feat: Add Compare-CIPPIntuneAssignments and Get-CIPPIntunePolicyAssignments functions; update Push-CIPPStandardsList and Invoke-CIPPStandardIntuneTemplate for assignment verification; adjust host.json for function concurrency limits

Author: JohnDuprey

Modules/CIPPCore/Public/Compare-CIPPIntuneAssignments.ps1

@@ -0,0 +1,134 @@
+function Compare-CIPPIntuneAssignments {
+    <#
+    .SYNOPSIS
+        Compares existing Intune policy assignments against expected assignment settings.
+    .DESCRIPTION
+        Returns $true if the existing assignments match the expected settings, $false if they differ,
+        or $null if the comparison could not be completed (e.g. Graph error).
+    .PARAMETER ExistingAssignments
+        The current assignments on the policy, as returned by Get-CIPPIntunePolicyAssignments.
+    .PARAMETER ExpectedAssignTo
+        The expected assignment target type: allLicensedUsers, AllDevices, AllDevicesAndUsers,
+        customGroup, or On (no assignment).
+    .PARAMETER ExpectedCustomGroup
+        The expected custom group name(s), comma-separated. Used when ExpectedAssignTo is 'customGroup'.
+    .PARAMETER ExpectedExcludeGroup
+        The expected exclusion group name(s), comma-separated.
+    .PARAMETER ExpectedAssignmentFilter
+        The expected assignment filter display name. Wildcards supported.
+    .PARAMETER ExpectedAssignmentFilterType
+        'include' or 'exclude'. Defaults to 'include'.
+    .PARAMETER TenantFilter
+        The tenant to query for group/filter resolution.
+    .FUNCTIONALITY
+        Internal
+    #>
+    param(
+        [object[]]$ExistingAssignments,
+        [string]$ExpectedAssignTo,
+        [string]$ExpectedCustomGroup,
+        [string]$ExpectedExcludeGroup,
+        [string]$ExpectedAssignmentFilter,
+        [string]$ExpectedAssignmentFilterType = 'include',
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        # Normalize existing targets
+        $ExistingTargetTypes = @($ExistingAssignments.target.'@odata.type' | Where-Object { $_ })
+        $ExistingIncludeGroupIds = @(
+            $ExistingAssignments |
+                Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } |
+                ForEach-Object { $_.target.groupId }
+        )
+        $ExistingExcludeGroupIds = @(
+            $ExistingAssignments |
+                Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' } |
+                ForEach-Object { $_.target.groupId }
+        )
+
+        # Determine expected include target types
+        $ExpectedIncludeTypes = switch ($ExpectedAssignTo) {
+            'allLicensedUsers'   { @('#microsoft.graph.allLicensedUsersAssignmentTarget') }
+            'AllDevices'         { @('#microsoft.graph.allDevicesAssignmentTarget') }
+            'AllDevicesAndUsers' { @('#microsoft.graph.allDevicesAssignmentTarget', '#microsoft.graph.allLicensedUsersAssignmentTarget') }
+            'customGroup'        { @('#microsoft.graph.groupAssignmentTarget') }
+            'On'                 { @() }
+            default              { @() }
+        }
+
+        # Compare include target types (ignore exclusion targets)
+        $ExistingIncludeTypes = @($ExistingTargetTypes | Where-Object { $_ -ne '#microsoft.graph.exclusionGroupAssignmentTarget' })
+        $TargetTypeMatch = $true
+        foreach ($t in $ExpectedIncludeTypes) {
+            if ($t -notin $ExistingIncludeTypes) { $TargetTypeMatch = $false; break }
+        }
+        if ($TargetTypeMatch) {
+            foreach ($t in $ExistingIncludeTypes) {
+                if ($t -notin $ExpectedIncludeTypes) { $TargetTypeMatch = $false; break }
+            }
+        }
+
+        # Lazy-load groups cache only if needed
+        $AllGroupsCache = $null
+
+        # For custom groups, resolve names to IDs and compare
+        $IncludeGroupMatch = $true
+        if ($ExpectedAssignTo -eq 'customGroup' -and $ExpectedCustomGroup) {
+            $AllGroupsCache = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter
+            $ExpectedGroupIds = @(
+                $ExpectedCustomGroup.Split(',').Trim() | ForEach-Object {
+                    $name = $_
+                    $AllGroupsCache | Where-Object { $_.displayName -like $name } | Select-Object -ExpandProperty id
+                } | Where-Object { $_ }
+            )
+            $MissingIds = @($ExpectedGroupIds | Where-Object { $_ -notin $ExistingIncludeGroupIds })
+            $ExtraIds   = @($ExistingIncludeGroupIds | Where-Object { $_ -notin $ExpectedGroupIds })
+            $IncludeGroupMatch = ($MissingIds.Count -eq 0 -and $ExtraIds.Count -eq 0)
+        }
+
+        # Compare exclusion groups
+        $ExcludeGroupMatch = $true
+        if ($ExpectedExcludeGroup) {
+            if (-not $AllGroupsCache) {
+                $AllGroupsCache = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter
+            }
+            $ExpectedExcludeIds = @(
+                $ExpectedExcludeGroup.Split(',').Trim() | ForEach-Object {
+                    $name = $_
+                    $AllGroupsCache | Where-Object { $_.displayName -like $name } | Select-Object -ExpandProperty id
+                } | Where-Object { $_ }
+            )
+            $MissingExcludeIds = @($ExpectedExcludeIds | Where-Object { $_ -notin $ExistingExcludeGroupIds })
+            $ExtraExcludeIds   = @($ExistingExcludeGroupIds | Where-Object { $_ -notin $ExpectedExcludeIds })
+            $ExcludeGroupMatch = ($MissingExcludeIds.Count -eq 0 -and $ExtraExcludeIds.Count -eq 0)
+        } elseif ($ExistingExcludeGroupIds.Count -gt 0) {
+            # No exclusions expected but some exist
+            $ExcludeGroupMatch = $false
+        }
+
+        # Compare assignment filter
+        $FilterMatch = $true
+        if ($ExpectedAssignmentFilter) {
+            $ExistingFilterIds = @(
+                $ExistingAssignments |
+                    Where-Object { $_.target.deviceAndAppManagementAssignmentFilterId } |
+                    ForEach-Object { $_.target.deviceAndAppManagementAssignmentFilterId }
+            )
+            if ($ExistingFilterIds.Count -eq 0) {
+                $FilterMatch = $false
+            } else {
+                $AllFilters = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' -tenantid $TenantFilter
+                $ExpectedFilter = $AllFilters | Where-Object { $_.displayName -like $ExpectedAssignmentFilter } | Select-Object -First 1
+                $FilterMatch = $ExpectedFilter -and ($ExpectedFilter.id -in $ExistingFilterIds)
+            }
+        }
+
+        return $TargetTypeMatch -and $IncludeGroupMatch -and $ExcludeGroupMatch -and $FilterMatch
+
+    } catch {
+        Write-Warning "Compare-CIPPIntuneAssignments failed for tenant $TenantFilter : $($_.Exception.Message)"
+        return $null  # null = unknown, don't treat as mismatch
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsList.ps1

