Skip to content

Auto repair invalid Provider JSON, PowerPlatform 3.1 tenant isolation hotfix, Fix AAD crash when no tenant licenses#2255

Merged
tkol2022 merged 12 commits into
mainfrom
2043-PP31-tenant-isolation-returns-hotfix
Jul 8, 2026
Merged

Auto repair invalid Provider JSON, PowerPlatform 3.1 tenant isolation hotfix, Fix AAD crash when no tenant licenses#2255
tkol2022 merged 12 commits into
mainfrom
2043-PP31-tenant-isolation-returns-hotfix

Conversation

@tkol2022

@tkol2022 tkol2022 commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

🗣 Description

Based on recent troubleshooting with a large agency and historical crashes this PR address the following core problems:

  • Enhances Invoke-Scuba and Invoke-ScubaCached to automatically repair invalid JSON created from the ScubaGear providers. Every so often one of the providers encountered a coding mishap or condition which produces JSON that is syntactically wrong causing ScubaGear to crash. This is a major problem for agencies, particularly when they are gearing up for BOD submissions.
  • Prevents the AAD provider from either crashing or producing unexpected results when there are no licenses in the tenant. In version 1.8.0 this condition caused a type inconsistency with the $PrivilegedServicePrincipals hashtable.
  • Ensures that PowerPlatform produces a Rego output for policy 3.1 tenant isolation, when the tenant has never had this configuration modified. This was fixed in a prior release but based on recent troubleshooting the Rego code was slightly off when I examined a provider JSON from a real world tenant.

Closes #2247
Closes #2246

💭 Motivation and context

Helps reduce trouble tickets and debugging sessions for agencies and Scuba developers. Helps agencies get a version of ScubaGear that is more resilient to uncommon condition faults.

🧪 Testing

I have prepared a spreadsheet with explicit testing scenarios and instructions, along with some screenshots to help reviewers. See comment. Please feel free to come up with your own test cases based on your understanding of the changes.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • PR/feature branch passes functional tests for relevant products, if applicable.

  • Feature branch has been rebased against changes from parent branch, as needed.

    Use Update branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch.

  • Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Close issues resolved by this PR if the closing keywords did not activate.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

tkol2022 added 5 commits June 28, 2026 19:38
… null based on actual data from an agency tenant where the feature was never configured. Added auto repair of invalid JSON file to Invoke-ScubaCached; works for both invalid provider settings JSON files and invalid ScubaResults files. Streamlined processing of provider JSON versus ScubaResults JSON files to make Invoke-ScubaCached more resilient and have a documented, deterministic execution flow.
…of null based on actual data from an agency tenant. Same change to the respective functional test.
…which was generated by any of the providers. Fixed bug that crashes AAD when PrivilegedServicePrincipals is empty due to no $ServicePlans in the tenant; this bug was from an agency.
… attempting to repair it. If not it crashes when the provider does not produce any JSON.
@tkol2022

Copy link
Copy Markdown
Collaborator Author

Testing

Please reference this spreadsheet for the testing scenarios. Note that some of the tests are centered on changed to Invoke-ScubaCached whereas others are centered on Invoke-Scuba.

JSONRepairTestCases.xlsx

Here is what the message looks like when Invoke-Scuba auto repairs JSON output from a provider.
scubagear invalid json repair message

Here is how to simulate invalid provider JSON produced by Invoke-Scuba. Notice that there is variable after the field name.
simulate invalid powerbi json

Here is how to simulate no licenses in the tenant by modifying ExportAADprovider.
simulate no licenses in tenant

Here is what a JSON file looks like with invalid data in it (the field name is there but there is no associated data) (this is what you will be using for the Invoke-ScubaCached tests).
image

@tkol2022 tkol2022 added this to the Riptide milestone Jun 30, 2026
@tkol2022 tkol2022 added bug This issue or pull request addresses broken functionality enhancement This issue or pull request will add new or improve existing functionality labels Jun 30, 2026
@tkol2022 tkol2022 force-pushed the 2043-PP31-tenant-isolation-returns-hotfix branch from bacb215 to 8925329 Compare July 1, 2026 15:54
…Invoke-ScubaCached with Invoke-Scuba in next release.
@tkol2022

tkol2022 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator Author

FYI, I had to comment out some Pester tests in Invoke-ScubaCached.Tests.ps1 that were failing. All the Invoke-ScubaCached pester tests will need to be rewritten once we merge that cmdlet with Invoke-Scuba via #2217.

…gins to README for Invoke-Scuba and message to console output.
@tkol2022

tkol2022 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator Author

I added a message about the 2.0.0 release and the need to pass -M365Environment for interactive logins against non-commercial tenants until we enhance that in the next release.

image image

@JosephRWalter JosephRWalter left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went through all the tests in the testcase file, they all performed as expected. Looks good.

@mitchelbaker-cisa mitchelbaker-cisa left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went through all test scenarios and received the expected output. For test scenario 16 (putting invalid JSON in the providers), I tested with invalid JSON keys in one, two, and three different providers. They were all repaired for each case.

Left a few small comments for you to review below but looks good otherwise.

Comment thread README.md Outdated
Comment thread PowerShell/ScubaGear/Modules/Orchestrator.psm1 Outdated
tkol2022 and others added 4 commits July 8, 2026 10:48
…login parameter

Co-authored-by: mitchelbaker-cisa <149098823+mitchelbaker-cisa@users.noreply.github.com>
…ggestion

Co-authored-by: mitchelbaker-cisa <149098823+mitchelbaker-cisa@users.noreply.github.com>
@tkol2022

tkol2022 commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator Author

@mitchelbaker-cisa I made your suggested updates. Kindly approve if sastifactory.

@mitchelbaker-cisa mitchelbaker-cisa left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for resolving the comments, Ted!

@tkol2022

tkol2022 commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator Author

Smoke test was successful.

Functional tests failed for SS, EXO tenant 1 and Teams tenant 7.

EXO tenant 1 failed due to a random error fetching the tenant name from Get-OrganizationConfig so unrelated to my code.

Teams failed due to Get-TeamsTenantDetail: [0] : Request cancelled so unrelated to my code.

Security Suite failures seem to be the same ones on main so unrelated to my code.

@tkol2022 tkol2022 merged commit 6e10a42 into main Jul 8, 2026
21 checks passed
@tkol2022 tkol2022 deleted the 2043-PP31-tenant-isolation-returns-hotfix branch July 8, 2026 21:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug This issue or pull request addresses broken functionality enhancement This issue or pull request will add new or improve existing functionality

Projects

None yet

3 participants