[pull] dev from KelvinTegelaar:dev

Config/FeatureFlags.json

@@ -34,13 +34,15 @@
       "ListCIPPUsers",
       "ExecSSOSetup",
       "ExecContainerManagement",
-      "ListContainerLogs"
+      "ListContainerLogs",
+      "ListWorkerHealth"
     ],
     "Pages": [
       "/cipp/advanced/super-admin/cipp-users",
       "/cipp/advanced/super-admin/sso",
       "/cipp/advanced/super-admin/container",
-      "/cipp/advanced/container-logs"
+      "/cipp/advanced/container-logs",
+      "/cipp/advanced/worker-health"
     ],
     "Hidden": true
   }

Config/standards.json

@@ -3746,7 +3746,7 @@
         "type": "number",
         "name": "standards.IntuneComplianceSettings.deviceComplianceCheckinThresholdDays",
         "label": "Compliance status validity period (days)",
-        "defaultValue": 130,
+        "defaultValue": 120,
         "validators": {
           "min": { "value": 1, "message": "Minimum value is 1" },
           "max": { "value": 120, "message": "Maximum value is 120" }

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheApplyBatch.ps1

@@ -35,8 +35,9 @@ function Push-CIPPDBCacheApplyBatch {
         Write-Information "Aggregated $($AllTasks.Count) cache tasks from all tenants"
 
         # Start a single flat orchestrator to execute all cache tasks
+        $TenantSuffix = if ($Item.Parameters.TenantFilter) { "_$($Item.Parameters.TenantFilter)" } else { '' }
         $InputObject = [PSCustomObject]@{
-            OrchestratorName = 'CIPPDBCacheExecute'
+            OrchestratorName = "CIPPDBCacheExecute$TenantSuffix"
             Batch            = @($AllTasks)
             SkipLog          = $true
         }

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Tests/Push-CIPPTestsApplyBatch.ps1

@@ -35,8 +35,9 @@ function Push-CIPPTestsApplyBatch {
         Write-Information "Aggregated $($AllTasks.Count) test tasks from all tenants"
 
         # Start a single flat orchestrator to execute all test tasks
+        $TenantSuffix = if ($Item.Parameters.TenantFilter) { "_$($Item.Parameters.TenantFilter)" } else { '' }
         $InputObject = [PSCustomObject]@{
-            OrchestratorName = 'CIPPTestsExecute'
+            OrchestratorName = "CIPPTestsExecute$TenantSuffix"
             Batch            = @($AllTasks)
             SkipLog          = $true
         }

Modules/CIPPCore/Public/Authentication/Initialize-CIPPAuth.ps1

@@ -108,7 +108,58 @@ function Initialize-CIPPAuth {
         }
     }
 
-    # 5. Post-migration cleanup: if CIPP_SSO_MIGRATION_APPID is still set but EasyAuth
+    # 5. Reconcile EasyAuth issuer with SSOMultiTenant setting: if EasyAuth is already
+    #    configured, check whether the issuer URL matches the current SSOMultiTenant value
+    #    from Key Vault. If it changed (e.g. toggled from single to multi-tenant), update
+    #    the EasyAuth config via ARM and restart.
+    if ($EasyAuthEnabled -and $AuthState.HasSAMCredentials -and -not $env:CIPP_SSO_MIGRATION_APPID) {
+        try {
+            $AuthConfigJson = $env:WEBSITE_AUTH_V2_CONFIG_JSON
+            if ($AuthConfigJson) {
+                $AuthConfig = $AuthConfigJson | ConvertFrom-Json -ErrorAction Stop
+                $CurrentIssuer = $AuthConfig.identityProviders.azureActiveDirectory.registration.openIdIssuer
+                $ConfiguredAppId = $AuthConfig.identityProviders.azureActiveDirectory.registration.clientId
+
+                if ($CurrentIssuer -and $ConfiguredAppId) {
+                    # Read SSOMultiTenant from KV/DevSecrets
+                    $SSOMultiTenant = $false
+                    if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true' -or $env:NonLocalHostAzurite -eq 'true') {
+                        try {
+                            $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+                            $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'SSO' and RowKey eq 'SSO'" -ErrorAction SilentlyContinue
+                            $SSOMultiTenant = $Secret.SSOMultiTenant -eq 'True'
+                        } catch { }
+                    } elseif ($KVName) {
+                        try {
+                            $MtVal = Get-CippKeyVaultSecret -VaultName $KVName -Name 'SSOMultiTenant' -AsPlainText -ErrorAction Stop
+                            $SSOMultiTenant = $MtVal -eq 'True'
+                        } catch { }
+                    }
+
+                    $ExpectedIssuer = if ($SSOMultiTenant) {
+                        'https://login.microsoftonline.com/common/v2.0'
+                    } else {
+                        "https://login.microsoftonline.com/$($env:TenantID)/v2.0"
+                    }
+
+                    if ($CurrentIssuer -ne $ExpectedIssuer) {
+                        Write-Information "[Auth-Init] EasyAuth issuer mismatch: current=$CurrentIssuer expected=$ExpectedIssuer — updating"
+                        $Configured = Set-CIPPSSOEasyAuth -AppId $ConfiguredAppId -MultiTenant $SSOMultiTenant -TenantId $env:TenantID
+                        if ($Configured) {
+                            Write-Information '[Auth-Init] EasyAuth issuer updated — requesting container restart'
+                            [Craft.Services.AppLifecycleBridge]::RequestRestart('EasyAuth issuer updated to match SSOMultiTenant setting during warmup')
+                        }
+                    } else {
+                        Write-Information "[Auth-Init] EasyAuth issuer matches SSOMultiTenant setting ($SSOMultiTenant) — no update needed"
+                    }
+                }
+            }
+        } catch {
+            Write-Information "[Auth-Init] EasyAuth issuer reconciliation failed (non-fatal): $_"
+        }
+    }
+
+    # 6. Post-migration cleanup: if CIPP_SSO_MIGRATION_APPID is still set but EasyAuth
     #    is now configured, check whether the EasyAuth clientId still matches the migration
     #    app. If it differs, the customer's own CIPP-SSO app is active and we can remove
     #    the migration trigger env var.

