incedIT · pull · Feb 27, 2026 · Feb 25, 2026 · Feb 25, 2026 · Feb 25, 2026
diff --git a/CIPPTimers.json b/CIPPTimers.json
@@ -75,7 +75,7 @@
     "Id": "9b0c8e50-f798-49db-9a8b-dbcc0fcadeea",
     "Command": "Start-StandardsOrchestrator",
     "Description": "Orchestrator to process standards",
-    "Cron": "0 0 */4 * * *",
+    "Cron": "0 0 */12 * * *",
     "Priority": 4,
     "RunOnProcessor": true,
     "PreferredProcessor": "standards"

diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGroupMembershipChange.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGroupMembershipChange.ps1
@@ -19,7 +19,7 @@ function Get-CIPPAlertGroupMembershipChange {
         $AuditLogs = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $OneHourAgo and (activityDisplayName eq 'Add member to group' or activityDisplayName eq 'Remove member from group')" -tenantid $TenantFilter
 
         $AlertData = foreach ($Log in $AuditLogs) {
-            $Member = ($Log.targetResources | Where-Object { $_.type -in @('User', 'ServicePrincipal') })[0]
+            $Member = ($Log.targetResources | Where-Object { $_.type -in @('User', 'ServicePrincipal', 'Group') })[0]
             $GroupProp = ($Member.modifiedProperties | Where-Object { $_.displayName -eq 'Group.DisplayName' })
             $GroupDisplayName = (($GroupProp.newValue ?? $GroupProp.oldValue) -replace '"', '')
             if (!$GroupDisplayName -or !($MonitoredGroups | Where-Object { $GroupDisplayName -like $_ })) { continue }

diff --git a/Modules/CIPPCore/Public/Compare-CIPPIntuneObject.ps1 b/Modules/CIPPCore/Public/Compare-CIPPIntuneObject.ps1
@@ -34,7 +34,8 @@ function Compare-CIPPIntuneObject {
             'agents',
             'isSynced'
             'locationInfo',
-            'templateId'
+            'templateId',
+            'source'
         )
 
         $excludeProps = $defaultExcludeProperties + $ExcludeProperties
@@ -49,6 +50,38 @@ function Compare-CIPPIntuneObject {
                 $excludeProps -contains $PropertyName)
         }
 