@@ -264,7 +264,7 @@ function Push-CIPPStandardsList {
                 FunctionName = 'CIPPStandard'
             }
         }
-        Write-Host "Sending back $($FilteredStandards.Count) standards: $($FilteredStandards | ConvertTo-Json -Depth 5 -Compress)"
+        Write-Host "Sending back $($FilteredStandards.Count) standards"
         return @($FilteredStandards)
 
     } catch {

Modules/CIPPCore/Public/Get-CIPPIntunePolicyAssignments.ps1

@@ -0,0 +1,72 @@
+function Get-CIPPIntunePolicyAssignments {
+    <#
+    .SYNOPSIS
+        Gets the assignments for an existing Intune policy.
+    .PARAMETER PolicyId
+        The Intune policy ID.
+    .PARAMETER TemplateType
+        The template type (Device, Catalog, Admin, deviceCompliancePolicies, AppProtection,
+        windowsDriverUpdateProfiles, windowsFeatureUpdateProfiles, windowsQualityUpdatePolicies,
+        windowsQualityUpdateProfiles).
+    .PARAMETER TenantFilter
+        The tenant to query.
+    .PARAMETER ExistingPolicy
+        The existing policy object. Required for AppProtection to determine the odata subtype.
+    .FUNCTIONALITY
+        Internal
+    #>
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$PolicyId,
+        [Parameter(Mandatory = $true)]
+        [string]$TemplateType,
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        $ExistingPolicy
+    )
+
+    switch ($TemplateType) {
+        'Device' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'deviceConfigurations'
+        }
+        'Catalog' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'configurationPolicies'
+        }
+        'Admin' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'groupPolicyConfigurations'
+        }
+        'deviceCompliancePolicies' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'deviceCompliancePolicies'
+        }
+        'AppProtection' {
+            $PlatformType = 'deviceAppManagement'
+            $OdataType = if ($ExistingPolicy) { $ExistingPolicy.'@odata.type' -replace '#microsoft.graph.', '' } else { $null }
+            if (-not $OdataType) { return $null }
+            $TypeUrl = if ($OdataType -eq 'windowsInformationProtectionPolicy') { 'windowsInformationProtectionPolicies' } else { "${OdataType}s" }
+        }
+        'windowsDriverUpdateProfiles' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'windowsDriverUpdateProfiles'
+        }
+        'windowsFeatureUpdateProfiles' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'windowsFeatureUpdateProfiles'
+        }
+        'windowsQualityUpdatePolicies' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'windowsQualityUpdatePolicies'
+        }
+        'windowsQualityUpdateProfiles' {
+            $PlatformType = 'deviceManagement'
+            $TypeUrl = 'windowsQualityUpdateProfiles'
+        }
+        default { return $null }
+    }
+
+    $Uri = "https://graph.microsoft.com/beta/$PlatformType/$TypeUrl('$PolicyId')/assignments"
+    return New-GraphGetRequest -uri $Uri -tenantid $TenantFilter
+}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1

