Fix MS CNAME DKIM breaking DA and fix default domain duplication for deleted tenants

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1

@@ -256,13 +256,16 @@ function Push-DomainAnalyserDomain {
                 continue
             }
             # Test if there are already MSCNAME values set, skip domain if there is
-            $CurrentMSCNAMEInfo = ConvertFrom-Json $DomainObject.DomainAnalyser -Depth 10
-            if (![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector1.Value) -and
-                ![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector2.Value)) {
-                $Result.MSCNAMEDKIMSelectors = $CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors
-                continue
+            if ($null -ne $DomainObject.DomainAnalyser) {
+                $CurrentMSCNAMEInfo = ConvertFrom-Json $DomainObject.DomainAnalyser -Depth 10
+                if (![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector1.Value) -and
+                    ![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector2.Value)) {
+                    $Result.MSCNAMEDKIMSelectors = $CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors
+                    continue
+                }
             }
 
+
             # Compute the DKIM CNAME records from $Tenant.InitialDomainName according to this logic: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure#syntax-for-dkim-cname-records
             # Test if it has a - in the domain name
             if ($Domain -like '*-*') {
@@ -298,9 +301,9 @@ function Push-DomainAnalyserDomain {
             }
             $Result.MSCNAMEDKIMSelectors = $MSCNAMERecords
         } catch {
-            $Message = 'MS DKIM CNAME Error'
-            Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
-            return $Message
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message "MS CNAME DKIM error: $($ErrorMessage.NormalizedError)" -LogData $ErrorMessage -sev Error
+            return $ErrorMessage.NormalizedError
         }
     }
 

Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1

@@ -55,7 +55,7 @@ function Get-Tenants {
     }
 
     if ($CleanOld) {
-        $GDAPRelationships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=status eq 'active' and not startsWith(displayName,'MLT_')&`$select=customer,autoExtendDuration,endDateTime`$top=300" -NoAuthCheck:$true
+        $GDAPRelationships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=status eq 'active' and not startsWith(displayName,'MLT_')&`$select=customer,autoExtendDuration,endDateTime&`$top=300" -NoAuthCheck:$true
         $GDAPList = foreach ($Relationship in $GDAPRelationships) {
             [PSCustomObject]@{
                 customerId      = $Relationship.customer.tenantId
@@ -86,7 +86,9 @@ function Get-Tenants {
 
         $ActiveRelationships = $GDAPList | Where-Object $IncludedTenantFilter | Where-Object { $_.customerId -notin $SkipListCache.customerId }
         $TenantList = $ActiveRelationships | Group-Object -Property customerId | ForEach-Object {
-            #Write-Host "Processing $($_.Name) to add to tenant list."
+
+            # Write-Host (ConvertTo-Json -InputObject $_ -Depth 10)
+            # Write-Host "Processing $($_.Name), $($_.displayName) to add to tenant list."
             $ExistingTenantInfo = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$($_.Name)'"
             if ($TriggerRefresh.IsPresent -and $ExistingTenantInfo.customerId) {
                 # Reset error count
@@ -111,13 +113,17 @@ function Get-Tenants {
                 } catch {
                     try {
                         #doing alternative method to temporarily get domains. Nightly refresh will fix this as it will be marked for renew.
-                        $Domain = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='$($LatestRelationship.customerId)')" -NoAuthCheck:$true).defaultDomainName
-                        $defaultDomainName = $Domain
-                        $initialDomainName = $Domain
+                        Write-Host 'Main method failed, trying alternative method.'
+                        Write-Host "Domain variable is $Domain"
+                        $Domain = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='$($LatestRelationship.customerId)')" -NoAuthCheck:$true ).defaultDomainName
+                        Write-Host "Alternative method worked, got domain $Domain."
                         $RequiresRefresh = $true
-
                     } catch {
-                        Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($_.Exception.Message)" -level 'Critical'
+                        $ErrorMessage = Get-CippException -Exception $_
+                        Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($_.Exception.Message)" -Sev 'Critical' -LogData $ErrorMessage
+                    } finally {
+                        $defaultDomainName = $Domain
+                        $initialDomainName = $Domain
                     }
                 }
                 Write-Host 'finished getting domain'
@@ -175,7 +181,7 @@ function Get-Tenants {
 
         }
         foreach ($Tenant in $TenantList | Where-Object $IncludedTenantFilter) {
-            if ($Tenant.defaultDomainName -eq 'Invalid' -or !$Tenant.defaultDomainName) {
+            if ($Tenant.defaultDomainName -eq 'Invalid' -or [string]::IsNullOrWhiteSpace($Tenant.defaultDomainName)) {
                 Write-LogMessage -API 'Get-Tenants' -message "We're skipping $($Tenant.displayName) as it has an invalid default domain name. Something is up with this instance." -level 'Critical'
                 continue
             }