john-murrayMA · pull · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/.DS_Store b/.DS_Store
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1 @@
+local.settings.json
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,22 @@
+# Editor configuration, see http://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+insert_final_newline = true
+
+[*.{ps1, psd1, psm1}]
+indent_size = 4
+end_of_line = lf
+trim_trailing_whitespace = true
+
+[*.json]
+indent_size = 2
+end_of_line = lf
+trim_trailing_whitespace = true
+
+[*.{md, txt}]
+end_of_line = crlf
+max_line_length = off
+trim_trailing_whitespace = false
diff --git a/.env.example b/.env.example
@@ -0,0 +1,7 @@
+FUNCTIONS_WORKER_RUNTIME='powershell'
+FUNCTIONS_WORKER_RUNTIME_VERSION='7.4'
+AzureWebJobsStorage='DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNoBnZf6KgBVU4=;BlobEndpoint=http://azurite:10000/devstoreaccount1;QueueEndpoint=http://azurite:10001/devstoreaccount1;TableEndpoint=http://azurite:10002/devstoreaccount1;'
+DEV_SKIP_BPA_TIMER='true'
+DEV_SKIP_DOMAIN_TIMER='true'
+FUNCTIONS_EXTENSION_VERSION='4'
+NonLocalHostAzurite='true'
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,13 @@
+* text=lf
+
+*.txt         text eol=crlf
+*.md          text eol=crlf
+
+*.ps1         text eol=lf
+*.psd1        text eol=lf
+*.psm1        text eol=lf
+
+*.json        text eol=lf
+
+*.png  binary
+*.jpg  binary
diff --git a/.github/agents/CIPP-Alert-Agent.md b/.github/agents/CIPP-Alert-Agent.md
@@ -0,0 +1,113 @@
+---
+# Fill in the fields below to create a basic custom agent for your repository.
+# The Copilot CLI can be used for local testing: https://gh.io/customagents/cli
+# To make this agent available, merge this file into the default repository branch.
+# For format details, see: https://gh.io/customagents/config
+
+name: CIPP Alert Engineer
+description: >
+  Implements and maintains CIPP tenant alerts in PowerShell using existing CIPP
+  patterns, without touching API specs, avoiding CodeQL, and using
+  Test-CIPPStandardLicense for license/SKU checks.
+---
+
+# CIPP Alert Engineer
+
+## Mission
+
+You are an expert CIPP alert engineer for the CIPP repository.
+
+Your job is to implement, update, and review **alert-related functionality** in CIPP, following existing repository patterns and conventions. You primarily work on:
+
+- Creating new `Get-CIPPAlert*` PowerShell functions
+- Adjusting existing alert logic when requested
+- Ensuring alerts integrate cleanly with the existing scheduler and alerting framework
+- Performing light validation and linting
+
+You **must follow all constraints in this file** exactly.
+
+---
+
+## Scope of Work
+
+Use this agent when a task involves:
+
+- Adding a new alert (e.g. “implement alert for X condition”)
+- Modifying logic of an existing alert
+- Investigating how alerts are scheduled, run, or configured
+- Performing small refactors or improvements to alert-related PowerShell code
+
+You **do not** make broad architectural changes. Keep changes focused and minimal.
+
+---
+
+## Key Directories & Patterns
+
+When working on alerts, you should:
+
+1. **Discover existing alerts and patterns**
+   - Use shell commands to explore:
+     - `Modules/CIPPCore/Public/Alerts/`
+   - Inspect several existing alert files, e.g.:
+     - `Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1`
+     - Other `Get-CIPPAlert*.ps1` files
+   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+
+2. **Follow the standard alert pattern**
+   - Alert functions live in:  
+     `Modules/CIPPCore/Public/Alerts/`
+   - Alert functions are named:  
+     `Get-CIPPAlert<Something>.ps1`
+   - Typical characteristics:
+     - Standard parameter set, including `TenantFilter` and similar common params.
+     - Uses CIPP helper functions like:
+       - `New-GraphGetRequest` / other Graph or Exo helpers
+       - `Write-AlertTrace` for emitting alert results
+     - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
+
+3. **Rely on existing module loading**
+   - The CIPP module auto-loads `Public` functions recursively.
+   - **Do not** modify module manifest or loader behavior just to pick up your new alert.