@@ -72,8 +72,16 @@ function Invoke-CIPPStandardIntuneTemplate {
     $RawJSON = $rawJsonFromTemplate
     $TemplateType = $Template.Type
 
+    $AssignmentsMatch = $null
     try {
         $ExistingPolicy = Get-CIPPIntunePolicy -tenantFilter $Tenant -DisplayName $displayname -TemplateType $TemplateType
+        if ($ExistingPolicy -and $Settings.verifyAssignments -eq $true) {
+            Write-Information "Verifying assignments for tenant $Tenant"
+            $ExistingAssignments = Get-CIPPIntunePolicyAssignments -PolicyId $ExistingPolicy.id -TemplateType $TemplateType -TenantFilter $Tenant -ExistingPolicy $ExistingPolicy
+            $AssignmentsMatch = Compare-CIPPIntuneAssignments -ExistingAssignments $ExistingAssignments -ExpectedAssignTo $Settings.AssignTo -ExpectedCustomGroup $Settings.customGroup -ExpectedExcludeGroup $Settings.excludeGroup -ExpectedAssignmentFilter $Settings.assignmentFilter -ExpectedAssignmentFilterType $Settings.assignmentFilterType -TenantFilter $Tenant
+
+            Write-Information "AssignmentsMatch for tenant $($Tenant): $AssignmentsMatch"
+        }
     } catch {
         $ExistingPolicy = $null
     }
@@ -113,6 +121,7 @@ function Invoke-CIPPStandardIntuneTemplate {
         customGroup          = $Settings.customGroup
         assignmentFilter     = $Settings.assignmentFilter
         assignmentFilterType = $Settings.assignmentFilterType
+        AssignmentsMatch     = $AssignmentsMatch
     }
 
     if ($Settings.remediate) {
@@ -146,12 +155,21 @@ function Invoke-CIPPStandardIntuneTemplate {
     }
 
     if ($Settings.alert) {
-        $AlertObj = $CompareResult | Select-Object -Property displayname, description, compare, assignTo, excludeGroup, existingPolicyId
-        if ($CompareResult.compare) {
-            Write-StandardsAlert -message "Template $($CompareResult.displayname) does not match the expected configuration." -object $AlertObj -tenant $Tenant -standardName 'IntuneTemplate' -standardId $Settings.templateId
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Template $($CompareResult.displayname) does not match the expected configuration. We've generated an alert" -sev info
+        $AlertObj = $CompareResult | Select-Object -Property displayname, description, compare, assignTo, excludeGroup, existingPolicyId, AssignmentsMatch
+        $AssignmentsDiffer = $Settings.verifyAssignments -and ($null -ne $CompareResult.AssignmentsMatch -and -not $CompareResult.AssignmentsMatch)
+        $HasDifference = $CompareResult.compare -or $AssignmentsDiffer
+        if ($HasDifference) {
+            $Message = if ($CompareResult.compare) {
+                "Template $($CompareResult.displayname) does not match the expected configuration."
+            } elseif ($AssignmentsDiffer) {
+                "Template $($CompareResult.displayname) has incorrect assignments."
+            } else {
+                "Template $($CompareResult.displayname) does not match the expected configuration."
+            }
+            Write-StandardsAlert -message $Message -object $AlertObj -tenant $Tenant -standardName 'IntuneTemplate' -standardId $Settings.templateId
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "$Message We've generated an alert" -sev info
         } else {
-            if ($CompareResult.ExistingPolicyId) {
+            if ($CompareResult.existingPolicyId) {
                 Write-LogMessage -API 'Standards' -tenant $Tenant -message "Template $($CompareResult.displayname) has the correct configuration." -sev Info
             } else {
                 Write-StandardsAlert -message "Template $($CompareResult.displayname) is missing." -object $AlertObj -tenant $Tenant -standardName 'IntuneTemplate' -standardId $Settings.templateId
@@ -173,6 +191,11 @@ function Invoke-CIPPStandardIntuneTemplate {
             description = $CompareResult.description
             isCompliant = $true
         }
+
+        if ($Settings.verifyAssignments) {
+            $CurrentValue['isAssigned'] = if ($null -ne $CompareResult.AssignmentsMatch) { $CompareResult.AssignmentsMatch } else { $false }
+            $ExpectedValue['isAssigned'] = $true
+        }
         Set-CIPPStandardsCompareField -FieldName "standards.IntuneTemplate.$id" -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant
         #Add-CIPPBPAField -FieldName "policy-$id" -FieldValue $Compare -StoreAs bool -Tenant $tenant
     }

host.json

@@ -10,8 +10,8 @@
   "functionTimeout": "00:10:00",
   "extensions": {
     "durableTask": {
-      "maxConcurrentActivityFunctions": 20,
-      "maxConcurrentOrchestratorFunctions": 5,
+      "maxConcurrentActivityFunctions": 5,
+      "maxConcurrentOrchestratorFunctions": 1,
       "tracing": {
         "distributedTracingEnabled": false,
         "version": "None"