diff --git a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 index 671daa0667fa..9b1714c3a6fe 100644 --- a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 @@ -2,6 +2,7 @@ function Set-CIPPAssignedPolicy { [CmdletBinding(SupportsShouldProcess = $true)] param( $GroupName, + $excludeGroup, $PolicyId, $Type, $TenantFilter, @@ -11,25 +12,23 @@ function Set-CIPPAssignedPolicy { ) if (!$PlatformType) { $PlatformType = 'deviceManagement' } try { - $assignmentsObject = switch ($GroupName) { + $assignmentsObject = @() + + $assignmentsObject += switch ($GroupName) { 'allLicensedUsers' { - @( - @{ - target = @{ - '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' - } + @{ + target = @{ + '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } - ) + } break } 'AllDevices' { - @( - @{ - target = @{ - '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' - } + @{ + target = @{ + '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } - ) + } break } 'AllDevicesAndUsers' { @@ -45,6 +44,7 @@ function Set-CIPPAssignedPolicy { } } ) + break } default { Write-Host "We're supposed to assign a custom group. The group is $GroupName" 
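Review bot: The new `$excludeGroup` parameter in the first hunk is declared without a type or any description, and its camelCase name breaks the PascalCase convention of its neighbours (`$GroupName`, `$PolicyId`, `$TenantFilter`); the parameter added to Set-CIPPIntunePolicy.ps1 later in this diff has the same two issues. Further down in this file the value is split on commas and each piece is matched against group display names with `-like`, so the contract is a comma-separated list of display-name wildcard patterns, which is worth stating where the parameter is declared. Declaring it as `[string]$ExcludeGroup,  # comma-separated display-name patterns (matched with -like) to exclude from the assignment` makes the string-only `.Split(',')` use explicit, and existing `-excludeGroup` callers keep binding because PowerShell matches parameter names case-insensitively.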
@@ -53,22 +53,44 @@ function Set-CIPPAssignedPolicy {
 $Group = $_
 foreach ($SingleName in $GroupNames) {
 if ($_.displayName -like $SingleName) {
- $group.id
+ $_.id
 }
 }
 }
- foreach ($Group in $GroupIds) {
+ $GroupIds | ForEach-Object {
 @{
 target = @{
 '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
- groupId = $Group
+ groupId = $_
 }
 }
 }
 }
 }
+
+ # Handle excludeGroup
+ if ($excludeGroup) {
+ $ExcludeGroupNames = $excludeGroup.Split(',')
+ $ExcludeGroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter | ForEach-Object {
+ $Group = $_
+ foreach ($SingleName in $ExcludeGroupNames) {
+ if ($_.displayName -like $SingleName) {
+ $_.id
+ }
+ }
+ }
+ $ExcludeGroupIds | ForEach-Object {
+ $assignmentsObject += @{
+ target = @{
+ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
+ groupId = $_
+ }
+ }
+ }
+ }
+
 $assignmentsObject = [PSCustomObject]@{
- assignments = @($assignmentsObject)
+ assignments = $assignmentsObject
 }
 $AssignJSON = ($assignmentsObject | ConvertTo-Json -Depth 10 -Compress)
@@ -76,7 +98,7 @@ function Set-CIPPAssignedPolicy {
 if ($PSCmdlet.ShouldProcess($GroupName, "Assigning policy $PolicyId")) {
 Write-Host "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
 $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign" -tenantid $tenantFilter -type POST -body $AssignJSON
- Write-LogMessage -headers $Headers -API $APIName -message "Assigned $GroupName to Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+ Write-LogMessage -headers $Headers -API $APIName -message "Assigned $GroupName and excluded $excludeGroup to Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
 }
 } catch {
 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
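Review bot: Replacing `foreach ($Group in $GroupIds)` with `$GroupIds | ForEach-Object { ... }` changes behaviour when no display name matched: `$GroupIds` is then `$null`, and piping `$null` into ForEach-Object runs the block once, so the assignments list gains a `groupAssignmentTarget` whose `groupId` is empty, whereas the statement form iterated zero times; the new `$ExcludeGroupIds | ForEach-Object` block has the same problem and emits an `exclusionGroupAssignmentTarget` with no id. Keeping the statement form, `foreach ($Id in $GroupIds) { @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $Id } } }` and `foreach ($Id in $ExcludeGroupIds) { $assignmentsObject += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $Id } } }`, preserves the earlier semantics, and if a failed lookup should be an error it is better to throw explicitly when the id list is empty than to rely on Graph rejecting a null groupId. The exclusion block also repeats the full `/beta/groups` fetch that the `default` branch (which begins outside this hunk) already performed a few lines earlier, and `$Group = $_` is now dead in both ForEach-Object blocks since the id is read from `$_`. Finally, exclusions are resolved like assignments by `-like` against display names, which are neither unique nor immutable in the directory, so an exclusion entry containing wildcard characters can match more groups than intended; a comment such as `# Exclusions are matched by display-name wildcard, not by object id` next to `$ExcludeGroupNames` would make that explicit.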
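Review bot: The reworded log line in the second hunk produces `Assigned X and excluded  to Policy Y` whenever `$excludeGroup` is empty, which is the common case for callers that only pass `-GroupName`. Building the message conditionally keeps the previous wording for that case: `$Outcome = if ($excludeGroup) { "Assigned $GroupName and excluded $excludeGroup to Policy $PolicyId" } else { "Assigned $GroupName to Policy $PolicyId" }` followed by `-message $Outcome`. The `ShouldProcess($GroupName, ...)` target on the first context line could likewise include the exclusions so that `-WhatIf` output reflects the full change being made.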
diff --git a/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
index 85323c33a79d..64c51dfd5db5 100644
--- a/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
@@ -6,6 +6,7 @@ function Set-CIPPIntunePolicy {
 $DisplayName,
 $RawJSON,
 $AssignTo,
+ $excludeGroup,
 $Headers,
 $APINAME,
 $tenantFilter
@@ -135,7 +136,7 @@ function Set-CIPPIntunePolicy {
 Write-Host "Assigning policy to $($AssignTo) with ID $($CreateRequest.id) and type $TemplateTypeURL for tenant $tenantFilter"
 Write-Host "ID is $($CreateRequest.id)"
- Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenantFilter
+ Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenantFilter -excludeGroup $excludeGroup
 }
 return "Successfully $($PostType) policy for $($tenantFilter) with display name $($Displayname)"
 } catch {
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
index 68a437bd4bc4..7b61b1574aea 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
@@ -46,7 +46,7 @@ function Invoke-CIPPStandardIntuneTemplate {
 $description = $request.body.Description
 $RawJSON = $Request.body.RawJSON
 $Template.customGroup ? ($Template.AssignTo = $Template.customGroup) : $null
- Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $Template.AssignTo -tenantFilter $Tenant
+ Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $Template.AssignTo -excludeGroup $Template.excludeGroup -tenantFilter $Tenant
 } catch {
 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
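Review bot: `$Template.excludeGroup` is forwarded straight from the request-body template on the changed line, with none of the normalisation the `customGroup` line above applies to `AssignTo`; downstream it is split on commas and matched with `-like` against group display names, so a template carrying a non-string value for this field would presumably fail inside Set-CIPPAssignedPolicy's catch rather than at this call site. A short comment on the call, `# excludeGroup: comma-separated display-name patterns, matched with -like in Set-CIPPAssignedPolicy`, would document the expected shape for anyone editing templates. The enclosing try block begins outside the hunk.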