+        function ShouldCompareAsUnorderedSet {
+            param (
+                [string]$PropertyPath
+            )
+            # Properties that should be compared as sets (order doesn't matter)
+            $unorderedSetPatterns = @(
+                'includeGroups',
+                'excludeGroups',
+                'includeUsers',
+                'excludeUsers',
+                'includeApplications',
+                'excludeApplications',
+                'includeRoles',
+                'excludeRoles',
+                'includePlatforms',
+                'excludePlatforms',
+                'includeLocations',
+                'excludeLocations',
+                'includeDevices',
+                'excludeDevices',
+                'includeGuestOrExternalUserTypes',
+                'excludeGuestOrExternalUserTypes'
+            )
+
+            foreach ($pattern in $unorderedSetPatterns) {
+                if ($PropertyPath -match "\.$pattern(\.\d+)?$" -or $PropertyPath -eq $pattern) {
+                    return $true
+                }
+            }
+            return $false
+        }
+
         function Compare-ObjectsRecursively {
             param (
                 [Parameter(Mandatory = $true)]
@@ -136,25 +169,65 @@ function Compare-CIPPIntuneObject {
                     }
                 }
             } elseif ($Object1 -is [Array] -or $Object1 -is [System.Collections.IList]) {
-                $maxLength = [Math]::Max($Object1.Count, $Object2.Count)
-
-                for ($i = 0; $i -lt $maxLength; $i++) {
-                    $newPath = "$PropertyPath.$i"
-
-                    if ($i -lt $Object1.Count -and $i -lt $Object2.Count) {
-                        Compare-ObjectsRecursively -Object1 $Object1[$i] -Object2 $Object2[$i] -PropertyPath $newPath -Depth ($Depth + 1) -MaxDepth $MaxDepth
-                    } elseif ($i -lt $Object1.Count) {
+                # Check if this array should be compared as an unordered set
+                if (ShouldCompareAsUnorderedSet -PropertyPath $PropertyPath) {
+                    # For unordered sets, compare contents regardless of order
+                    if ($Object1.Count -ne $Object2.Count) {
+                        # Different lengths - report the difference
                         $result.Add([PSCustomObject]@{
-                                Property      = $newPath
-                                ExpectedValue = $Object1[$i]
-                                ReceivedValue = ''
+                                Property      = $PropertyPath
+                                ExpectedValue = "Array with $($Object1.Count) items"
+                                ReceivedValue = "Array with $($Object2.Count) items"
                             })
                     } else {
-                        $result.Add([PSCustomObject]@{
-                                Property      = $newPath
-                                ExpectedValue = ''
-                                ReceivedValue = $Object2[$i]
-                            })
+                        # Same length - check if all items exist in both arrays
+                        $array1Sorted = @($Object1 | Sort-Object)
+                        $array2Sorted = @($Object2 | Sort-Object)
+
+                        for ($i = 0; $i -lt $array1Sorted.Count; $i++) {
+                            $item1 = $array1Sorted[$i]
+                            $item2 = $array2Sorted[$i]
+
+                            # For primitive types, direct comparison
+                            if ($item1 -is [string] -or $item1 -is [int] -or $item1 -is [long] -or $item1 -is [bool] -or $item1 -is [double] -or $item1 -is [decimal]) {
+                                if ($item1 -ne $item2) {
+                                    # Items don't match even after sorting - arrays have different contents
+                                    $result.Add([PSCustomObject]@{
+                                            Property      = $PropertyPath
+                                            ExpectedValue = ($Object1 -join ', ')
+                                            ReceivedValue = ($Object2 -join ', ')
+                                        })
+                                    break
+                                }
+                            } else {
+                                # For complex objects, recursively compare with a generic path
+                                $newPath = "$PropertyPath[$i]"
+                                Compare-ObjectsRecursively -Object1 $item1 -Object2 $item2 -PropertyPath $newPath -Depth ($Depth + 1) -MaxDepth $MaxDepth
+                            }
+                        }
+                    }
+                } else {
+                    # Ordered array comparison (original behavior)
+                    $maxLength = [Math]::Max($Object1.Count, $Object2.Count)
+
+                    for ($i = 0; $i -lt $maxLength; $i++) {
+                        $newPath = "$PropertyPath.$i"
+
+                        if ($i -lt $Object1.Count -and $i -lt $Object2.Count) {
+                            Compare-ObjectsRecursively -Object1 $Object1[$i] -Object2 $Object2[$i] -PropertyPath $newPath -Depth ($Depth + 1) -MaxDepth $MaxDepth
+                        } elseif ($i -lt $Object1.Count) {
+                            $result.Add([PSCustomObject]@{
+                                    Property      = $newPath
+                                    ExpectedValue = $Object1[$i]
+                                    ReceivedValue = ''
+                                })
+                        } else {
+                            $result.Add([PSCustomObject]@{
+                                    Property      = $newPath
+                                    ExpectedValue = ''
+                                    ReceivedValue = $Object2[$i]
+                                })
+                        }
                     }
                 }
             } elseif ($Object1 -is [PSCustomObject] -or $Object1.PSObject.Properties.Count -gt 0) {

diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1
@@ -25,9 +25,24 @@ function Push-UpdatePermissionsQueue {
             $DomainRefreshRequired = $true
         }
         Write-Information 'Updating permissions'
-        Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
-        Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
-        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.displayName)" -Sev 'Info' -API 'UpdatePermissionsQueue'
+        $AppResults = Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
+        $DelegatedResults = Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
+
+        # Check for permission failures (excluding service principal creation failures)
+        $AllResults = @($AppResults) + @($DelegatedResults)
+        $PermissionFailures = $AllResults | Where-Object { 
+            $_ -like '*Failed*' -and 
+            $_ -notlike '*Failed to create service principal*'
+        }
+
+        if ($PermissionFailures) {
+            $Status = 'Failed'
+            $FailureMessage = ($PermissionFailures -join '; ')
+            Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Permission update completed with failures for $($Item.displayName): $FailureMessage" -Sev 'Warn' -API 'UpdatePermissionsQueue'
+        } else {
+            $Status = 'Success'
+            Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.displayName)" -Sev 'Info' -API 'UpdatePermissionsQueue'
+        }
 
         if ($Item.defaultDomainName -ne 'PartnerTenant') {
             Write-Information 'Pushing CIPP-SAM admin roles'
@@ -38,11 +53,15 @@ function Push-UpdatePermissionsQueue {
         $unixtime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
         $GraphRequest = @{
             LastApply     = "$unixtime"
+            LastStatus    = "$Status"
             applicationId = "$($env:ApplicationID)"
             Tenant        = "$($Item.customerId)"
             PartitionKey  = 'Tenant'
             RowKey        = "$($Item.customerId)"
         }
+        if ($PermissionFailures) {
+            $GraphRequest.LastError = $FailureMessage
+        }
         Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force
 
