[pull] master from KelvinTegelaar:master#93
Merged
pull[bot] merged 202 commits intoInformatics123:masterfrom Feb 20, 2026
Merged
[pull] master from KelvinTegelaar:master#93pull[bot] merged 202 commits intoInformatics123:masterfrom
pull[bot] merged 202 commits intoInformatics123:masterfrom
Conversation
[pull] dev from KelvinTegelaar:dev
[pull] dev from KelvinTegelaar:dev
[pull] dev from KelvinTegelaar:dev
[pull] dev from KelvinTegelaar:dev
[pull] dev from KelvinTegelaar:dev
[pull] dev from KelvinTegelaar:dev
feat(api): add reusable settings template endpoints and tests feat(api): add reusable settings template standard and tests feat(intune): enhance reusable settings handling in templates adds reusable setting template reference from within intune templates. Attempts to acquire a template match by reusable setting disaplayname and references the discovered template if found. if not, creates a new template and references that. This also enhances the standards experience to allow for simply deploying your intune policy. Everything else is automatic. fix: Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> fix(standards): change impact from High to Low refactor(api): extract reusable setting sync to helper Update Tests/Standards/Invoke-CIPPStandardReusableSettingsTemplate.Tests.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> test(tests): update assertions for New-GraphPOSTRequest feat(api): add support for reusable settings in Intune policy refactor(api): extract metadata removal function into helper refactor(api): implement reusable settings discovery helper chore(api): update added date for reusable settings template refactor(api): remove package field from reusable setting templates fix(api): undo over-zealous changes on existing file refactor(api): enhance reusable settings discovery logic refactor(api): remove unused reusable settings assignment refactor(api): rename normalization function to approved verb fix(api): change impact level from high to low test(api): add metadata cleanup function to tests refactor(api): ensure string serialization for RawJSON refactor(api): optimize ReusableSettings initialization fix(api): move helper functions into public moving helper functions into public as that seems to be where the bulk of existing ones actually live fix(api): clean up spacing and foreach childResults refactor(api): optimize array handling in metadata removal refactor(api): replace Write-Information with Write-Verbose for ReusableSettings logging fix(tests): remove unused package field from test data Update Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This fix resolves issue #5257 where Hudu sync was creating thousands of duplicate user and device entries. Root Cause: - The $People and $HuduDevices collections were fetched once at the start of the sync process - When new users/devices were created in Hudu during the sync, they were not added to these in-memory collections - Subsequent iterations or sync runs would not find the newly created assets in the stale collections and create them again, leading to duplicates Changes: - Converted $People and $HuduDevices from static arrays to System.Collections.Generic.List[object] for efficient mutation - Added newly created users to $People collection after creation - Added newly created devices to $HuduDevices collection after creation - This ensures the collections stay up-to-date during the sync process and prevents duplicate creation Fixes: KelvinTegelaar/CIPP#5257 💘 Generated with Crush Assisted-by: Claude Sonnet 4.5 via Crush <crush@charm.land>
Updated the "Vulnerabilities" alert to support multiple inputs for age, CVSS severity, and exploitability levels. This allows for more granular control over vulnerability monitoring. Adjusted the description for clarity.
- Updated the logic to filter incidents based on severity. - Added additional incident properties: CreatedAt, IncidentID, and IncidentUrl.
Added a new alert configuration for DefenderAlerts that includes a recommended run interval of 4 hours and allows users to filter alerts by severity. The input options include All Severities, High, Medium, Low, and Informational.
… minimize requests
Remove .value from $signins as this is done is new-GraphGetRequest already so $SignIns.value.value is null
Optimise getting users licences, making bulk graph requests making it much faster when updating more than 1 licence.
Accumulate nested group memberships into a typed List and use AddRange to correctly collect results from Graph queries. Rename loop variables to avoid shadowing ($RoleGroup / $ExpectedGroup) and update matching/log messages accordingly. Include nested groups in the returned Memberships so missing-group detection considers indirect membership; preserve AdminAgents as an error-level issue.
Fixes failing calls for license lookups by moving to a new endpoint
Refactor: guest invitation logic in Invoke-AddGuest
Licence management granular control and optimisations
Update Get-CIPPAlertSmtpAuthSuccess.ps1
Update Start-UpdateTokensTimer.ps1 to include servicePrincipalLockConfiguration in the Graph GET response, rename variables for clarity. Check servicePrincipalLockConfiguration; if it's not enabled, enable it via a PATCH request and write an informational log entry.
Introduce Update-AppManagementPolicy.ps1 which queries tenant default and app management policies via bulk Graph requests, detects credential creation restrictions, and creates/updates/assigns a "CIPP-SAM Exemption Policy" to allow the CIPP-SAM app to manage credentials. The function returns a PSCustomObject with policy state and a PolicyAction message and handles errors gracefully. Also update Invoke-ExecCreateSAMApp.ps1 and Start-UpdateTokensTimer.ps1 to call Update-AppManagementPolicy and log the resulting PolicyAction before proceeding with password/key operations.
Wrap calls to Update-AppManagementPolicy in try/catch in two entrypoints to avoid unhandled exceptions and improve diagnostics. Files changed: Invoke-ExecCreateSAMApp.ps1 and Start-UpdateTokensTimer.ps1. On success the original PolicyAction is still written; on failure a warning with the exception message is logged and the invocation position info is emitted to aid troubleshooting.
Call Update-AppManagementPolicy after creating apps/SPs and make the policy helper tenant- and app-aware. - New-CIPPAPIConfig.ps1 & Invoke-ExecSendPush.ps1: add try/catch calls to Update-AppManagementPolicy immediately after creating the application/service principal and log the result or failure. - Update-AppManagementPolicy.ps1: add parameters (TenantFilter, ApplicationId) instead of relying on environment variables; pass tenantid into Graph requests; check the provided ApplicationId when evaluating policy targets; rename exemption policy displayName/description from "CIPP-SAM Exemption Policy" to "CIPP Exemption Policy" and adjust related logic; ensure updates/assignments use the tenant scope. These changes ensure newly created apps get an exemption when tenant defaults block credential creation and allow the helper to operate across explicit tenants and application IDs.
Wraps the Autopilot profile assignment in a try/catch to handle errors, moves the success info log into the try block, and logs failures with Get-CippException details. Also tightens message interpolation for AssignTo and TenantFilter to produce clearer logs and a consistent success string.
When multiple policies share the same displayName, choose the most recently modified one. Added Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1 to displayName/Name lookups across Get-CIPPIntunePolicy.ps1 (including Android/iOS bulk results and various template branches) so the function returns the latest matching policy instead of an arbitrary/older one or duplicates.
Only assign $Settings.days to the LitigationHoldDuration parameter if it is a positive integer or the string 'Unlimited'. Adds a TryParse check and conditional logic to avoid passing invalid/non-numeric values to the cmdlet, preventing erroneous requests.
Move PIM-related cache entries into the Azure AD Premium P2 cache list and update the section heading. Removed RoleEligibilitySchedules, RoleManagementPolicies and RoleAssignmentScheduleInstances from the earlier list and added RoleEligibilitySchedules, RoleAssignmentSchedules and RoleManagementPolicies to the P2 cache functions. Also updated the region comment to "Identity Protection/PIM features" to reflect the grouping.
Dev to release
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )