[pull] main from KelvinTegelaar:main

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cipp",
-  "version": "10.5.3",
+  "version": "10.5.4",
   "author": "CIPP Contributors",
   "homepage": "https://cipp.app/",
   "bugs": {

public/version.json

@@ -1,3 +1,3 @@
 {
-  "version": "10.5.3"
-}
+  "version": "10.5.4"
+}

src/components/CippComponents/CippUserActions.jsx

@@ -451,6 +451,7 @@ export const useCippUserActions = () => {
       confirmText:
         'Are you sure you want to create a Temporary Access Pass for [userPrincipalName]?',
       multiPost: false,
+      allowResubmit: true,
       condition: () => canWriteUser,
     },
     {

src/components/ReleaseNotesDialog.js

@@ -168,11 +168,7 @@ export const ReleaseNotesDialog = forwardRef((_props, ref) => {
 
   const releaseListQuery = ApiGetCall({
     url: '/api/ListGitHubReleaseNotes',
-    queryKey: 'list-github-release-options',
-    data: {
-      Owner: RELEASE_OWNER,
-      Repository: RELEASE_REPO,
-    },
+    queryKey: `list-github-release-options`,
     waiting: shouldFetchReleaseList,
     staleTime: 300000,
   })
@@ -484,7 +480,13 @@ export const ReleaseNotesDialog = forwardRef((_props, ref) => {
         >
           View release notes on GitHub
         </Button>
-        <Stack alignItems="center" direction="row" flexWrap="wrap" gap={1} justifyContent="flex-end">
+        <Stack
+          alignItems="center"
+          direction="row"
+          flexWrap="wrap"
+          gap={1}
+          justifyContent="flex-end"
+        >
           <Button
             onClick={handleDismissPermanently}
             size="small"

src/data/CIPPDBCacheTypes.json

@@ -328,5 +328,10 @@
     "type": "DetectedApps",
     "friendlyName": "Detected Apps",
     "description": "All detected applications with devices where each app is installed"
+  },
+  {
+    "type": "IntuneAppInstallStatus",
+    "friendlyName": "Intune App Install Status",
+    "description": "Per-application install status rollup (failed/installed/pending device counts) from the AppInstallStatusAggregate report"
   }
 ]

src/data/alerts.json

@@ -391,7 +391,7 @@
   {
     "name": "IntunePolicyConflicts",
     "label": "Alert on Intune policy or app conflicts/errors",
-    "recommendedRunInterval": "4h",
+    "recommendedRunInterval": "1d",
     "requiresInput": true,
     "multipleInput": true,
     "inputs": [

src/pages/security/compliance/dlp/index.js

@@ -22,6 +22,7 @@ const Page = () => {
         return { ...data }
       },
       confirmText: 'Are you sure you want to create a template based on this DLP policy?',
+      hideBulk: true,
     },
     {
       label: 'Enable Policy',

src/pages/tools/custom-tests/add.jsx

@@ -814,10 +814,12 @@ All UPNs: {{join(Result[*].UserPrincipalName, ", ")}}`,
                     </Typography>
                   </Stack>
                   <Typography variant="caption" color="text.secondary">
-                    AST allowlist — approved cmdlets only. <code>+=</code> is blocked. Data access
-                    is automatically tenant-locked — do not pass{' '}
-                    <code>-TenantFilter</code>. Type <code>%</code> in the editor for replacement
-                    variables.
+                    Runs in PowerShell <strong>ConstrainedLanguage</strong> — approved cmdlets
+                    only. <code>New-Object</code>, <code>{'[pscustomobject]@{}'}</code> casts, and
+                    .NET/reflection are blocked. Build rows with{' '}
+                    <code>{'Select-Object @{Name;Expression}'}</code> and return a plain{' '}
+                    <code>{'@{}'}</code> hashtable. Data access is tenant-locked — do not pass{' '}
+                    <code>-TenantFilter</code>. Type <code>%</code> for replacement variables.
                   </Typography>
                 </Box>
               </Grid>
@@ -907,20 +909,11 @@ $Licenses | ForEach-Object {
 # Build results - users with their resolved license names
 $results = $Users | Where-Object {
     $_.assignedLicenses.Count -gt 0
-} | ForEach-Object {
-    $user = $_
-    $licenseNames = @($user.assignedLicenses | ForEach-Object {
-        $name = $SkuLookup[$_.skuId]
-        if ($name) { $name } else { $_.skuId }
-    })
-    [PSCustomObject]@{
-        UserPrincipalName = $user.userPrincipalName
-        DisplayName       = $user.displayName
-        AccountEnabled    = $user.accountEnabled
-        LicenseCount      = $licenseNames.Count
-        Licenses          = $licenseNames -join ', '
-    }
-}
+} | Select-Object @{Name='UserPrincipalName'; Expression={ $_.userPrincipalName }},
+    @{Name='DisplayName'; Expression={ $_.displayName }},
+    @{Name='AccountEnabled'; Expression={ $_.accountEnabled }},
+    @{Name='LicenseCount'; Expression={ @($_.assignedLicenses).Count }},
+    @{Name='Licenses'; Expression={ (@($_.assignedLicenses | ForEach-Object { $n = $SkuLookup[$_.skuId]; if ($n) { $n } else { $_.skuId } }) -join ', ') }}
 
 # Build markdown table
 $header = "### Licensed Users: $($results.Count)\\n\\n| User | Display Name | Enabled | Licenses |\\n|---|---|---|---|"
@@ -968,14 +961,10 @@ $Users = Get-CIPPTestData -Type 'Users'
 $Users | Where-Object {
     $_.accountEnabled -eq $false -and
     $_.assignedLicenses.Count -gt 0
-} | ForEach-Object {
-    [PSCustomObject]@{
-        UserPrincipalName = $_.userPrincipalName
-        DisplayName       = $_.displayName
-        LicenseCount      = $_.assignedLicenses.Count
-        Message           = 'Disabled account with active license(s)'
-    }
-}`}
+} | Select-Object @{Name='UserPrincipalName'; Expression={ $_.userPrincipalName }},
+    @{Name='DisplayName'; Expression={ $_.displayName }},
+    @{Name='LicenseCount'; Expression={ @($_.assignedLicenses).Count }},
+    @{Name='Message'; Expression={ 'Disabled account with active license(s)' }}`}
                   language="powershell"
                   showLineNumbers={true}
                 />
@@ -1008,14 +997,10 @@ $RegDetails = Get-CIPPTestData -Type 'UserRegistrationDetails'
 $noMfa = $RegDetails | Where-Object {
     $_.methodsRegistered.Count -eq 0 -and
     $_.userType -ne 'guest'
-} | ForEach-Object {
-    [PSCustomObject]@{
-        UserPrincipalName = $_.userPrincipalName
-        UserDisplayName   = $_.userDisplayName
-        IsAdmin           = $_.isAdmin
-        Message           = 'No MFA methods registered'
-    }
-}
+} | Select-Object @{Name='UserPrincipalName'; Expression={ $_.userPrincipalName }},
+    @{Name='UserDisplayName'; Expression={ $_.userDisplayName }},
+    @{Name='IsAdmin'; Expression={ $_.isAdmin }},
+    @{Name='Message'; Expression={ 'No MFA methods registered' }}
 
 $count = @($noMfa).Count
 if ($count -gt 0) {
@@ -1068,18 +1053,11 @@ $cutoff = (Get-Date).AddDays(-$DaysThreshold)
 $Guests | Where-Object {
     -not $_.signInActivity.lastSignInDateTime -or
     [datetime]$_.signInActivity.lastSignInDateTime -lt $cutoff
-} | ForEach-Object {
-    $lastSign = if ($_.signInActivity.lastSignInDateTime) {
-        $_.signInActivity.lastSignInDateTime
-    } else { 'Never' }
-    [PSCustomObject]@{
-        UserPrincipalName = $_.userPrincipalName
-        DisplayName       = $_.displayName
-        CreatedDateTime   = $_.createdDateTime
-        LastSignIn        = $lastSign
-        Message           = "No sign-in within $DaysThreshold days"
-    }
-}`}
+} | Select-Object @{Name='UserPrincipalName'; Expression={ $_.userPrincipalName }},
+    @{Name='DisplayName'; Expression={ $_.displayName }},
+    @{Name='CreatedDateTime'; Expression={ $_.createdDateTime }},
+    @{Name='LastSignIn'; Expression={ if ($_.signInActivity.lastSignInDateTime) { $_.signInActivity.lastSignInDateTime } else { 'Never' } }},
+    @{Name='Message'; Expression={ "No sign-in within $DaysThreshold days" }}`}
                   language="powershell"
                   showLineNumbers={true}
                 />
@@ -1111,12 +1089,8 @@ $Guests | Where-Object {
 $Policies = Get-CIPPTestData -Type 'ConditionalAccessPolicies'
 $grouped = $Policies | Group-Object -Property state
 
-$counts = $grouped | ForEach-Object {
-    [PSCustomObject]@{
-        State = $_.Name
-        Count = $_.Count
-    }
-}
+$counts = $grouped | Select-Object @{Name='State'; Expression={ $_.Name }},
+    @{Name='Count'; Expression={ $_.Count }}
 
 # Build markdown summary — %tenantname% is replaced at runtime
 $header = "### %tenantname% — CA Policies: $(@($Policies).Count) total\n\n| State | Count |\n|---|---|"
@@ -1428,6 +1402,13 @@ $md = $summaryTable + "\n\n---\n\n" + $policyTable
                       Type <code>%</code> to insert replacement variables (e.g.{' '}
                       <code>%tenantid%</code>, <code>%defaultdomain%</code>, or custom variables).
                     </Typography>
+                    <Alert severity="info" sx={{ mt: 1 }}>
+                      Scripts run in <strong>ConstrainedLanguage</strong>. Build output rows with{' '}
+                      <code>{'Select-Object @{Name;Expression}'}</code> (not{' '}
+                      <code>{'[pscustomobject]@{}'}</code>) and return a{' '}
+                      <code>{'@{ CIPPStatus = ... }'}</code> hashtable. <code>New-Object</code> and
+                      .NET reflection are blocked.
+                    </Alert>
                     {hasTenantFilterParam && (
                       <Alert severity="warning" sx={{ mt: 1 }}>
                         <code>-TenantFilter</code> is not needed — data access functions are