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -209,6 +209,14 @@ function Test-CIPPAccess {
                 'permissions'     = $Permissions
             }
 
+            # Hosted payment status checks — shown to all users (no permission gating)
+            if ($env:cipp_hosted_subscription_ended) {
+                $MeResponse['hostedSubscriptionEnded'] = $true
+            }
+            if ($env:cipp_hosted_failed_payments) {
+                $MeResponse['hostedFailedPayments'] = $true
+            }
+
             # Forced SSO migration: non-dismissible prompt when migration env var is set
             if ($env:CIPP_SSO_MIGRATION_APPID -and $Permissions -contains 'CIPP.AppSettings.ReadWrite') {
                 $MeResponse['forceSsoMigration'] = @{

Modules/CIPPCore/Public/Authentication/Update-CIPPSAMRedirectUri.ps1

@@ -29,7 +29,7 @@ function Update-CIPPSAMRedirectUri {
     )
 
     try {
-        $AppResponse = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appId='$($env:ApplicationID)')?`$select=id,web" -tenantid $env:TenantID -NoAuthCheck $true
+        $AppResponse = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appId='$($env:ApplicationID)')?`$select=id,web" -tenantid $env:TenantID -NoAuthCheck $true -AsApp $true
         $ExistingUris = @($AppResponse.web.redirectUris)
         $MissingUris = $RequiredUris | Where-Object { $_ -notin $ExistingUris }
 
@@ -46,7 +46,7 @@ function Update-CIPPSAMRedirectUri {
             web = @{ redirectUris = $UpdatedUris }
         } | ConvertTo-Json -Depth 5
 
-        New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($AppResponse.id)" -body $Body -tenantid $env:TenantID -type PATCH -NoAuthCheck $true
+        New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($AppResponse.id)" -body $Body -tenantid $env:TenantID -type PATCH -NoAuthCheck $true -AsApp $true
         Write-Information "[SAM-Redirect] Added redirect URIs: $($MissingUris -join ', ')"
         Write-LogMessage -API 'SAM-Redirect' -message "Added redirect URIs: $($MissingUris -join ', ')" -sev Info
     } catch {

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-CIPPDBTestsRun.ps1

@@ -69,12 +69,16 @@ function Start-CIPPDBTestsRun {
         Write-Information "Built batch of $($Batch.Count) tenant test list activities"
 
         # Phase 2 via PostExecution: Aggregate all task lists and start flat execution orchestrator
+        $NameSuffix = if ($TenantFilter -ne 'allTenants') { "-$TenantFilter" } else { '' }
         $InputObject = [PSCustomObject]@{
-            OrchestratorName = 'TestsList'
+            OrchestratorName = "TestsList$NameSuffix"
             Batch            = @($Batch)
             SkipLog          = $true
             PostExecution    = @{
                 FunctionName = 'CIPPTestsApplyBatch'
+                Parameters   = @{
+                    TenantFilter = $TenantFilter
+                }
             }
         }
 

