fix: Record permission update status and adjust retry logic

JohnDuprey · JohnDuprey · commit cd2d86a1e09f · 2026-02-27T11:46:28.000-05:00
Capture results from Add-CIPPApplicationPermission/Add-CIPPDelegatedPermission, detect and aggregate permission failures (excluding service principal creation failures), and log success/warn messages accordingly. Persist LastStatus and LastError to the CPV graph row so downstream logic knows whether the update succeeded. Also add an error log in the catch block.

Update the orchestrator selection logic to use LastStatus when deciding retry interval: failed or missing statuses are retried after 1 day, successful tenants after 7 days. This makes retries for failing tenants more aggressive while avoiding unnecessary reprocessing of stable tenants.
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1
@@ -25,9 +25,24 @@ function Push-UpdatePermissionsQueue {
             $DomainRefreshRequired = $true
         }
         Write-Information 'Updating permissions'
-        Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
-        Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
-        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.displayName)" -Sev 'Info' -API 'UpdatePermissionsQueue'
+        $AppResults = Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
+        $DelegatedResults = Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -tenantfilter $Item.customerId
+
+        # Check for permission failures (excluding service principal creation failures)
+        $AllResults = @($AppResults) + @($DelegatedResults)
+        $PermissionFailures = $AllResults | Where-Object { 
+            $_ -like '*Failed*' -and 
+            $_ -notlike '*Failed to create service principal*'
+        }
+
+        if ($PermissionFailures) {
+            $Status = 'Failed'
+            $FailureMessage = ($PermissionFailures -join '; ')
+            Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Permission update completed with failures for $($Item.displayName): $FailureMessage" -Sev 'Warn' -API 'UpdatePermissionsQueue'
+        } else {
+            $Status = 'Success'
+            Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.displayName)" -Sev 'Info' -API 'UpdatePermissionsQueue'
+        }
 
         if ($Item.defaultDomainName -ne 'PartnerTenant') {
             Write-Information 'Pushing CIPP-SAM admin roles'
@@ -38,11 +53,15 @@ function Push-UpdatePermissionsQueue {
         $unixtime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
         $GraphRequest = @{
             LastApply     = "$unixtime"
+            LastStatus    = "$Status"
             applicationId = "$($env:ApplicationID)"
             Tenant        = "$($Item.customerId)"
             PartitionKey  = 'Tenant'
             RowKey        = "$($Item.customerId)"
         }
+        if ($PermissionFailures) {
+            $GraphRequest.LastError = $FailureMessage
+        }
         Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force
 
         if ($DomainRefreshRequired) {
@@ -53,5 +72,6 @@ function Push-UpdatePermissionsQueue {
         }
     } catch {
         Write-Information "Error updating permissions for $($Item.displayName)"
+        Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Error updating permissions for $($Item.displayName) - $($_.Exception.Message)" -Sev 'Error' -API 'UpdatePermissionsQueue'
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-UpdatePermissionsOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-UpdatePermissionsOrchestrator.ps1
@@ -43,7 +43,13 @@ function Start-UpdatePermissionsOrchestrator {
 
         $Tenants = $Tenants | ForEach-Object {
             $CPVRow = $CPVRows | Where-Object -Property Tenant -EQ $_.customerId
-            if (!$CPVRow -or $env:ApplicationID -notin $CPVRow.applicationId -or $SAMPermissions.Timestamp -gt $CPVRow.Timestamp.DateTime -or $CPVRow.Timestamp.DateTime -le (Get-Date).AddDays(-7).ToUniversalTime() -or !$_.defaultDomainName -or ($SAMroles.Timestamp.DateTime -gt $CPVRow.Timestamp.DateTime -and ($SAMRoles.Tenants -contains $_.defaultDomainName -or $SAMRoles.Tenants.value -contains $_.defaultDomainName -or $SAMRoles.Tenants -contains 'AllTenants' -or $SAMRoles.Tenants.value -contains 'AllTenants'))) {
+
+            # Determine retry interval based on last status
+            # No status or Failed status: retry after 1 day, Success: retry after 7 days
+            $RetryDays = if (!$CPVRow.LastStatus -or $CPVRow.LastStatus -eq 'Failed') { -1 } else { -7 }
+            $NeedsRetry = $CPVRow.Timestamp.DateTime -le (Get-Date).AddDays($RetryDays).ToUniversalTime()
+
+            if (!$CPVRow -or $env:ApplicationID -notin $CPVRow.applicationId -or $SAMPermissions.Timestamp -gt $CPVRow.Timestamp.DateTime -or $NeedsRetry -or !$_.defaultDomainName -or ($SAMroles.Timestamp.DateTime -gt $CPVRow.Timestamp.DateTime -and ($SAMRoles.Tenants -contains $_.defaultDomainName -or $SAMRoles.Tenants.value -contains $_.defaultDomainName -or $SAMRoles.Tenants -contains 'AllTenants' -or $SAMRoles.Tenants.value -contains 'AllTenants'))) {
                 $_
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,13 @@ function Start-UpdatePermissionsOrchestrator {`
`43`	`43`
`44`	`44`	`$Tenants = $Tenants \| ForEach-Object {`
`45`	`45`	`$CPVRow = $CPVRows \| Where-Object -Property Tenant -EQ $_.customerId`
`46`		- if (!$CPVRow -or $env:ApplicationID -notin $CPVRow.applicationId -or $SAMPermissions.Timestamp -gt $CPVRow.Timestamp.DateTime -or $CPVRow.Timestamp.DateTime -le (Get-Date).AddDays(-7).ToUniversalTime() -or !$_.defaultDomainName -or ($SAMroles.Timestamp.DateTime -gt $CPVRow.Timestamp.DateTime -and ($SAMRoles.Tenants -contains $_.defaultDomainName -or $SAMRoles.Tenants.value -contains $_.defaultDomainName -or $SAMRoles.Tenants -contains 'AllTenants' -or $SAMRoles.Tenants.value -contains 'AllTenants'))) {
	`46`	`+`
	`47`	`+ # Determine retry interval based on last status`
	`48`	`+ # No status or Failed status: retry after 1 day, Success: retry after 7 days`
	`49`	`+ $RetryDays = if (!$CPVRow.LastStatus -or $CPVRow.LastStatus -eq 'Failed') { -1 } else { -7 }`
	`50`	`+ $NeedsRetry = $CPVRow.Timestamp.DateTime -le (Get-Date).AddDays($RetryDays).ToUniversalTime()`
	`51`	`+`
	`52`	`+ if (!$CPVRow -or $env:ApplicationID -notin $CPVRow.applicationId -or $SAMPermissions.Timestamp -gt $CPVRow.Timestamp.DateTime -or $NeedsRetry -or !$_.defaultDomainName -or ($SAMroles.Timestamp.DateTime -gt $CPVRow.Timestamp.DateTime -and ($SAMRoles.Tenants -contains $_.defaultDomainName -or $SAMRoles.Tenants.value -contains $_.defaultDomainName -or $SAMRoles.Tenants -contains 'AllTenants' -or $SAMRoles.Tenants.value -contains 'AllTenants'))) {`
`47`	`53`	`$_`
`48`	`54`	`}`
`49`	`55`	`}`