advania · pull · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
diff --git a/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 b/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1
@@ -221,7 +221,8 @@ function Add-CIPPScheduledTask {
                         $Parameters.'$select' = $task.Trigger.WatchedAttributes | ForEach-Object { $_.value ?? $_ } -join ','
                     }
                     if ($task.Trigger.ResourceFilter) {
-                        $Parameters.'$filter' = "id eq '" + $task.Trigger.ResourceFilter | ForEach-Object { $_.value ?? $_ } -join "' or id eq '"
+                        $ResourceFilterValues = $task.Trigger.ResourceFilter | ForEach-Object { $_.value ?? $_ }
+                        $Parameters.'$filter' = "id eq '" + ($ResourceFilterValues -join "' or id eq '") + "'"
                     }
                     $Resource = $task.Trigger.DeltaResource.value ?? $task.Trigger.DeltaResource
 

diff --git a/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1 b/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1
@@ -8,6 +8,17 @@ function Clear-CIPPImmutableId {
     )
 
     try {
+        try {
+            $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -ErrorAction SilentlyContinue
+        } catch {
+            $DeletedUser = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directory/deletedItems/$UserID" -tenantid $TenantFilter
+            if ($DeletedUser.id) {
+                # Restore deleted user object
+                $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/directory/deletedItems/$UserID/restore" -tenantid $TenantFilter -type POST
+                Write-LogMessage -headers $Headers -API $APIName -message "Restored deleted user $UserID to clear immutable ID" -sev Info -tenant $TenantFilter
+            }
+        }
+
         $Body = [pscustomobject]@{ onPremisesImmutableId = $null }
         $Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress
         $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body

diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1
@@ -35,9 +35,9 @@ function Invoke-ExecTenantGroup {
                 if ($groupDescription) {
                     $GroupEntity.Description = $groupDescription
                 }
-                $GroupEntity.GroupType = $groupType
+                $GroupEntity | Add-Member -NotePropertyName 'GroupType' -NotePropertyValue $groupType -Force
                 if ($groupType -eq 'dynamic' -and $dynamicRules) {
-                    $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -depth 100 -Compress)"
+                    $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -Depth 100 -Compress)"
                     $GroupEntity | Add-Member -NotePropertyName 'RuleLogic' -NotePropertyValue $ruleLogic -Force
                 } else {
                     $GroupEntity | Add-Member -NotePropertyName 'RuleLogic' -NotePropertyValue $null -Force
@@ -52,7 +52,7 @@ function Invoke-ExecTenantGroup {
                     GroupType    = $groupType
                 }
                 if ($groupType -eq 'dynamic' -and $dynamicRules) {
-                    $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -depth 100 -Compress)"
+                    $GroupEntity.DynamicRules = "$($dynamicRules | ConvertTo-Json -Depth 100 -Compress)"
                     $GroupEntity.RuleLogic = $ruleLogic
                 }
                 Add-CIPPAzDataTableEntity @Table -Entity $GroupEntity -Force

diff --git a/...ic/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1 b/...ic/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1
@@ -11,7 +11,7 @@ function Invoke-CIPPOffboardingJob {
     if ($Options -is [string]) {
         $Options = $Options | ConvertFrom-Json
     }
-    $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)?`$select=id,displayName" -tenantid $TenantFilter
+    $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)?`$select=id,displayName,onPremisesSyncEnabled,onPremisesImmutableId" -tenantid $TenantFilter
     $UserID = $User.id
     $DisplayName = $User.displayName
     Write-Host "Running offboarding job for $Username with options: $($Options | ConvertTo-Json -Depth 10)"
@@ -182,10 +182,45 @@ function Invoke-CIPPOffboardingJob {
             }
         }
         { $_.ClearImmutableId -eq $true } {
-            try {
-                Clear-CIPPImmutableID -UserID $userid -TenantFilter $TenantFilter -Headers $Headers -APIName $APIName
-            } catch {
-                $_.Exception.Message
+            if ($User.onPremisesSyncEnabled -ne $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) {
+                Write-LogMessage -Message "User $Username has an ImmutableID set but is not synced from on-premises. Proceeding to clear the ImmutableID." -TenantFilter $TenantFilter -Severity 'Warning' -APIName $APIName -Headers $Headers
+                try {
+                    Clear-CIPPImmutableID -UserID $userid -TenantFilter $TenantFilter -Headers $Headers -APIName $APIName
+                } catch {
+                    $_.Exception.Message
+                }
+            } elseif ($User.onPremisesSyncEnabled -eq $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) {
+                Write-LogMessage -Message "User $Username is synced from on-premises. Scheduling an Immutable ID clear for when the user account has been soft deleted." -TenantFilter $TenantFilter -Severity 'Error' -APIName $APIName -Headers $Headers
+
+                $ScheduledTask = @{
+                    TenantFilter  = $TenantFilter
+                    Name          = "Clear Immutable ID: $Username"
+                    Command       = @{
+                        value = 'Clear-CIPPImmutableID'
+                    }
+                    Parameters    = [pscustomobject]@{
+                        userid  = $userid
+                        APIName = $APIName
+                        Headers = $Headers
+                    }
+                    Trigger       = @{
+                        Type               = 'DeltaQuery'
+                        DeltaResource      = 'users'
+                        ResourceFilter     = @($UserID)
+                        EventType          = 'deleted'
+                        UseConditions      = $false
+                        ExecutePerResource = $true
+                        ExecutionMode      = 'once'
+                    }
+                    ScheduledTime = [int64](([datetime]::UtcNow).AddMinutes(5) - (Get-Date '1/1/1970')).TotalSeconds
+                    Recurrence    = '15m'
+                    PostExecution = @{
+                        Webhook = $false
+                        Email   = $false
+                        PSA     = $false
+                    }
+                }
+                Add-CIPPScheduledTask -Task $ScheduledTask -hidden $false
             }
         }
     }

diff --git a/version_latest.txt b/version_latest.txt
@@ -1 +1 @@
-8.6.0
+8.6.1