Surface SAM/GDAP configuration drift in top-level CIPP alerts#34
Draft
Dev to hotfix
Copilot (AI) changed the title from "[WIP] Add notification for permission issues in CIPP-SAM" to "Surface SAM/GDAP configuration drift in top-level CIPP alerts" on Mar 8, 2026
Dev to release
Introduce Invoke-ListMailboxForwarding HTTP entrypoint and Get-CIPPMailboxForwardingReport report function. The entrypoint parses request params (CIPPEndpoint, tenantFilter, ForwardingOnly), calls the report function, logs activity and returns HttpResponseContext with appropriate status codes. The report generator reads cached mailbox data via Get-CIPPDbItem, supports a TenantFilter and -ForwardingOnly switch, handles 'AllTenants' by aggregating per-tenant reports, computes forwarding status (External/Internal/Both/None), and returns PSCustomObjects with fields like UPN, DisplayName, PrimarySmtpAddress, ForwardingType, ForwardTo, DeliverToMailboxAndForward, Tenant and CacheTimestamp. Error handling and logging added for missing data and per-tenant failures.
Add UseReportDB query handling to fetch mailbox forwarding from the report DB (Get-CIPPMailboxForwardingReport). If UseReportDB=true the report function is called and returned; otherwise the code performs a live Exchange Online query (Get-Mailbox via New-ExoRequest), selects relevant fields and projects normalized PSCustomObjects with ForwardingType, ForwardTo, HasForwarding, and related properties. Also improve logging and error handling for both paths.
A mailbox forwarding report should only contain mailboxes with forwarding.
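The forwarding classification the commits above describe (External/Internal/Both/None, a ForwardingOnly filter, and the normalized output object), as an added example written for this page rather than CIPP's own Get-CIPPMailboxForwardingReport or Invoke-ListMailboxForwarding code. It assumes the input objects carry the Get-Mailbox properties ForwardingAddress (an internal recipient), ForwardingSmtpAddress (an arbitrary SMTP target, normally prefixed with smtp:) and DeliverToMailboxAndForward; the function name, the Tenant and CacheTimestamp parameters and the sample mailboxes are all constructed for the example.

```powershell
# Added example, not CIPP's code: classify Exchange Online mailbox forwarding.
# Assumption: $Mailboxes hold Get-Mailbox-shaped objects. In CIPP the live path would
# obtain them through New-ExoRequest; here the data is constructed below.
function Get-MailboxForwardingStatus {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Mailboxes,
        [string]   $Tenant = 'contoso.example',       # assumed tenant label
        [datetime] $CacheTimestamp = (Get-Date),      # assumed: when the cache was built
        [switch]   $ForwardingOnly
    )
    foreach ($mbx in $Mailboxes) {
        # ForwardingAddress = internal recipient; ForwardingSmtpAddress = any SMTP address,
        # which is the external (BEC-relevant) case.
        $internal = -not [string]::IsNullOrWhiteSpace($mbx.ForwardingAddress)
        $external = -not [string]::IsNullOrWhiteSpace($mbx.ForwardingSmtpAddress)
        $type = if ($internal -and $external) { 'Both' }
                elseif ($external) { 'External' }
                elseif ($internal) { 'Internal' }
                else { 'None' }

        # A forwarding report should only contain mailboxes that actually forward.
        if ($ForwardingOnly -and $type -eq 'None') { continue }

        $targets = @()
        if ($internal) { $targets += $mbx.ForwardingAddress }
        if ($external) { $targets += ($mbx.ForwardingSmtpAddress -replace '^smtp:', '') }

        [PSCustomObject]@{
            UPN                        = $mbx.UserPrincipalName
            DisplayName                = $mbx.DisplayName
            PrimarySmtpAddress         = $mbx.PrimarySmtpAddress
            ForwardingType             = $type
            ForwardTo                  = ($targets -join '; ')
            # $true keeps a copy in the mailbox, so the owner may never notice the forward.
            DeliverToMailboxAndForward = [bool]$mbx.DeliverToMailboxAndForward
            HasForwarding              = ($type -ne 'None')
            Tenant                     = $Tenant
            CacheTimestamp             = $CacheTimestamp
        }
    }
}

# Constructed sample mailboxes (not real tenant data).
$sampleMailboxes = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; DisplayName = 'Alice'; PrimarySmtpAddress = 'alice@contoso.example';
                       ForwardingAddress = $null; ForwardingSmtpAddress = 'smtp:collector@attacker.example'; DeliverToMailboxAndForward = $true }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example'; DisplayName = 'Bob'; PrimarySmtpAddress = 'bob@contoso.example';
                       ForwardingAddress = 'Shared Mailbox'; ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $false }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'; DisplayName = 'Carol'; PrimarySmtpAddress = 'carol@contoso.example';
                       ForwardingAddress = $null; ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $false }
)

# With -ForwardingOnly, Carol is dropped; Alice shows as External with a retained copy.
Get-MailboxForwardingStatus -Mailboxes $sampleMailboxes -ForwardingOnly | Format-Table
```

The External plus DeliverToMailboxAndForward=$true combination is the one worth alerting on first: the victim keeps receiving mail, so nothing looks wrong, while every message is copied out of the tenant.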
…box-forwarding-report Feature/mailbox forwarding report
also add env var backup table
Dev to hotfix
…state Two bugs caused scheduled offboarding tasks to silently disappear:
1. In Push-ExecScheduledCommand, if Invoke-CIPPOffboardingJob threw an exception the inner catch set $State='Failed', but the outer state update unconditionally set TaskState='Processing' for all orchestrator-based commands, ignoring the failure. The task was then stuck in 'Processing' showing "Orchestration in progress" with no way to recover. Fixed by checking $State before deciding between 'Processing' and 'Failed'.
2. In Start-UserTasksOrchestrator the recovery filter included stuck 'Pending' (>24h) and 'Running' (>4h) tasks but omitted 'Processing'. Any task stuck in 'Processing' (from bug #1 or from an orchestration where the post-execution handler itself failed) would never be retried. Fixed by adding 'Processing' to the recovery filter with the same 4-hour timeout used for 'Running'.
https://claude.ai/code/session_019TANRi9wms5e5W1nJgZWQm
… binding Start-CIPPOrchestrator was called without -CallerIsQueueTrigger from inside CIPPActivityFunction, causing it to fall through to Add-CippQueueMessage which uses Push-OutputBinding with a QueueItem binding that doesn't exist in activity function context. The queue message silently failed, leaving the GUID orphaned in table storage with the actual offboarding orchestration never starting. Passing -CallerIsQueueTrigger routes directly to Start-NewOrchestration which is available in the activity function context, allowing all 12 offboarding tasks to actually execute. https://claude.ai/code/session_019TANRi9wms5e5W1nJgZWQm
fix: Exclude 'On-Premises Directory Synchronization Service Account' from MFA reports
…t-hold-standard Fix: Update litigation hold standard to use more service plans
…ed-offboarding-activity Bug/scheduled offboarding activity
…oken for CippLogs table
18a64e9 to e7a6263
e7a6263 to 941681f
Admins currently have to manually run Access Checks to discover SAM permission drift or GDAP role/relationship issues, so important post-release permission changes are easy to miss. This change promotes those failures into the existing global alert stream so misconfiguration is visible immediately after login.
Alerting behavior update (Invoke-GetCippAlerts)
- Reads AccessChecks table entries:
  - PartitionKey='AccessCheck', RowKey='AccessPermissions'
  - PartitionKey='AccessCheck', RowKey='GDAPRelationships'
- SAM alert condition: Success=false, non-empty ErrorMessages, or MissingPermissions
- GDAP alert condition: GDAPIssues present

New alert types
- SAM Permission Issues Detected
- GDAP Relationship Issues Detected
- Both link to /cipp/settings (Access Checks) for remediation context.

Focused endpoint coverage
- Tests/Endpoint/Invoke-GetCippAlerts.Tests.ps1 to verify:
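The alert derivation described in this PR, as an added example that is not CIPP's Invoke-GetCippAlerts code: it evaluates the two AccessChecks rows and returns the alert objects that would be surfaced. It assumes the rows are already deserialized into objects whose ErrorMessages, MissingPermissions and GDAPIssues fields are arrays (if CIPP stores them as JSON strings they would need ConvertFrom-Json first), and that each row carries the Azure Table Timestamp of its last run. The function names, the MaxAgeHours staleness check and the sample rows are constructed for the example and are not part of the PR.

```powershell
# Added example, not CIPP's own code. Assumption: rows are plain objects with array-valued
# ErrorMessages / MissingPermissions / GDAPIssues and a Timestamp of the last check run.

function Test-HasItems {
    # True when $Value holds at least one non-null, non-blank element.
    # Note @($null).Count is 1 in PowerShell, so filter before counting.
    param($Value)
    return (@($Value | Where-Object { $null -ne $_ -and "$_" -ne '' }).Count -gt 0)
}

function Get-AccessCheckAlerts {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rows,
        [int] $MaxAgeHours = 24   # assumption: results older than this are flagged as stale
    )
    $alerts = [System.Collections.Generic.List[object]]::new()
    $link   = '/cipp/settings'    # Access Checks page, as named in the PR

    $sam  = $Rows | Where-Object { $_.PartitionKey -eq 'AccessCheck' -and $_.RowKey -eq 'AccessPermissions' } | Select-Object -First 1
    $gdap = $Rows | Where-Object { $_.PartitionKey -eq 'AccessCheck' -and $_.RowKey -eq 'GDAPRelationships' } | Select-Object -First 1

    # SAM: alert on Success=false, any ErrorMessages, or any MissingPermissions.
    # "$($sam.Success)" -eq 'false' matches both a boolean $false and the string 'false'.
    if ($null -ne $sam) {
        $samFailed = ("$($sam.Success)" -eq 'false') -or
                     (Test-HasItems $sam.ErrorMessages) -or
                     (Test-HasItems $sam.MissingPermissions)
        if ($samFailed) {
            $details  = @($sam.MissingPermissions | Where-Object { $_ } | ForEach-Object { "Missing: $_" })
            $details += @($sam.ErrorMessages      | Where-Object { $_ } | ForEach-Object { "Error: $_" })
            $alerts.Add([PSCustomObject]@{
                Alert     = 'SAM Permission Issues Detected'
                Link      = $link
                Details   = ($details -join '; ')
                CheckedAt = $sam.Timestamp
            })
        }
    }

    # GDAP: alert when the check recorded any issues.
    if ($null -ne $gdap -and (Test-HasItems $gdap.GDAPIssues)) {
        $alerts.Add([PSCustomObject]@{
            Alert     = 'GDAP Relationship Issues Detected'
            Link      = $link
            Details   = (@($gdap.GDAPIssues | ForEach-Object { "$($_.Tenant): $($_.Issue)" }) -join '; ')
            CheckedAt = $gdap.Timestamp
        })
    }

    # Caveat the PR text does not cover: a passing row that has not been refreshed recently
    # says nothing about current state, so surface staleness instead of silently trusting it.
    foreach ($row in @($sam, $gdap) | Where-Object { $_ }) {
        if ($row.Timestamp -and ((Get-Date) - [datetime]$row.Timestamp).TotalHours -gt $MaxAgeHours) {
            $alerts.Add([PSCustomObject]@{
                Alert     = "Access check '$($row.RowKey)' result is older than $MaxAgeHours hours"
                Link      = $link
                Details   = 'Re-run Access Checks before trusting this result'
                CheckedAt = $row.Timestamp
            })
        }
    }
    return $alerts
}

# Constructed sample rows (not real tenant data).
$sampleRows = @(
    [PSCustomObject]@{
        PartitionKey = 'AccessCheck'; RowKey = 'AccessPermissions'
        Success = $false; ErrorMessages = @(); MissingPermissions = @('Directory.ReadWrite.All')
        Timestamp = (Get-Date).AddHours(-2)
    }
    [PSCustomObject]@{
        PartitionKey = 'AccessCheck'; RowKey = 'GDAPRelationships'
        Success = $true; GDAPIssues = @([PSCustomObject]@{ Tenant = 'Contoso'; Issue = 'Relationship expires in 7 days' })
        Timestamp = (Get-Date).AddHours(-30)
    }
)

# Yields the SAM alert, the GDAP alert, and a staleness alert for the 30-hour-old GDAP row.
Get-AccessCheckAlerts -Rows $sampleRows | Format-List
```

Missing rows are deliberately not turned into alerts here, since the PR does not say how a never-run check should be reported; if that case matters in a deployment, it is a one-line addition beside the staleness loop.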