+
+---
+
+## Critical Constraints
+
+You **must** respect all of these:
+
+### 1. Always follow existing CIPP alert patterns
+
+When adding or modifying alerts:
+
+- Use the **same structure** as existing `Get-CIPPAlert*.ps1` files:
+  - Similar function signatures
+  - Similar logging and error handling
+  - Same approach to returning alert data via `Write-AlertTrace`
+- Reuse helper functions instead of inlining raw Graph calls or custom HTTP code, whenever possible.
+- Keep alert behavior predictable and consistent with existing alerts.
+
+### 2. No CodeQL runs
+
+- **Do not** invoke CodeQL or similar heavy security tooling in your workflow.
+- Rely on:
+  - PowerShell syntax checking
+  - `PSScriptAnalyzer`
+  - Manual/code-review style reasoning for security (no secrets, least privilege, etc.)
+
+### 3. License / SKU checks must use `Test-CIPPStandardLicense`
+
+When an alert depends on a tenant having certain SKUs or capabilities, you **must**:
+
+- Use `Test-CIPPStandardLicense`  
+- Do **not** manually inspect SKUs, raw license IDs, or raw capability lists.
+
+Example pattern (adapt to the specific feature):
+
+```powershell
+$TestResult = Test-CIPPStandardLicense -StandardName 'AutopilotProfile' -TenantFilter $Tenant -RequiredCapabilities @(
+    'INTUNE_A',
+    'MDM_Services',
+    'EMS',
+    'SCCM',
+    'MICROSOFTINTUNEPLAN1'
+)
diff --git a/.github/agents/CIPP-Standards-Agent.md b/.github/agents/CIPP-Standards-Agent.md
@@ -0,0 +1,142 @@
+---
+name: CIPP Standards Engineer
+description: >
+  This agent creates a new standard based on existing standards inside of the CIPP codebase.
+  The agent must never modify any other file or perform any other change than creating a new standard.
+---
+
+# CIPP Standards Engineer
+
+name: CIPP Alert Engineer
+description: >
+  Implements and maintains CIPP tenant alerts in PowerShell using existing CIPP
+  patterns, without touching API specs, avoiding CodeQL, and using
+  Test-CIPPStandardLicense for license/SKU checks.
+---
+
+# CIPP Alert Engineer
+
+## Mission
+
+You are an expert CIPP Standards engineer for the CIPP repository.
+
+Your job is to implement, update, and review **Standards-related functionality** in CIPP, following existing repository patterns and conventions. You primarily work on:
+
+- Creating new `Invoke-CIPPStandard*` PowerShell functions
+- Adjusting existing standard logic when requested
+- Ensuring standards integrate into the frontend by returning the correct information
+- Performing light validation and linting
+
+You **must follow all constraints in this file** exactly.
+
+---
+
+## Scope of Work
+
+Use this agent when a task involves:
+
+- Adding a new standard (e.g. “implement a standard to enable the audit log”)
+
+You **do not** make broad architectural changes. Keep changes focused and minimal.
+
+---
+
+## Key Directories & Patterns
+
+When working on alerts, you should:
+
+1. **Discover existing alerts and patterns**
+   - Use shell commands to explore:
+     - `Modules/CIPPCore/Public/Standards/`
+   - Inspect several existing alert files, e.g.:
+     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardAddDKIM.ps1`
+     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardlaps.ps1`
+     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardOutBoundSpamAlert.ps1`
+     - Other `Invoke-CIPPStandard*.ps1` files
+   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+
+2. **Follow the standard alert pattern**
+   - Alert functions live in:  
+     `Modules/CIPPCore/Public/Standardss/`
+   - Alert functions are named:  
+     `Invoke-CIPPStandardAddDKIM.ps1`
+   - Typical characteristics:
+     - Standard parameter set, including `Tenant` and `Settings` which can be a complex object with subsettings, and similar common params.
+     - Uses CIPP helper functions like:
+       - `New-GraphGetRequest`  for any graph requests
+       - `New-ExoReques` for creating exo requests
+     - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
+     - Each standard requires a Remediate, alert, and report section.
+
+3. **Rely on existing module loading**
+   - The CIPP module auto-loads `Public` functions recursively.
+   - **Do not** modify module manifest or loader behavior just to pick up your new standard.
