isgq-github01 · isgq-github01 · Feb 13, 2026 · Jan 4, 2026 · Jan 12, 2026 · Jan 12, 2026
diff --git a/Config/standards.json b/Config/standards.json
@@ -4835,6 +4835,46 @@
       }
     ]
   },
+  {
+    "name": "standards.ReusableSettingsTemplate",
+    "cat": "Templates",
+    "label": "Reusable Settings Template",
+    "multiple": true,
+    "disabledFeatures": {
+      "report": false,
+      "warn": false,
+      "remediate": false
+    },
+    "impact": "Low Impact",
+    "impactColour": "info",
+    "addedDate": "2026-01-11",
+    "helpText": "Deploy and maintain Intune reusable settings templates that can be referenced by multiple policies.",
+    "executiveText": "Creates and keeps reusable Intune settings templates consistent so common firewall and configuration blocks can be reused across many policies.",
+    "addedComponent": [
+      {
+        "type": "autoComplete",
+        "multiple": true,
+        "creatable": false,
+        "required": true,
+        "name": "TemplateList",
+        "label": "Select Reusable Settings Template",
+        "api": {
+          "queryKey": "ListIntuneReusableSettingTemplates",
+          "url": "/api/ListIntuneReusableSettingTemplates",
+          "labelField": "displayName",
+          "valueField": "GUID",
+          "showRefresh": true,
+          "templateView": {
+            "title": "Reusable Settings",
+            "property": "RawJSON",
+            "type": "intune"
+          }
+        }
+      }
+    ],
+    "powershellEquivalent": "",
+    "recommendedBy": []
+  },
   {
     "name": "standards.TransportRuleTemplate",
     "label": "Transport Rule Template",

diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1
@@ -0,0 +1,89 @@
+function Get-CIPPAlertInactiveGuestUsers {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        [Parameter(Mandatory = $false)]
+        [switch]$IncludeNeverSignedIn, # Include users who have never signed in (default is to skip them), future use would allow this to be set in an alert configuration
+        $TenantFilter
+    )
+
+    try {
+        try {
+            $inactiveDays = 90
+            $excludeDisabled = $false
+
+            $excludeDisabled = [bool]$InputValue.ExcludeDisabled
+            if ($null -ne $InputValue.DaysSinceLastLogin -and $InputValue.DaysSinceLastLogin -ne '') {
+                $parsedDays = 0
+                if ([int]::TryParse($InputValue.DaysSinceLastLogin.ToString(), [ref]$parsedDays) -and $parsedDays -gt 0) {
+                    $inactiveDays = $parsedDays
+                }
+            }
+
+
+
+            $Lookup = (Get-Date).AddDays(-$inactiveDays).ToUniversalTime()
+            Write-Host "Checking for guest users inactive since $Lookup (excluding disabled: $excludeDisabled)"
+            # Build base filter - cannot filter assignedLicenses server-side
+            $BaseFilter = if ($excludeDisabled) { 'accountEnabled eq true' } else { '' }
+
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/users?`$filter=$BaseFilter&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            } else {
+                "https://graph.microsoft.com/beta/users?`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri-tenantid $TenantFilter | Where-Object { $_.userType -eq 'Guest' }
+
+            $AlertData = foreach ($user in $GraphRequest) {
+                $lastInteractive = $user.signInActivity.lastSignInDateTime
+                $lastNonInteractive = $user.signInActivity.lastNonInteractiveSignInDateTime
+
+                # Find most recent sign-in
+                $lastSignIn = $null
+                if ($lastInteractive -and $lastNonInteractive) {
+                    $lastSignIn = if ([DateTime]$lastInteractive -gt [DateTime]$lastNonInteractive) { $lastInteractive } else { $lastNonInteractive }
+                } elseif ($lastInteractive) {
+                    $lastSignIn = $lastInteractive
+                } elseif ($lastNonInteractive) {
+                    $lastSignIn = $lastNonInteractive
+                }
+
+                # Check if inactive
+                $isInactive = (-not $lastSignIn) -or ([DateTime]$lastSignIn -le $Lookup)
+                # Skip users who have never signed in by default (unless IncludeNeverSignedIn is specified)
+                if (-not $IncludeNeverSignedIn -and -not $lastSignIn) { continue }
+                # Only process inactive users
+                if ($isInactive) {
+
+                    if (-not $lastSignIn) {
+                        $Message = 'Guest user {0} has never signed in.' -f $user.UserPrincipalName
+                    } else {
+                        $daysSinceSignIn = [Math]::Round(((Get-Date) - [DateTime]$lastSignIn).TotalDays)
+                        $Message = 'Guest user {0} has been inactive for {1} days. Last sign-in: {2}' -f $user.UserPrincipalName, $daysSinceSignIn, $lastSignIn
+                    }
+
+
+                    [PSCustomObject]@{
+                        UserPrincipalName   = $user.UserPrincipalName
+                        Id                  = $user.id
+                        lastSignIn          = $lastSignIn
+                        DaysSinceLastSignIn = if ($daysSinceSignIn) { $daysSinceSignIn } else { 'N/A' }
+                        Message             = $Message
+                        Tenant              = $TenantFilter
+                    }
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1
@@ -0,0 +1,85 @@
