Skip to content

Commit 5d93e5e

Browse files
committed
Add group exclusion support to Set-CIPPCAExclusion
Enhanced Set-CIPPCAExclusion to handle group exclusions in addition to user exclusions for conditional access policies. The function now supports adding and removing group exclusions, updates logging to distinguish between users and groups, and improves identifier handling for ShouldProcess prompts.
1 parent a201138 commit 5d93e5e

1 file changed

Lines changed: 81 additions & 22 deletions

File tree

Modules/CIPPCore/Public/Set-CIPPCAExclusion.ps1

Lines changed: 81 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,31 @@ function Set-CIPPCAExclusion {
77
$PolicyId,
88
$Username,
99
$Users,
10+
$Groups,
1011
$Headers
1112
)
1213
try {
1314
$CheckExisting = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)" -tenantid $TenantFilter -AsApp $true
1415
if ($ExclusionType -eq 'add') {
15-
if ($Users) {
16+
if ($Groups) {
17+
# Handle group exclusions
18+
$Groupnames = $Groups.addedFields.displayName
19+
$ExcludeGroups = [System.Collections.Generic.List[string]]::new()
20+
foreach ($Group in $CheckExisting.conditions.users.excludeGroups) {
21+
$ExcludeGroups.Add($Group)
22+
}
23+
foreach ($Group in $Groups.value) {
24+
if ($Group -and $Group -ne '' -and $ExcludeGroups -notcontains $Group) {
25+
$ExcludeGroups.Add($Group)
26+
}
27+
}
28+
$NewExclusions = [pscustomobject]@{
29+
conditions = [pscustomobject]@{ users = [pscustomobject]@{
30+
excludeGroups = $ExcludeGroups
31+
}
32+
}
33+
}
34+
} elseif ($Users) {
1635
$Username = $Users.addedFields.userPrincipalName
1736
$ExcludeUsers = [System.Collections.Generic.List[string]]::new()
1837
foreach ($User in $CheckExisting.conditions.users.excludeUsers) {
@@ -29,7 +48,7 @@ function Set-CIPPCAExclusion {
2948
}
3049
}
3150
}
32-
} else {
51+
} elseif ($UserID) {
3352
if ($UserID -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
3453
$Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($UserID)" -tenantid $TenantFilter).userPrincipalName
3554
}
@@ -43,52 +62,92 @@ function Set-CIPPCAExclusion {
4362

4463
$RawJson = ConvertTo-Json -Depth 10 -InputObject $NewExclusions
4564

46-
if ($Users) {
47-
$UserIdentifier = ($Username -join ', ')
65+
if ($Groups) {
66+
$Identifier = ($Groupnames -join ', ')
67+
$IdentifierType = 'group'
68+
} elseif ($Users) {
69+
$Identifier = ($Username -join ', ')
70+
$IdentifierType = 'user'
4871
} else {
49-
$UserIdentifier = $UserID
72+
$Identifier = $UserID
73+
$IdentifierType = 'user'
5074
}
51-
if ($PSCmdlet.ShouldProcess($PolicyId, "Add exclusion for $UserIdentifier")) {
75+
if ($PSCmdlet.ShouldProcess($PolicyId, "Add exclusion for $IdentifierType $Identifier")) {
5276
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExisting.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON -AsApp $true
5377
}
5478
}
5579