Modules/CIPPCore/Public/Get-CIPPGeoIPLocation.ps1

@@ -12,7 +12,10 @@ function Get-CIPPGeoIPLocation {
         return ($GeoIP.Data | ConvertFrom-Json)
     }
     $location = Invoke-CIPPRestMethod -Uri "https://geoipdb.azurewebsites.net/api/GetIPInfo?IP=$IP"
-    if ($location.status -eq 'FAIL') { throw "Could not get location for $IP" }
+    if ($location.status -eq 'FAIL') {
+        Write-logMessage -API GeoIPLocation -message "Failed to get location for $IP. API returned status 'FAIL' with message: $($location.message)" -sev Warning
+        throw "Could not get location for $IP"
+    }
     $CacheGeo = @{
         PartitionKey = 'IP'
         RowKey       = $IP

Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1

@@ -12,7 +12,8 @@ function New-CIPPCAPolicy {
         $APIName = 'Create CA Policy',
         $Headers,
         $PreloadedCAPolicies = $null,
-        $PreloadedLocations = $null
+        $PreloadedLocations = $null,
+        $PreloadedSecurityDefaults = $null
     )
 
     # Helper function to replace group display names with GUIDs
@@ -490,16 +491,30 @@ function New-CIPPCAPolicy {
         }
     }
     if ($DisableSD -eq $true) {
-        #Send request to disable security defaults.
-        $body = '{ "isEnabled": false }'
-        try {
-            $null = New-GraphPostRequest -tenantid $TenantFilter -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -asApp $true
-            Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Disabled Security Defaults for tenant $($TenantFilter)" -Sev 'Info'
-            Start-Sleep 3
-        } catch {
-            $ErrorMessage = Get-CippException -Exception $_
-            Write-Information "Error disabling security defaults: $($ErrorMessage | ConvertTo-Json -Depth 10 -Compress)"
-            Write-Information "Failed to disable security defaults for tenant $($TenantFilter): $($ErrorMessage.NormalizedError)"
+        # Check if Security Defaults is already disabled using preloaded or live data
+        $SDPolicy = $PreloadedSecurityDefaults
+        if ($null -eq $SDPolicy) {
+            try {
+                $SDPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter -AsApp $true
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-Information "Error fetching Security Defaults status: $($ErrorMessage | ConvertTo-Json -Depth 10 -Compress)"
+            }
+        }
+
+        if ($SDPolicy.isEnabled -eq $false) {
+            Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message 'Security Defaults already disabled, skipping.' -Sev 'Info'
+        } else {
+            $body = '{ "isEnabled": false }'
+            try {
+                $null = New-GraphPostRequest -tenantid $TenantFilter -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -asApp $true
+                Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Disabled Security Defaults for tenant $($TenantFilter)" -Sev 'Info'
+                Start-Sleep 3
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-Information "Error disabling security defaults: $($ErrorMessage | ConvertTo-Json -Depth 10 -Compress)"
+                Write-Information "Failed to disable security defaults for tenant $($TenantFilter): $($ErrorMessage.NormalizedError)"
+            }
         }
     }
     $RawJSON = ConvertTo-Json -InputObject $JSONobj -Depth 10 -Compress

Modules/CIPPCore/Public/Set-CIPPAuthenticationPolicy.ps1

@@ -21,7 +21,7 @@ function Set-CIPPAuthenticationPolicy {
     $State = if ($Enabled) { 'enabled' } else { 'disabled' }
     # Get current state of the called authentication method and Set state of authentication method to input state
     try {
-        $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/$AuthenticationMethodId" -tenantid $Tenant
+        $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/$AuthenticationMethodId" -tenantid $Tenant -AsApp $True
         $CurrentInfo.state = $State
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
@@ -137,7 +137,7 @@ function Set-CIPPAuthenticationPolicy {
     try {
         if ($PSCmdlet.ShouldProcess($AuthenticationMethodId, "Set state to $State $OptionalLogMessage")) {
             # Convert body to JSON and send request
-            $null = New-GraphPostRequest -tenantid $Tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/$AuthenticationMethodId" -Type PATCH -Body (ConvertTo-Json -InputObject $CurrentInfo -Compress -Depth 10) -ContentType 'application/json'
+            $null = New-GraphPostRequest -tenantid $Tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/$AuthenticationMethodId" -Type PATCH -Body (ConvertTo-Json -InputObject $CurrentInfo -Compress -Depth 10) -ContentType 'application/json' -AsApp $True
             Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Set $AuthenticationMethodId state to $State $OptionalLogMessage" -sev Info
         }
         return "Set $AuthenticationMethodId state to $State $OptionalLogMessage"

