refactor: streamline user offboarding and improve task scheduling logic

JohnDuprey · JohnDuprey · commit 0d1f744756d3 · 2026-03-17T16:59:04.000-04:00
run now makes tasks actually run immediately
all user offboardings are now routed through scheduler for proper task tracking and alerting
diff --git a/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 b/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1
@@ -1,29 +1,25 @@
 function Add-CIPPScheduledTask {
-    [CmdletBinding(DefaultParameterSetName = 'Default')]
+    [CmdletBinding()]
     param(
-        [Parameter(Mandatory = $true, ParameterSetName = 'Default')]
+        [Parameter(Mandatory = $true)]
         [pscustomobject]$Task,
 
-        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [Parameter(Mandatory = $false)]
         [bool]$Hidden,
 
-        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [Parameter(Mandatory = $false)]
         $DisallowDuplicateName = $false,
 
-        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [Parameter(Mandatory = $false)]
         [string]$SyncType = $null,
 
-        [Parameter(Mandatory = $false, ParameterSetName = 'RunNow')]
+        [Parameter(Mandatory = $false)]
         [switch]$RunNow,
 
-        [Parameter(Mandatory = $true, ParameterSetName = 'RunNow')]
-        [string]$RowKey,
-
-        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [Parameter(Mandatory = $false)]
         [string]$DesiredStartTime = $null,
 
-        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
-        [Parameter(Mandatory = $false, ParameterSetName = 'RunNow')]
+        [Parameter(Mandatory = $false)]
         $Headers
     )
 
@@ -39,6 +35,9 @@ function Add-CIPPScheduledTask {
                 $ExistingTask.TaskState = 'Planned'
                 Add-CIPPAzDataTableEntity @Table -Entity $ExistingTask -Force
                 Write-LogMessage -headers $Headers -API 'RunNow' -message "Task $($ExistingTask.Name) scheduled to run now" -Sev 'Info' -Tenant $ExistingTask.Tenant
+                Add-CippQueueMessage -Cmdlet 'Start-UserTasksOrchestrator' -Parameters @{
+                    TaskId = $RowKey
+                }
                 return "Task $($ExistingTask.Name) scheduled to run now"
             } catch {
                 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
@@ -192,6 +191,7 @@ function Add-CIPPScheduledTask {
                 Hidden               = [bool]$Hidden
                 Results              = 'Planned'
                 AlertComment         = [string]$task.AlertComment
+                CustomSubject        = [string]$task.CustomSubject
             }
 
 
@@ -299,6 +299,13 @@ function Add-CIPPScheduledTask {
                 default { 'less than a minute' }
             }
 
+            if ($RunNow.IsPresent) {
+                Add-CippQueueMessage -Cmdlet 'Start-UserTasksOrchestrator' -Parameters @{
+                    TaskId = $RowKey
+                }
+                return "Task $($entity.Name) scheduled to run now"
+            }
+
             return "Successfully added task: $($entity.Name). It will run in $relativeTime."
         }
     } catch {
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-AddScheduledItem.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-AddScheduledItem.ps1
@@ -18,29 +18,22 @@ function Invoke-AddScheduledItem {
     $HeaderProperties = @('x-ms-client-principal', 'x-ms-client-principal-id', 'x-ms-client-principal-name', 'x-forwarded-for')
     $Headers = $Request.Headers | Select-Object -Property $HeaderProperties -ErrorAction SilentlyContinue
 
-    if ($Request.Body.RunNow -eq $true) {
-        try {
-            $Table = Get-CIPPTable -TableName 'ScheduledTasks'
-            $Filter = "PartitionKey eq 'ScheduledTask' and RowKey eq '$($Request.Body.RowKey)'"
-            $ExistingTask = (Get-CIPPAzDataTableEntity @Table -Filter $Filter)
+    $Table = Get-CIPPTable -TableName 'ScheduledTasks'
 