+function Get-CIPPAlertInactiveUsers {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        [Parameter(Mandatory = $false)]
+        [switch]$IncludeNeverSignedIn, # Include users who have never signed in (default is to skip them), future use would allow this to be set in an alert configuration
+        $TenantFilter
+    )
+
+    try {
+        try {
+            $inactiveDays = 90
+            $excludeDisabled = $false
+
+            $excludeDisabled = [bool]$InputValue.ExcludeDisabled
+            if ($null -ne $InputValue.DaysSinceLastLogin -and $InputValue.DaysSinceLastLogin -ne '') {
+                $parsedDays = 0
+                if ([int]::TryParse($InputValue.DaysSinceLastLogin.ToString(), [ref]$parsedDays) -and $parsedDays -gt 0) {
+                    $inactiveDays = $parsedDays
+                }
+            }
+
+            $Lookup = (Get-Date).AddDays(-$inactiveDays).ToUniversalTime()
+            Write-Host "Checking for users inactive since $Lookup (excluding disabled: $excludeDisabled)"
+            # Build base filter - cannot filter accountEnabled server-side
+            $BaseFilter = if ($excludeDisabled) { 'accountEnabled eq true' } else { '' }
+
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/users?`$filter=$BaseFilter&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            } else {
+                "https://graph.microsoft.com/beta/users?`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri -tenantid $TenantFilter | Where-Object { $_.userType -eq 'Member' }
+
+            $AlertData = foreach ($user in $GraphRequest) {
+                $lastInteractive = $user.signInActivity.lastSignInDateTime
+                $lastNonInteractive = $user.signInActivity.lastNonInteractiveSignInDateTime
+
+                # Find most recent sign-in
+                $lastSignIn = $null
+                if ($lastInteractive -and $lastNonInteractive) {
+                    $lastSignIn = if ([DateTime]$lastInteractive -gt [DateTime]$lastNonInteractive) { $lastInteractive } else { $lastNonInteractive }
+                } elseif ($lastInteractive) {
+                    $lastSignIn = $lastInteractive
+                } elseif ($lastNonInteractive) {
+                    $lastSignIn = $lastNonInteractive
+                }
+
+                # Check if inactive
+                $isInactive = (-not $lastSignIn) -or ([DateTime]$lastSignIn -le $Lookup)
+                # Skip users who have never signed in by default (unless IncludeNeverSignedIn is specified)
+                if (-not $IncludeNeverSignedIn -and -not $lastSignIn) { continue }
+                # Only process inactive users
+                if ($isInactive) {
+                    if (-not $lastSignIn) {
+                        $Message = 'User {0} has never signed in.' -f $user.UserPrincipalName
+                    } else {
+                        $daysSinceSignIn = [Math]::Round(((Get-Date) - [DateTime]$lastSignIn).TotalDays)
+                        $Message = 'User {0} has been inactive for {1} days. Last sign-in: {2}' -f $user.UserPrincipalName, $daysSinceSignIn, $lastSignIn
+                    }
+
+                    [PSCustomObject]@{
+                        UserPrincipalName   = $user.UserPrincipalName
+                        Id                  = $user.id
+                        lastSignIn          = $lastSignIn
+                        DaysSinceLastSignIn = if ($daysSinceSignIn) { $daysSinceSignIn } else { 'N/A' }
+                        Message             = $Message
+                        Tenant              = $TenantFilter
+                    }
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1
@@ -20,6 +20,15 @@ function Get-CIPPAlertMFAAdmins {
         if (!$DuoActive) {
             $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
                 Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+
+            # Filter out JIT admins if any users were found
+            if ($Users) {
+                $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
+                $JITAdmins = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true" -tenantid $TenantFilter -ComplexFilter
+                $JITAdminIds = $JITAdmins.id
+                $Users = $Users | Where-Object { $_.id -notin $JITAdminIds }
+            }
+
             if ($Users.UserPrincipalName) {
                 $AlertData = foreach ($user in $Users) {
                     [PSCustomObject]@{

diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1
@@ -0,0 +1,83 @@
+function Get-CIPPAlertStaleEntraDevices {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        try {
+            $inactiveDays = 90
+
+            $excludeDisabled = [bool]$InputValue.ExcludeDisabled
+            if ($null -ne $InputValue.DaysSinceLastActivity -and $InputValue.DaysSinceLastActivity -ne '') {
+                $parsedDays = 0
+                if ([int]::TryParse($InputValue.DaysSinceLastActivity.ToString(), [ref]$parsedDays) -and $parsedDays -gt 0) {
+                    $inactiveDays = $parsedDays
+                }
+            }
+
+            $Lookup = (Get-Date).AddDays(-$inactiveDays).ToUniversalTime()
+            Write-Host "Checking for inactive Entra devices since $Lookup (excluding disabled: $excludeDisabled)"
+            # Build base filter - cannot filter accountEnabled server-side
+            $BaseFilter = if ($excludeDisabled) { 'accountEnabled eq true' } else { '' }
+
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/devices?`$filter=$BaseFilter"