         if ($DomainRefreshRequired) {
@@ -53,5 +72,6 @@ function Push-UpdatePermissionsQueue {
         }
     } catch {
         Write-Information "Error updating permissions for $($Item.displayName)"
+        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue'
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecDnsConfig.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecDnsConfig.ps1
@@ -3,7 +3,7 @@ function Invoke-ExecDnsConfig {
     .FUNCTIONALITY
         Entrypoint
     .ROLE
-        CIPP.AppSettings.ReadWrite
+        Tenant.Domains.ReadWrite
     #>
     [CmdletBinding()]
     param($Request, $TriggerMetadata)

diff --git a/...nts/HTTP Functions/Email-Exchange/Administration/Contacts/Invoke-ListContactTemplates.ps1 b/...nts/HTTP Functions/Email-Exchange/Administration/Contacts/Invoke-ListContactTemplates.ps1
@@ -1,9 +1,9 @@
-Function Invoke-ListContactTemplates {
+function Invoke-ListContactTemplates {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
     .ROLE
-        Exchange.Read
+        Exchange.Contact.Read
     #>
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
@@ -39,9 +39,9 @@ Function Invoke-ListContactTemplates {
         if (-not $Templates) {
             Write-LogMessage -headers $Headers -API $APIName -message "Template with ID $RequestedID not found" -sev 'Warn'
             return ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::NotFound
-                Body       = @{ Error = "Template with ID $RequestedID not found" }
-            })
+                    StatusCode = [HttpStatusCode]::NotFound
+                    Body       = @{ Error = "Template with ID $RequestedID not found" }
+                })
             return
         }
     } else {

diff --git a/.../Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListMailboxes.ps1 b/.../Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListMailboxes.ps1
@@ -9,7 +9,27 @@ function Invoke-ListMailboxes {
     param($Request, $TriggerMetadata)
     # Interact with query parameters or the body of the request.
     $TenantFilter = $Request.Query.tenantFilter
+    $UseReportDB = $Request.Query.UseReportDB
+
     try {
+        # If UseReportDB is specified, retrieve from report database
+        if ($UseReportDB -eq 'true') {
+            try {
+                $GraphRequest = Get-CIPPMailboxesReport -TenantFilter $TenantFilter -ErrorAction Stop
+                $StatusCode = [HttpStatusCode]::OK
+            } catch {
+                Write-Host "Error retrieving mailboxes from report database: $($_.Exception.Message)"
+                $StatusCode = [HttpStatusCode]::InternalServerError
+                $GraphRequest = $_.Exception.Message
+            }
+
+            return ([HttpResponseContext]@{
+                    StatusCode = $StatusCode
+                    Body       = @($GraphRequest)
+                })
+        }
+
+        # Original live EXO logic
         $Select = 'id,ExchangeGuid,ArchiveGuid,UserPrincipalName,DisplayName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails,EmailAddresses,WhenSoftDeleted,IsInactiveMailbox,ForwardingSmtpAddress,DeliverToMailboxAndForward,ForwardingAddress,HiddenFromAddressListsEnabled,ExternalDirectoryObjectId,MessageCopyForSendOnBehalfEnabled,MessageCopyForSentAsEnabled,PersistedCapabilities,LitigationHoldEnabled,LitigationHoldDate,LitigationHoldDuration,ComplianceTagHoldApplied,RetentionHoldEnabled,InPlaceHolds,RetentionPolicy'
         $ExoRequest = @{
             tenantid  = $TenantFilter

