Merge remote-tracking branch 'upstream/master'

Author: TecharyJames

.github/agents/CIPP-Alert-Agent.md

@@ -102,16 +102,13 @@ When adding or modifying alerts:
 
 When an alert depends on a tenant having certain SKUs or capabilities, you **must**:
 
-- Use `Test-CIPPStandardLicense`  
+- Use `Test-CIPPStandardLicense`
+- Prefer `-Preset` for common capability sets: `Exchange`, `SharePoint`, `Intune`, `Entra`, `EntraP2`, `Teams`, `Compliance`
+- Use `-RequiredCapabilities` only when no preset matches, or combine it with `-Preset` for extra edge-case capabilities
 - Do **not** manually inspect SKUs, raw license IDs, or raw capability lists.
 
 Example pattern (adapt to the specific feature):
 
 ```powershell
-$TestResult = Test-CIPPStandardLicense -StandardName 'AutopilotProfile' -TenantFilter $Tenant -RequiredCapabilities @(
-    'INTUNE_A',
-    'MDM_Services',
-    'EMS',
-    'SCCM',
-    'MICROSOFTINTUNEPLAN1'
-)
+$TestResult = Test-CIPPStandardLicense -StandardName 'AutopilotProfile' -TenantFilter $Tenant -Preset Intune
+```

.github/agents/CIPP-Standards-Agent.md

@@ -82,6 +82,7 @@ When adding or modifying standards:
   - Similar logging and error handling
 - Reuse helper functions instead of inlining raw Graph calls or custom HTTP code.
 - Keep behaviour predictable.
+- If a standard needs license gating, use `Test-CIPPStandardLicense` with `-Preset` for common capability sets (`Exchange`, `SharePoint`, `Intune`, `Entra`, `EntraP2`, `Teams`, `Compliance`). Use `-RequiredCapabilities` only when no preset matches, or combine it with `-Preset` for extra edge-case capabilities.
 
 ### 2. Return the code for the frontend.
 

.github/instructions/alerts.instructions.md

@@ -97,14 +97,11 @@ if ($InputValue -is [string] -and $InputValue.Trim().StartsWith('{')) {
 If the alert depends on a specific M365 capability (Intune, Exchange, Defender, etc.), gate it early with `Test-CIPPStandardLicense`. Never inspect raw SKU IDs manually.
 
 ```powershell
-$Licensed = Test-CIPPStandardLicense -StandardName '<AlertName>' -TenantFilter $TenantFilter -RequiredCapabilities @(
-    'INTUNE_A',
-    'MDM_Services'
-)
+$Licensed = Test-CIPPStandardLicense -StandardName '<AlertName>' -TenantFilter $TenantFilter -Preset Intune
 if (-not $Licensed) { return }
 ```
 
-Reference existing alerts in the same domain for common capability strings. The `Test-CIPPStandardLicense` function source documents the capability matching logic.
+Use presets for common service families: `Exchange`, `SharePoint`, `Intune`, `Entra`, `EntraP2`, `Teams`, and `Compliance`. Use `-RequiredCapabilities` only when no preset matches, or combine it with `-Preset` when an alert needs a preset plus extra edge-case capabilities.
 
 ## Querying data
 

.github/instructions/cippdb.instructions.md

@@ -141,7 +141,7 @@ function Set-CIPPDBCacheMyNewType {
 
     try {
         # 1. Optional license check
-        $Licensed = Test-CIPPStandardLicense -StandardName 'MyFeature' -TenantFilter $TenantFilter -RequiredCapabilities @('REQUIRED_SKU')
+        $Licensed = Test-CIPPStandardLicense -StandardName 'MyFeature' -TenantFilter $TenantFilter -Preset Intune
         if (-not $Licensed) { return }
 
         # 2. Fetch data from API
@@ -160,7 +160,7 @@ function Set-CIPPDBCacheMyNewType {
 
 - **Always use `-AddCount`** unless you handle count rows manually
 - **Pipeline streaming** for large datasets: pipe directly from `New-GraphGetRequest` into `Add-CIPPDbItem`
-- **License gating**: use `Test-CIPPStandardLicense` when the API requires specific SKUs
+- **License gating**: use `Test-CIPPStandardLicense -Preset <Name>` for common capability sets (`Exchange`, `SharePoint`, `Intune`, `Entra`, `EntraP2`, `Teams`, `Compliance`); use `-RequiredCapabilities` only for non-preset capabilities or additional edge-case capabilities
 - **Conditional `$select`**: expand Graph `$select` fields based on license capabilities
 - **Error handling**: catch, log with `Write-LogMessage`, do not rethrow (allows other types in the collection to continue)
 - **No explicit return** of data — these functions write to the table as a side effect

.github/instructions/standards.instructions.md

@@ -57,7 +57,7 @@ function Invoke-CIPPStandard<Name> {
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK
-        https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+        https://docs.cipp.app/user-documentation/tenant/standards/alignment/templates/available-standards
     #>
 
     param(
@@ -67,7 +67,7 @@ function Invoke-CIPPStandard<Name> {
 
     # 1. License gate (if the data source requires a specific SKU)
     $TestResult = Test-CIPPStandardLicense -StandardName '<Name>' -TenantFilter $Tenant `
-        -RequiredCapabilities @('CAPABILITY_1', 'CAPABILITY_2')
+        -Preset Exchange
     if ($TestResult -eq $false) { return $true }
 
     # 2. Get current state
@@ -235,13 +235,13 @@ Gate early using `Test-CIPPStandardLicense`. Never inspect raw SKU IDs.
 