5680
if ($ExclusionType -eq 'remove') {
57-
if ($Users) {
81+
if ($Groups) {
82+
# Handle group exclusions removal
83+
$GroupID = $Groups.value | Where-Object { $_ -and $_ -ne '' }
84+
$Groupnames = $Groups.addedFields.displayName
85+
$NewExclusions = [pscustomobject]@{
86+
conditions = [pscustomobject]@{ users = [pscustomobject]@{
87+
excludeGroups = @($CheckExisting.conditions.users.excludeGroups | Where-Object { $GroupID -notcontains $_ })
88+
}
89+
}
90+
}
91+
} elseif ($Users) {
5892
$UserID = $Users.value | Where-Object { $_ -and $_ -ne '' }
5993
$Username = $Users.addedFields.userPrincipalName
94+
$NewExclusions = [pscustomobject]@{
95+
conditions = [pscustomobject]@{ users = [pscustomobject]@{
96+
excludeUsers = @($CheckExisting.conditions.users.excludeUsers | Where-Object { $UserID -notcontains $_ })
97+
}
98+
}
99+
}
60100
} else {
61101
if ($UserID -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
62102
$Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($UserID)" -tenantid $TenantFilter).userPrincipalName
63103
}
64104
$UserID = @($UserID)
65-
}
66-
$NewExclusions = [pscustomobject]@{
67-
conditions = [pscustomobject]@{ users = [pscustomobject]@{
68-
excludeUsers = @($CheckExisting.conditions.users.excludeUsers | Where-Object { $UserID -notcontains $_ })
105+
$NewExclusions = [pscustomobject]@{
106+
conditions = [pscustomobject]@{ users = [pscustomobject]@{
107+
excludeUsers = @($CheckExisting.conditions.users.excludeUsers | Where-Object { $UserID -notcontains $_ })
108+
}
69109
}
70110
}
71111
}
72112
$RawJson = ConvertTo-Json -Depth 10 -InputObject $NewExclusions
73-
74-
if ($Users) {
75-
$UserIdentifier = ($Username -join ', ')
113+
114+
if ($Groups) {
115+
$Identifier = ($Groupnames -join ', ')
116+
$IdentifierType = 'group'
117+
} elseif ($Users) {
118+
$Identifier = ($Username -join ', ')
119+
$IdentifierType = 'user'
76120
} else {
77-
$UserIdentifier = $UserID
121+
$Identifier = $UserID
122+
$IdentifierType = 'user'
78123
}
79-
if ($PSCmdlet.ShouldProcess($PolicyId, "Remove exclusion for $UserIdentifier")) {
124+
if ($PSCmdlet.ShouldProcess($PolicyId, "Remove exclusion for $IdentifierType $Identifier")) {
80125
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExisting.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON -AsApp $true
81126
}
82127
}
83128

84-
foreach ($User in $Username) {
85-
"Successfully performed $($ExclusionType) exclusion for $User from policy $($CheckExisting.displayName)"
86-
Write-LogMessage -headers $Headers -API 'Set-CIPPCAExclusion' -message "Successfully performed $($ExclusionType) exclusion for $User from policy $($CheckExisting.displayName)" -Sev 'Info' -tenant $TenantFilter
129+
if ($Groups) {
130+
foreach ($Group in $Groupnames) {
131+
"Successfully performed $($ExclusionType) exclusion for group $Group from policy $($CheckExisting.displayName)"
132+
Write-LogMessage -headers $Headers -API 'Set-CIPPCAExclusion' -message "Successfully performed $($ExclusionType) exclusion for group $Group from policy $($CheckExisting.displayName)" -Sev 'Info' -tenant $TenantFilter
133+
}
134+
} else {
135+
foreach ($User in $Username) {
136+
"Successfully performed $($ExclusionType) exclusion for $User from policy $($CheckExisting.displayName)"
137+
Write-LogMessage -headers $Headers -API 'Set-CIPPCAExclusion' -message "Successfully performed $($ExclusionType) exclusion for $User from policy $($CheckExisting.displayName)" -Sev 'Info' -tenant $TenantFilter
138+
}
87139
}
88140
} catch {
89-
foreach ($User in $Username) {
90-
"Failed to $($ExclusionType) user exclusion for $User from policy $($CheckExisting.displayName): $($_.Exception.Message)"
91-
Write-LogMessage -headers $Headers -API 'Set-CIPPCAExclusion' -message "Failed to $($ExclusionType) user exclusion for $User from policy $($CheckExisting.displayName): $_" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_)
141+
if ($Groups) {
142+
foreach ($Group in $Groupnames) {
143+
"Failed to $($ExclusionType) group exclusion for $Group from policy $($CheckExisting.displayName): $($_.Exception.Message)"
144+
Write-LogMessage -headers $Headers -API 'Set-CIPPCAExclusion' -message "Failed to $($ExclusionType) group exclusion for $Group from policy $($CheckExisting.displayName): $_" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_)
145+
}
146+
} else {
147+
foreach ($User in $Username) {
148+
"Failed to $($ExclusionType) user exclusion for $User from policy $($CheckExisting.displayName): $($_.Exception.Message)"
149+
Write-LogMessage -headers $Headers -API 'Set-CIPPCAExclusion' -message "Failed to $($ExclusionType) user exclusion for $User from policy $($CheckExisting.displayName): $_" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_)
150+
}
92151
}
93152
}
94153
}

0 commit comments

Comments
 (0)