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheAdminConsentRequestPolicy.ps1

@@ -19,8 +19,7 @@ function Set-CIPPDBCacheAdminConsentRequestPolicy {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching admin consent request policy' -sev Debug
         $ConsentPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $TenantFilter
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AdminConsentRequestPolicy' -Data @($ConsentPolicy)
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AdminConsentRequestPolicy' -Data @($ConsentPolicy) -Count
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AdminConsentRequestPolicy' -Data @($ConsentPolicy) -AddCount
         $ConsentPolicy = $null
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached admin consent request policy successfully' -sev Debug

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheAppRoleAssignments.ps1

@@ -39,8 +39,7 @@ function Set-CIPPDBCacheAppRoleAssignments {
         }
 
         if ($AllAppRoleAssignments.Count -gt 0) {
-            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AppRoleAssignments' -Data $AllAppRoleAssignments
-            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AppRoleAssignments' -Data $AllAppRoleAssignments -Count
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AppRoleAssignments' -Data $AllAppRoleAssignments -AddCount
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($AllAppRoleAssignments.Count) app role assignments" -sev Debug
         }
         $AllAppRoleAssignments = $null

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheApps.ps1

@@ -21,8 +21,7 @@ function Set-CIPPDBCacheApps {
 
         $Apps = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/applications?$top=999&expand=owners' -tenantid $TenantFilter
         if (!$Apps) { $Apps = @() }
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Apps' -Data $Apps
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Apps' -Data $Apps -Count
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Apps' -Data $Apps -AddCount
         $Apps = $null
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached applications successfully' -sev Debug

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheAuthenticationFlowsPolicy.ps1

@@ -22,8 +22,7 @@ function Set-CIPPDBCacheAuthenticationFlowsPolicy {
         $AuthFlowPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationFlowsPolicy' -tenantid $TenantFilter -AsApp $true
 
         if ($AuthFlowPolicy) {
-            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationFlowsPolicy' -Data @($AuthFlowPolicy)
-            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationFlowsPolicy' -Data @($AuthFlowPolicy) -Count
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationFlowsPolicy' -Data @($AuthFlowPolicy) -AddCount
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached authentication flows policy successfully' -sev Debug
         }
 

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheAuthenticationMethodsPolicy.ps1

@@ -19,8 +19,7 @@ function Set-CIPPDBCacheAuthenticationMethodsPolicy {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching authentication methods policy' -sev Debug
         $AuthMethodsPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $TenantFilter
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationMethodsPolicy' -Data @($AuthMethodsPolicy)
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationMethodsPolicy' -Data @($AuthMethodsPolicy) -Count
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationMethodsPolicy' -Data @($AuthMethodsPolicy) -AddCount
         $AuthMethodsPolicy = $null
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached authentication methods policy successfully' -sev Debug

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheAuthorizationPolicy.ps1

@@ -19,8 +19,7 @@ function Set-CIPPDBCacheAuthorizationPolicy {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching authorization policy' -sev Debug
         $AuthPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy' -tenantid $TenantFilter
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthorizationPolicy' -Data @($AuthPolicy)
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthorizationPolicy' -Data @($AuthPolicy) -Count
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthorizationPolicy' -Data @($AuthPolicy) -AddCount
         $AuthPolicy = $null
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached authorization policy successfully' -sev Debug

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheB2BManagementPolicy.ps1

@@ -23,8 +23,7 @@ function Set-CIPPDBCacheB2BManagementPolicy {
         $B2BManagementPolicy = $LegacyPolicies
 
         if ($B2BManagementPolicy) {
-            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'B2BManagementPolicy' -Data @($B2BManagementPolicy)
-            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'B2BManagementPolicy' -Data @($B2BManagementPolicy) -Count
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'B2BManagementPolicy' -Data @($B2BManagementPolicy) -AddCount
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached B2B management policy successfully' -sev Debug
         } else {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No B2B management policy found' -sev Debug

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheBitlockerKeys.ps1

@@ -21,8 +21,7 @@ function Set-CIPPDBCacheBitlockerKeys {
 
         $BitlockerKeys = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/informationProtection/bitlocker/recoveryKeys' -tenantid $TenantFilter
         if (!$BitlockerKeys) { $BitlockerKeys = @() }
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'BitlockerKeys' -Data $BitlockerKeys
-        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'BitlockerKeys' -Data $BitlockerKeys -Count
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'BitlockerKeys' -Data $BitlockerKeys -AddCount
         $BitlockerKeys = $null
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached BitLocker recovery keys successfully' -sev Debug