Skip to content

[pull] dev from KelvinTegelaar:dev#105

Open
pull[bot] wants to merge 486 commits into
isgq-github01:devfrom
KelvinTegelaar:dev
Open

[pull] dev from KelvinTegelaar:dev#105
pull[bot] wants to merge 486 commits into
isgq-github01:devfrom
KelvinTegelaar:dev

Conversation

@pull

@pull pull Bot commented Jun 16, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot locked and limited conversation to collaborators Jun 16, 2026
@pull pull Bot added the ⤵️ pull label Jun 16, 2026
pull Bot and others added 28 commits June 24, 2026 17:36
[pull] dev from KelvinTegelaar:dev
Add grantMobileThreatDefensePartnerRole to the Mobile Threat Defense
connector payload in both the deployment handler and the
DefenderCompliancePolicy standard, so the new Intune option is deployable
and enforceable.

Fix the crossed iOS connector mappings: AppSync now drives
allowPartnerToCollectIOSApplicationMetadata and ConnectIosCompliance drives
iosMobileApplicationManagementEnabled (MAM), and add the personal
app-inventory property. This corrects the property each toggle controls,
so existing iOS configs change behaviour. Sync Config/standards.json.
Introduce the grantMobileThreatDefensePartnerRole to the Mobile Threat
Defense connector payload, ensuring it is deployable and enforceable.
Correct iOS connector mappings to align with intended functionality. It
was mapped to the wrong property.

Frontend PR: KelvinTegelaar/CIPP#6231
[pull] dev from KelvinTegelaar:dev
Add severity and resolvingComment to the incident PATCH so users can
reprioritise and document why an incident was resolved. Build the body
as a hashtable/JSON so free-text comments with quotes are escaped, and
gate assignee changes behind an explicit AssignToSelf flag so status
and severity and status edits no longer clobber the existing owner.
[pull] dev from KelvinTegelaar:dev
The SetAuthMethod endpoint only toggled state and group targeting, so
method-specific options (TAP lifetimes/usable-once, Authenticator feature
settings, Email OTP external/exclude, QR code, FIDO2 attestation and
self-service, Voice office phone, SMS sign-in) could not be managed from
the portal. Forward those settings through the handler, honor them in
Set-CIPPAuthenticationPolicy, treat an explicit empty Email exclude list
as a clear, and add Pester coverage.
[pull] dev from KelvinTegelaar:dev
[pull] dev from KelvinTegelaar:dev
…rting correctly. (#2105)

Updated "Get-CIPPStadnards.ps1" to resolve Custom Quarantine Policy not
reporting correctly and always showing as non compliant due to Expected
and Current not returning information.

Fix now reports Expected and Current resulting in Compliant if complete
and non-compliants if missing.
JohnDuprey and others added 30 commits July 10, 2026 10:03
Signed-off-by: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com>
Add SAMCertProvisionAttempted guard to break recursion when Update-CIPPSAMCertificate calls Get-GraphToken, which re-enters Get-CIPPAuthentication before the cert env var is set.

Also short-circuit Key Vault retry loop on 404 responses since the secret is definitively absent and retrying with backoff only adds latency.
Parse app template config JSON with `-AsHashtable` before converting it back to a PSCustomObject so templates can carry both `applicationName` and `ApplicationName` without losing data. This avoids deployment issues caused by PowerShell's default case-insensitive JSON object handling.
Replace `Compare-Object` checks with sorted string equality for Teams federation allowed/blocked domain matching. This prevents parameter binding failures when one side is an empty array while preserving exact list-match behavior.
- Replace silent Write-Information bulk error messages with structured Write-LogMessage calls including normalized error details and batch counts
- Handle duplicate document templates gracefully by selecting the oldest instead of throwing
- Clear stale user/update cache entries from Azure Table Storage at sync start rather than reusing potentially stale data
- Remove debug Write-Host from document template creation
Update role permission filtering to compare normalized permission bases instead of exact strings. The code now strips `.Read`/`.ReadWrite` suffixes and uses a case-insensitive hash set of valid permissions, preventing legitimate role permissions from being incorrectly filtered out when access level suffixes differ.
Update NinjaOne tenant sync to resolve the SharePoint Admin URL via `Get-SharePointAdminLink` and gracefully fall back to a tenant-derived `https://<tenant>-admin.sharepoint.com` URL if lookup fails. The SharePoint management link now uses the resolved admin URL instead of the partner session redirect, improving reliability for tenant link mapping.
Update the NinjaOne tenant sync CVE upload path to call `New-VulnCsvBytes` with only the supported parameters. This aligns the invocation with the helper signature and avoids passing an unused `TenantFilter` argument during vulnerability CSV generation.
Added the `i` flag to the Conventional Commits regex so PR titles with uppercase type prefixes (e.g., `Fix:`, `FEAT:`) are also accepted.
Include Intune managed app protection policies in the policy listing endpoint and map them to the compare endpoint. The list output now classifies iOS, Android, and Windows app protection policies so they appear with clearer policy type names.
Tightens app role existence checks in `Add-CIPPApplicationPermission` to match both `appRoleId` and `resourceId` instead of only role ID. This prevents skipping valid role assignments when the same role ID appears across different service principals.
When AppCache.ApplicationId differs from the Key Vault-backed ApplicationID, Get-GraphToken now reloads auth and updates the AppCache marker to the KV value. This prevents repeated auth reloads on every token request when AppCache and KV are out of sync.
Expand the NudgeMFA standard to support:
- Multiple authentication methods (Authenticator, Passkey)
- Group-level include/exclude targeting with group name resolution
- Snooze enforcement limits (max 3 snoozes)

Adds Set-CIPPRegistrationCampaign helper function as a single writer for the campaign, shared by the new ExecRegistrationCampaign HTTP endpoint and the enhanced NudgeMFA standard. The standard now supports both portal-configured and template-specified group targeting, with full compliance comparison.
Expand the NudgeMFA standard to support:
- Multiple authentication methods (Authenticator, Passkey)
- Group-level include/exclude targeting with group name resolution
- Snooze enforcement limits (max 3 snoozes)

Adds Set-CIPPRegistrationCampaign helper function as a single writer for
the campaign, shared by the new ExecRegistrationCampaign HTTP endpoint
and the enhanced NudgeMFA standard. The standard now supports both
portal-configured and template-specified group targeting, with full
compliance comparison.

Backwards compatible with any current configuration
Update the default assignment mode to 'append' for a less destructive
default.

Frontend PR: KelvinTegelaar/CIPP#6342
Convert `AgeLimitForRetention` from `TimeSpan.TotalDays` to an integer before state comparison in `Invoke-CIPPStandardRetentionPolicyTag`. This avoids decimal day values causing false drift detection when validating retention policy tag settings.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.