 ```powershell
 $TestResult = Test-CIPPStandardLicense -StandardName '<Name>' -TenantFilter $Tenant `
-    -RequiredCapabilities @('EXCHANGE_S_STANDARD', 'EXCHANGE_S_ENTERPRISE')
+    -Preset Exchange
 if ($TestResult -eq $false) { return $true }
 ```
 
 The function checks tenant capabilities, logs if missing, and automatically sets the `Set-CIPPStandardsCompareField` with `LicenseAvailable = $false`.
 
-Reference existing standards in the same domain for common capability strings. The `Test-CIPPStandardLicense` function source documents the capability matching logic.
+Use presets for common service families: `Exchange`, `SharePoint`, `Intune`, `Entra`, `EntraP2`, `Teams`, and `Compliance`. Use `-RequiredCapabilities` only when no preset matches, or combine it with `-Preset` when a standard needs a preset plus extra edge-case capabilities.
 
 ## API call patterns
 
@@ -337,7 +337,7 @@ The comment-based help `.NOTES` block drives the frontend UI. Each field maps to
 | `RECOMMENDEDBY` | `recommendedBy` | `"CIS"`, `"CIPP"`, etc. |
 | `MULTIPLE` | `multiple` | `True` for template-based standards (can have multiple instances) |
 | `DISABLEDFEATURES` | `disabledFeatures` | JSON object disabling specific action modes |
-| `REQUIREDCAPABILITIES` | *(discovery only)* | One capability string per line; parsed for standards metadata/JSON generation. The explicit `Test-CIPPStandardLicense` call in the function body still performs the actual runtime license check. |
+| `REQUIREDCAPABILITIES` | *(discovery only)* | One capability string per line; generated from `Test-CIPPStandardLicense -Preset` and/or `-RequiredCapabilities` for standards metadata/JSON generation. The explicit `Test-CIPPStandardLicense` call in the function body still performs the actual runtime license check. |
 | `UPDATECOMMENTBLOCK` | *(tooling only)* | Always include with the literal value `Run the Tools\Update-StandardsComments.ps1 script to update this comment block`. Signals the comment-update tooling to regenerate this block. |
 
 ### Valid CAT values

.github/workflows/dev_cippjta72.yml

@@ -0,0 +1,32 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippjta72
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+      
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippjta72'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_1EBE9D73F9EC4528BA666FC934055536 }}
+          sku: 'flexconsumption'
+        

Config/CIPPDBCacheTypes.json

@@ -244,6 +244,11 @@
     "friendlyName": "Mailboxes",
     "description": "All Exchange Online mailboxes"
   },
+  {
+    "type": "HVEAccounts",
+    "friendlyName": "HVE Accounts",
+    "description": "High Volume Email accounts"
+  },
   {
     "type": "CASMailboxes",
     "friendlyName": "CAS Mailboxes",
@@ -358,5 +363,10 @@
