlertMessage -tenant $($Item.Tenant) -message "Failed to check App registration expiry for $($Item.Tenant): $(Get-NormalizedError -message $_.Exception.message)"
 }
 }