-            if ($ExistingTask) {
-                $RerunParams = @{
-                    TenantFilter = $ExistingTask.Tenant
-                    Type         = 'ScheduledTask'
-                    API          = $Request.Body.RowKey
-                    Clear        = $true
-                }
-                $null = Test-CIPPRerun @RerunParams
-                $Result = Add-CIPPScheduledTask -RowKey $Request.Body.RowKey -RunNow -Headers $Headers
-            } else {
-                $Result = "Task with id $($Request.Body.RowKey) does not exist"
-            }
-        } catch {
-            Write-Warning "Error scheduling task: $($_.Exception.Message)"
-            Write-Information $_.InvocationInfo.PositionMessage
-            $Result = "Error scheduling task: $($_.Exception.Message)"
+    if ($Request.Body.RowKey) {
+        $Filter = "PartitionKey eq 'ScheduledTask' and RowKey eq '$($Request.Body.RowKey)'"
+        $ExistingTask = (Get-CIPPAzDataTableEntity @Table -Filter $Filter)
+    }
+
+    if ($ExistingTask -and $Request.Body.RunNow -eq $true) {
+        $RerunParams = @{
+            TenantFilter = $ExistingTask.Tenant
+            Type         = 'ScheduledTask'
+            API          = $Request.Body.RowKey
+            Clear        = $true
         }
+        $null = Test-CIPPRerun @RerunParams
+        $Result = Add-CIPPScheduledTask -RowKey $Request.Body.RowKey -RunNow -Headers $Headers
     } else {
         $ScheduledTask = @{
             Task                  = $Request.Body
@@ -49,6 +42,9 @@ function Invoke-AddScheduledItem {
             DisallowDuplicateName = $DisallowDuplicateName
             DesiredStartTime      = $Request.Body.DesiredStartTime
         }
+        if ($Request.Body.RunNow -eq $true) {
+            $ScheduledTask.RunNow = $true
+        }
         $Result = Add-CIPPScheduledTask @ScheduledTask
     }
     return ([HttpResponseContext]@{
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-ListScheduledItems.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-ListScheduledItems.ps1
@@ -11,6 +11,8 @@ function Invoke-ListScheduledItems {
     $ScheduledItemFilter.Add("PartitionKey eq 'ScheduledTask'")
 
     $Id = $Request.Query.Id ?? $Request.Body.Id
+    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+
     if ($Id) {
         # Interact with query parameters.
         $ScheduledItemFilter.Add("RowKey eq '$($Id)'")
@@ -48,6 +50,10 @@ function Invoke-ListScheduledItems {
         $Tasks = $Tasks | Where-Object { $_.command -eq $Type }
     }
 
+    if ($TenantFilter) {
+        $Tasks = $Tasks | Where-Object { $_.tenant -eq $TenantFilter -or $TenantFilter -eq 'AllTenants' }
+    }
+
     if ($SearchTitle) {
         $Tasks = $Tasks | Where-Object { $_.Name -like $SearchTitle }
     }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecOffboardUser.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecOffboardUser.ps1
@@ -10,39 +10,41 @@ function Invoke-ExecOffboardUser {
     $AllUsers = $Request.Body.user.value
     $TenantFilter = $request.Body.tenantFilter.value ? $request.Body.tenantFilter.value : $request.Body.tenantFilter
     $OffboardingOptions = $Request.Body | Select-Object * -ExcludeProperty user, tenantFilter, Scheduled
+
+    $StatusCode = [HttpStatusCode]::OK
     $Results = foreach ($username in $AllUsers) {
         try {
-            $APIName = 'ExecOffboardUser'
             $Headers = $Request.Headers
-
-
-            if ($Request.Body.Scheduled.enabled) {
-                $taskObject = [PSCustomObject]@{
-                    TenantFilter  = $TenantFilter
-                    Name          = "Offboarding: $Username"
-                    Command       = @{
-                        value = 'Invoke-CIPPOffboardingJob'
-                    }
-                    Parameters    = [pscustomobject]@{
-                        Username     = $Username
-                        APIName      = 'Scheduled Offboarding'
-                        options      = $OffboardingOptions
-                        RunScheduled = $true
-                    }
-                    ScheduledTime = $Request.Body.Scheduled.date
-                    PostExecution = @{
-                        Webhook = [bool]$Request.Body.PostExecution.webhook
-                        Email   = [bool]$Request.Body.PostExecution.email
-                        PSA     = [bool]$Request.Body.PostExecution.psa
-                    }
-                    Reference     = $Request.Body.reference
+            $taskObject = [PSCustomObject]@{
+                TenantFilter  = $TenantFilter
+                Name          = "Offboarding: $Username"
+                Command       = @{
+                    value = 'Invoke-CIPPOffboardingJob'
+                }
+                Parameters    = [pscustomobject]@{
+                    Username     = $Username
+                    APIName      = 'Scheduled Offboarding'
+                    options      = $OffboardingOptions
+                    RunScheduled = $true
                 }
-                Add-CIPPScheduledTask -Task $taskObject -hidden $false -Headers $Headers
+                PostExecution = @{
+                    Webhook = [bool]$Request.Body.PostExecution.webhook
+                    Email   = [bool]$Request.Body.PostExecution.email
+                    PSA     = [bool]$Request.Body.PostExecution.psa
+                }
+                Reference     = $Request.Body.reference
+            }
+            $Params = @{
+                Task    = $taskObject
+                hidden  = $false
+                Headers = $Headers
+            }
+            if ($Request.Body.Scheduled.enabled) {
+                $taskObject.ScheduledTime = $Request.Body.Scheduled.date
             } else {
-                Invoke-CIPPOffboardingJob -Username $Username -TenantFilter $TenantFilter -Options $OffboardingOptions -APIName $APIName -Headers $Headers
+                $Params.RunNow = $true
             }
-            $StatusCode = [HttpStatusCode]::OK
-
+            Add-CIPPScheduledTask @Params
         } catch {
             $StatusCode = [HttpStatusCode]::Forbidden
             $_.Exception.message
diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-CIPPOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-CIPPOrchestrator.ps1
@@ -37,7 +37,10 @@ function Start-CIPPOrchestrator {
 
