feat: InTune Template exclude

KelvinTegelaar · Feb 20, 2025 · 22d419f · 22d419f
1 parent 7f19c2a
commit 22d419f
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 20 deletions.
diff --git a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
@@ -2,6 +2,7 @@ function Set-CIPPAssignedPolicy {
     [CmdletBinding(SupportsShouldProcess = $true)]
     param(
         $GroupName,
+        $excludeGroup,
         $PolicyId,
         $Type,
         $TenantFilter,
@@ -11,25 +12,23 @@ function Set-CIPPAssignedPolicy {
     )
     if (!$PlatformType) { $PlatformType = 'deviceManagement' }
     try {
-        $assignmentsObject = switch ($GroupName) {
+        $assignmentsObject = @()
+
+        $assignmentsObject += switch ($GroupName) {
             'allLicensedUsers' {
-                @(
-                    @{
-                        target = @{
-                            '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
-                        }
+                @{
+                    target = @{
+                        '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
                     }
-                )
+                }
                 break
             }
             'AllDevices' {
-                @(
-                    @{
-                        target = @{
-                            '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
-                        }
+                @{
+                    target = @{
+                        '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
                     }
-                )
+                }
                 break
             }
             'AllDevicesAndUsers' {
@@ -45,6 +44,7 @@ function Set-CIPPAssignedPolicy {
                         }
                     }
                 )
+                break
             }
             default {
                 Write-Host "We're supposed to assign a custom group. The group is $GroupName"
@@ -53,30 +53,52 @@ function Set-CIPPAssignedPolicy {
                     $Group = $_
                     foreach ($SingleName in $GroupNames) {
                         if ($_.displayName -like $SingleName) {
-                            $group.id
+                            $_.id
                         }
                     }
                 }
-                foreach ($Group in $GroupIds) {
+                $GroupIds | ForEach-Object {
                     @{
                         target = @{
                             '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
-                            groupId       = $Group
+                            groupId       = $_
                         }
                     }
                 }
             }
         }
+
+        # Handle excludeGroup
+        if ($excludeGroup) {
+            $ExcludeGroupNames = $excludeGroup.Split(',')
+            $ExcludeGroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter | ForEach-Object {
+                $Group = $_
+                foreach ($SingleName in $ExcludeGroupNames) {
+                    if ($_.displayName -like $SingleName) {
+                        $_.id
+                    }
+                }
+            }
+            $ExcludeGroupIds | ForEach-Object {
+                $assignmentsObject += @{
+                    target = @{
+                        '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
+                        groupId       = $_
+                    }
+                }
+            }
+        }
+
         $assignmentsObject = [PSCustomObject]@{
-            assignments = @($assignmentsObject)
+            assignments = $assignmentsObject
         }
 
         $AssignJSON = ($assignmentsObject | ConvertTo-Json -Depth 10 -Compress)
         Write-Host "AssignJSON: $AssignJSON"
         if ($PSCmdlet.ShouldProcess($GroupName, "Assigning policy $PolicyId")) {
             Write-Host "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
             $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign" -tenantid $tenantFilter -type POST -body $AssignJSON
-            Write-LogMessage -headers $Headers -API $APIName -message "Assigned $GroupName to Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+            Write-LogMessage -headers $Headers -API $APIName -message "Assigned $GroupName and excluded $excludeGroup to Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
         }
     } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message

diff --git a/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
@@ -6,6 +6,7 @@ function Set-CIPPIntunePolicy {
         $DisplayName,
         $RawJSON,
         $AssignTo,
+        $excludeGroup,
         $Headers,
         $APINAME,
         $tenantFilter
@@ -135,7 +136,7 @@ function Set-CIPPIntunePolicy {
             Write-Host "Assigning policy to $($AssignTo) with ID $($CreateRequest.id) and type $TemplateTypeURL for tenant $tenantFilter"
             Write-Host "ID is $($CreateRequest.id)"
 
-            Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenantFilter
+            Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenantFilter -excludeGroup $excludeGroup
         }
         return "Successfully $($PostType) policy for $($tenantFilter) with display name $($Displayname)"
     } catch {

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
@@ -46,7 +46,7 @@ function Invoke-CIPPStandardIntuneTemplate {
                 $description = $request.body.Description
                 $RawJSON = $Request.body.RawJSON
                 $Template.customGroup ? ($Template.AssignTo = $Template.customGroup) : $null
-                Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $Template.AssignTo -tenantFilter $Tenant
+                Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $Template.AssignTo -excludeGroup $Template.excludeGroup -tenantFilter $Tenant
 
             } catch {
                 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message