     "type": "CopilotUserCountTrend",
     "friendlyName": "Copilot User Count Trend",
     "description": "Daily Copilot active user count trend (7-day period)"
+  },
+  {
+    "type": "ExoTransportConfig",
+    "friendlyName": "Exchange Transport Config",
+    "description": "Exchange Online transport configuration including SMTP authentication settings"
   }
 ]

Config/CIPPTimers.json

@@ -17,14 +17,6 @@
     "RunOnProcessor": true,
     "PreferredProcessor": "usertasks"
   },
-  {
-    "Id": "168decf3-7ddd-471e-ab46-8b40be0f18ae",
-    "Command": "Start-CIPPProcessorQueue",
-    "Description": "Timer to handle user initiated tasks",
-    "Cron": "0 */15 * * * *",
-    "Priority": 1,
-    "RunOnProcessor": true
-  },
   {
     "Id": "44a40668-ed71-403c-8c26-b32e320086ad",
     "Command": "Start-AuditLogOrchestrator",
@@ -264,5 +256,23 @@
     "RunOnProcessor": true,
     "TZOffset": true,
     "IsSystem": true
+  },
+  {
+    "Id": "a3b4c5d6-e7f8-4a9b-8c1d-2e3f4a5b6c7d",
+    "Command": "Start-ContainerUpdateCheck",
+    "Description": "Check for container image updates and optionally auto-restart",
+    "Cron": "0 0 * * * *",
+    "Priority": 30,
+    "RunOnProcessor": false,
+    "IsSystem": true
+  },
+  {
+    "Id": "7e2a9b4c-1d5f-4a8e-b3c6-0f9d2e7a4b1c",
+    "Command": "Start-UserSyncTimer",
+    "Description": "Sync partner tenant users and group-based roles into allowedUsers table",
+    "Cron": "0 */15 * * * *",
+    "Priority": 11,
+    "RunOnProcessor": false,
+    "IsSystem": true
   }
 ]

Config/FeatureFlags.json

@@ -19,6 +19,42 @@
       "/tenant/standards/bpa-report",
       "/tenant/standards/bpa-report/builder",
       "/tenant/standards/bpa-report/view"
-    ]
+    ],
+    "Hidden": false
+  },
+  {
+    "Id": "SuperAdminNG",
+    "Name": "Super Admin",
+    "Description": "Additional super admin pages for CIPP instances (CIPP Users, SSO, Container management).",
+    "Enabled": false,
+    "AllowUserToggle": false,
+    "Timers": [],
+    "Endpoints": [
+      "ExecCIPPUsers",
+      "ListCIPPUsers",
+      "ExecContainerManagement",
+      "ListContainerLogs",
+      "ListWorkerHealth"
+    ],
+    "Pages": [
+      "/cipp/advanced/super-admin/cipp-users",
+      "/cipp/advanced/super-admin/container",
+      "/cipp/advanced/container-logs",
+      "/cipp/advanced/worker-health"
+    ],
+    "Hidden": true
+  },
+  {
+    "Id": "MCPServer",
+    "Name": "MCP Server",
+    "Description": "Model Context Protocol (MCP) server endpoint that exposes CIPP's read-only API surface as tools for AI clients. Disabled by default; enable to allow MCP access.",
+    "Enabled": false,
+    "AllowUserToggle": true,
+    "Timers": [],
+    "Endpoints": [
+      "ExecMcp"
+    ],
+    "Pages": [],
+    "Hidden": false
   }
 ]