diff --git a/...ublic/Entrypoints/HTTP Functions/Email-Exchange/Transport/Invoke-AddEditTransportRule.ps1 b/...ublic/Entrypoints/HTTP Functions/Email-Exchange/Transport/Invoke-AddEditTransportRule.ps1
@@ -82,6 +82,7 @@ function Invoke-AddEditTransportRule {
     $DeleteMessage = $Request.Body.DeleteMessage
     $Quarantine = $Request.Body.Quarantine
     $RedirectMessageTo = $Request.Body.RedirectMessageTo
+    $RouteMessageOutboundConnector = $Request.Body.RouteMessageOutboundConnector
     $BlindCopyTo = $Request.Body.BlindCopyTo
     $CopyTo = $Request.Body.CopyTo
     $ModerateMessageByUser = $Request.Body.ModerateMessageByUser
@@ -436,6 +437,7 @@ function Invoke-AddEditTransportRule {
         if ($null -ne $RedirectMessageTo -and $RedirectMessageTo.Count -gt 0) {
             $ruleParams.Add('RedirectMessageTo', $RedirectMessageTo)
         }
+        if ($null -ne$RouteMessageOutboundConnector) {$ruleParams.Add('RouteMessageOutboundConnector', $RouteMessageOutboundConnector)}
         if ($null -ne $BlindCopyTo -and $BlindCopyTo.Count -gt 0) { $ruleParams.Add('BlindCopyTo', $BlindCopyTo) }
         if ($null -ne $CopyTo -and $CopyTo.Count -gt 0) { $ruleParams.Add('CopyTo', $CopyTo) }
         if ($null -ne $ModerateMessageByUser -and $ModerateMessageByUser.Count -gt 0) {

diff --git a/...ic/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1 b/...ic/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1
@@ -155,7 +155,7 @@ function Invoke-CIPPOffboardingJob {
                 }
             }
             @{
-                Condition  = { ![string]::IsNullOrEmpty($Options.OnedriveAccess) }
+                Condition  = { $Options.OnedriveAccess.Count -gt 0 }
                 Cmdlet     = 'Set-CIPPSharePointPerms'
                 Parameters = @{
                     tenantFilter       = $TenantFilter
@@ -166,7 +166,7 @@ function Invoke-CIPPOffboardingJob {
                 }
             }
             @{
-                Condition  = { ![string]::IsNullOrEmpty($Options.AccessNoAutomap) }
+                Condition  = { $Options.AccessNoAutomap.Count -gt 0 }
                 Cmdlet     = 'Set-CIPPMailboxAccess'
                 Parameters = @{
                     tenantFilter = $TenantFilter
@@ -179,7 +179,7 @@ function Invoke-CIPPOffboardingJob {
                 }
             }
             @{
-                Condition  = { ![string]::IsNullOrEmpty($Options.AccessAutomap) }
+                Condition  = { $Options.AccessAutomap.Count -gt 0 }
                 Cmdlet     = 'Set-CIPPMailboxAccess'
                 Parameters = @{
                     tenantFilter = $TenantFilter

diff --git a/...PCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-EditUser.ps1 b/...PCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-EditUser.ps1
@@ -104,9 +104,10 @@ function Invoke-EditUser {
                         value = 'Set-CIPPUserLicense'
                     }
                     Parameters    = [pscustomobject]@{
-                        UserId      = $UserObj.id
-                        APIName     = 'Sherweb License Assignment'
-                        AddLicenses = $licenses
+                        UserId            = $UserObj.id
+                        APIName           = 'Sherweb License Assignment'
+                        AddLicenses       = $licenses
+                        UserPrincipalName = $UserPrincipalName
                     }
                     ScheduledTime = 0 #right now, which is in the next 15 minutes and should cover most cases.
                     PostExecution = @{
@@ -124,12 +125,12 @@ function Invoke-EditUser {
                     $Results.Add( 'Success. User license is already correct.' )
                 } else {
                     if ($UserObj.removeLicenses) {
-                        $licResults = Set-CIPPUserLicense -UserId $UserObj.id -TenantFilter $UserObj.tenantFilter -RemoveLicenses $CurrentLicenses.assignedLicenses.skuId -Headers $Headers -APIName $APIName
+                        $licResults = Set-CIPPUserLicense -UserPrincipalName $UserPrincipalName -UserId $UserObj.id -TenantFilter $UserObj.tenantFilter -RemoveLicenses $CurrentLicenses.assignedLicenses.skuId -Headers $Headers -APIName $APIName
                         $Results.Add($licResults)
                     } else {
                         #Remove all objects from $CurrentLicenses.assignedLicenses.skuId that are in $licenses
                         $RemoveLicenses = $CurrentLicenses.assignedLicenses.skuId | Where-Object { $_ -notin $licenses }
-                        $licResults = Set-CIPPUserLicense -UserId $UserObj.id -TenantFilter $UserObj.tenantFilter -RemoveLicenses $RemoveLicenses -AddLicenses $licenses -Headers $Headers -APIName $APIName
+                        $licResults = Set-CIPPUserLicense -UserPrincipalName $UserPrincipalName -UserId $UserObj.id -TenantFilter $UserObj.tenantFilter -RemoveLicenses $RemoveLicenses -AddLicenses $licenses -Headers $Headers -APIName $APIName
                         $Results.Add($licResults)
                     }