     # If already running in processor context (e.g., timer trigger) and we have an InputObject,
     # start orchestration directly without queuing
-    if ($InputObject -and ($env:CIPP_PROCESSOR -eq 'true' -or $CallerIsQueueTrigger.IsPresent)) {
+
+    $OrchestratorTriggerDisabled = $env:AzureWebJobs_CIPPOrchestrator_Disabled -eq 'true' -or $env:AzureWebJobs_CIPPOrchestrator_Disabled -eq '1'
+
+    if ($InputObject -and -not $OrchestratorTriggerDisabled) {
         Write-Information 'Running in processor context - starting orchestration directly'
         try {
             $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 10 -Compress)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-UserTasksOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-UserTasksOrchestrator.ps1
@@ -7,15 +7,31 @@ function Start-UserTasksOrchestrator {
     Entrypoint
     #>
     [CmdletBinding(SupportsShouldProcess = $true)]
-    param()
+    param(
+        $TaskId = $null
+    )
 
     $Table = Get-CippTable -tablename 'ScheduledTasks'
-    $4HoursAgo = (Get-Date).AddHours(-4).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-    $24HoursAgo = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-    # Pending = orchestrator queued, Running = actively executing
-    # Pick up: Planned, Failed-Planned, stuck Pending (>24hr), or stuck Running (>4hr for large AllTenants tasks)
-    $Filter = "PartitionKey eq 'ScheduledTask' and (TaskState eq 'Planned' or TaskState eq 'Failed - Planned' or (TaskState eq 'Pending' and Timestamp lt datetime'$24HoursAgo') or (TaskState eq 'Running' and Timestamp lt datetime'$4HoursAgo') or (TaskState eq 'Processing' and Timestamp lt datetime'$4HoursAgo'))"
-    $tasks = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+
+    if ($TaskId) {
+        $Filter = "PartitionKey eq 'ScheduledTask' and RowKey eq '$TaskId'"
+        $task = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+
+        if (-not $task.RowKey) {
+            Write-Warning "No scheduled task found with ID: $TaskId"
+            return
+        } else {
+            Write-Information "Starting orchestrator for scheduled task: $($task.Name) with ID: $TaskId"
+            $tasks = @($task)
+        }
+    } else {
+        $4HoursAgo = (Get-Date).AddHours(-4).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $24HoursAgo = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        # Pending = orchestrator queued, Running = actively executing
+        # Pick up: Planned, Failed-Planned, stuck Pending (>24hr), or stuck Running (>4hr for large AllTenants tasks)
+        $Filter = "PartitionKey eq 'ScheduledTask' and (TaskState eq 'Planned' or TaskState eq 'Failed - Planned' or (TaskState eq 'Pending' and Timestamp lt datetime'$24HoursAgo') or (TaskState eq 'Running' and Timestamp lt datetime'$4HoursAgo') or (TaskState eq 'Processing' and Timestamp lt datetime'$4HoursAgo'))"
+        $tasks = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+    }
 
     $Batch = [System.Collections.Generic.List[object]]::new()
     $TenantList = Get-Tenants -IncludeErrors