+            } else {
+                'https://graph.microsoft.com/beta/devices'
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri -tenantid $TenantFilter
+
+            $AlertData = foreach ($device in $GraphRequest) {
+
+                $lastActivity = $device.approximateLastSignInDateTime
+
+                $isInactive = (-not $lastActivity) -or ([DateTime]$lastActivity -le $Lookup)
+                # Only process stale Entra devices
+                if ($isInactive) {
+
+                    if (-not $lastActivity) {
+
+                        $Message = 'Device {0} has never been active' -f $device.displayName
+                    } else {
+                        $daysSinceLastActivity = [Math]::Round(((Get-Date) - [DateTime]$lastActivity).TotalDays)
+                        $Message = 'Device {0} has been inactive for {1} days. Last activity: {2}' -f $device.displayName, $daysSinceLastActivity, $lastActivity
+                    }
+
+                    if ($device.TrustType -eq 'Workplace') { $TrustType = 'Entra registered' }
+                    elseif ($device.TrustType -eq 'AzureAd') { $TrustType = 'Entra joined' }
+                    elseif ($device.TrustType -eq 'ServerAd') { $TrustType = 'Entra hybrid joined' }
+
+                    [PSCustomObject]@{
+                        DeviceName            = if ($device.displayName) { $device.displayName } else { 'N/A' }
+                        Id                    = if ($device.id) { $device.id } else { 'N/A' }
+                        deviceOwnership       = if ($device.deviceOwnership) { $device.deviceOwnership } else { 'N/A' }
+                        operatingSystem       = if ($device.operatingSystem) { $device.operatingSystem } else { 'N/A' }
+                        enrollmentType        = if ($device.enrollmentType) { $device.enrollmentType } else { 'N/A' }
+                        Enabled               = if ($device.accountEnabled) { $device.accountEnabled } else { 'N/A' }
+                        Managed               = if ($device.isManaged) { $device.isManaged } else { 'N/A' }
+                        Complaint             = if ($device.isCompliant) { $device.isCompliant } else { 'N/A' }
+                        JoinType              = $TrustType
+                        lastActivity          = if ($lastActivity) { $lastActivity } else { 'N/A' }
+                        DaysSinceLastActivity = if ($daysSinceLastActivity) { $daysSinceLastActivity } else { 'N/A' }
+                        RegisteredDateTime    = if ($device.createdDateTime) { $device.createdDateTime } else { 'N/A' }
+                        Message               = $Message
+                        Tenant                = $TenantFilter
+                    }
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}
diff --git a/Modules/CIPPCore/Public/Compare-CIPPIntuneObject.ps1 b/Modules/CIPPCore/Public/Compare-CIPPIntuneObject.ps1
@@ -295,7 +295,7 @@ function Compare-CIPPIntuneObject {
                             foreach ($groupValue in $child.groupSettingCollectionValue) {
                                 if ($groupValue.children) {
                                     $nestedResults = Process-GroupSettingChildren -Children $groupValue.children -Source $Source -IntuneCollection $IntuneCollection
-                                    $results.AddRange($nestedResults)
+                                    foreach ($nr in $nestedResults) { $results.Add($nr) }
                                 }
                             }
                         }
@@ -381,7 +381,7 @@ function Compare-CIPPIntuneObject {
                 # Also process any children within choice setting values
                 if ($child.choiceSettingValue?.children) {
                     $nestedResults = Process-GroupSettingChildren -Children $child.choiceSettingValue.children -Source $Source -IntuneCollection $IntuneCollection
-                    $results.AddRange($nestedResults)
+                    foreach ($nr in $nestedResults) { $results.Add($nr) }
                 }
             }
 
@@ -399,7 +399,7 @@ function Compare-CIPPIntuneObject {
                         foreach ($groupValue in $settingInstance.groupSettingCollectionValue) {
                             if ($groupValue.children -is [System.Array]) {
                                 $childResults = Process-GroupSettingChildren -Children $groupValue.children -Source 'Reference' -IntuneCollection $intuneCollection
-                                $groupResults.AddRange($childResults)
+                                foreach ($cr in $childResults) { $groupResults.Add($cr) }
                             }
                         }
                         # Return the results from the recursive processing
@@ -471,7 +471,7 @@ function Compare-CIPPIntuneObject {
                         foreach ($groupValue in $settingInstance.groupSettingCollectionValue) {
                             if ($groupValue.children -is [System.Array]) {
                                 $childResults = Process-GroupSettingChildren -Children $groupValue.children -Source 'Difference' -IntuneCollection $intuneCollection
-                                $groupResults.AddRange($childResults)
+                                foreach ($cr in $childResults) { $groupResults.Add($cr) }
                             }
                         }
                         # Return the results from the recursive processing