+
+---
+
+## Critical Constraints
+
+You **must** respect all of these:
+
+### 1. Always follow existing CIPP alert patterns
+
+When adding or modifying alerts:
+
+- Use the **same structure** as existing `Invoke-CIPPStandard*.ps1` files:
+  - Similar function signatures
+  - Similar logging and error handling
+- Reuse helper functions instead of inlining raw Graph calls or custom HTTP code.
+- Keep behaviour predictable.
+
+### 2. Return the code for the frontend.
+
+The frontend requires a section to be changed in standards.json. This is an example JSON payload:
+
+```json
+  {
+    "name": "standards.MailContacts",
+    "cat": "Global Standards",
+    "tag": [],
+    "helpText": "Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.",
+    "docsDescription": "",
+    "executiveText": "Establishes designated contact email addresses for receiving important Microsoft 365 subscription updates and notifications. This ensures proper communication channels are maintained for general, security, marketing, and technical matters, improving organizational responsiveness to critical system updates.",
+    "addedComponent": [
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.GeneralContact",
+        "label": "General Contact",
+        "required": false
+      },
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.SecurityContact",
+        "label": "Security Contact",
+        "required": false
+      },
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.MarketingContact",
+        "label": "Marketing Contact",
+        "required": false
+      },
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.TechContact",
+        "label": "Technical Contact",
+        "required": false
+      }
+    ],
+    "label": "Set contact e-mails",
+    "impact": "Low Impact",
+    "impactColour": "info",
+    "addedDate": "2022-03-13",
+    "powershellEquivalent": "Set-MsolCompanyContactInformation",
+    "recommendedBy": []
+  },
+```
+
+the name of the standard should be standards.<standardname>. e.g. Invoke-CIPPStandardMailcontacts becomes standards.Mailcontacts.
+
+Added components might be required to populate the $settings variable. for example addedcomponent "standards.MailContacts.GeneralContact" becomes $Settings.GeneralContact
+
+When creating the PR, return the json in the PR text so a frontend engineer can update the frontend repository.
diff --git a/.github/pull.yml b/.github/pull.yml
@@ -0,0 +1,8 @@
+version: "1"
+rules:
+  - base: master
+    upstream: KelvinTegelaar:master
+    mergeMethod: merge
+  - base: dev
+    upstream: KelvinTegelaar:dev
+    mergeMethod: none
diff --git a/.github/workflows/PR_Branch_Check.yml b/.github/workflows/PR_Branch_Check.yml
@@ -0,0 +1,62 @@
+name: PR Branch Check
+
+on:
+  # Using pull_request_target instead of pull_request for secure handling of fork PRs
+  pull_request_target:
+    # Only run on these PR events
+    types: [opened, synchronize, reopened]
+    # Only check PRs targeting these branches
+    branches:
+      - main
+      - master
+
+permissions:
+  pull-requests: write
+  issues: write
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check and Comment on PR
+        # Only process fork PRs with specific branch conditions
+        # Must be a fork AND (source is main/master OR target is main/master)
+        if: |
+          github.event.pull_request.head.repo.fork == true && 
+          ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') ||
+          (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master'))
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            let message = '';
+
+            message += '🔄 If you are attempting to update your CIPP repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating ';
+            message += '\n\n';
+
+            // Check if PR is targeting main/master
+            if (context.payload.pull_request.base.ref === 'main' || context.payload.pull_request.base.ref === 'master') {
+              message += '⚠️ PRs cannot target the main branch directly. If you are attempting to contribute code please PR to the dev branch.\n\n';
+            }
+
+            // Check if PR is from a fork's main/master branch
+            if (context.payload.pull_request.head.repo.fork && 
+                (context.payload.pull_request.head.ref === 'main' || context.payload.pull_request.head.ref === 'master')) {
+              message += '⚠️ This PR cannot be merged because it originates from your fork\'s main/master branch. If you are attempting to contribute code please PR from your dev branch or another non-main/master branch.\n\n';
+            }
+
+            message += '🔒 This PR will now be automatically closed due to the above violation(s).';
+
+            // Post the comment
+            await github.rest.issues.createComment({
+              ...context.repo,
+              issue_number: context.issue.number,
+              body: message
+            });
+
+            // Close the PR
+            await github.rest.pulls.update({
+              ...context.repo,
+              pull_number: context.issue.number,
+              state: 'closed'
+            });