added action to "Deploy to Custom Group" for authentication methods

isgq-github01 · isgq-github01 · commit 9148b20b1430 · 2026-02-12T11:00:42.000+10:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Invoke-SetAuthMethod.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Invoke-SetAuthMethod.ps1
@@ -15,10 +15,47 @@ function Invoke-SetAuthMethod {
     $State = if ($Request.Body.state -eq 'enabled') { $true } else { $false }
     $TenantFilter = $Request.Body.tenantFilter
     $AuthenticationMethodId = $Request.Body.Id
+    $GroupIdsRaw = $Request.Body.GroupIds
+
+    function Get-StandardizedList {
+        param($InputObject)
+
+        if ($null -eq $InputObject) { return @() }
+
+        if ($InputObject -is [string]) {
+            return @(
+                $InputObject -split ',' |
+                    ForEach-Object { $_.Trim() } |
+                    Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
+            )
+        }
+
+        if ($InputObject -is [array] -or $InputObject -is [System.Collections.IEnumerable]) {
+            return @(
+                $InputObject |
+                    ForEach-Object { "$_".Trim() } |
+                    Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
+            )
+        }
+
+        return @("$InputObject".Trim()) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
+    }
+
+    $GroupIds = Get-StandardizedList -InputObject $GroupIdsRaw
 
 
     try {
-        $Result = Set-CIPPAuthenticationPolicy -Tenant $TenantFilter -APIName $APIName -AuthenticationMethodId $AuthenticationMethodId -Enabled $State -Headers $Headers
+        $Params = @{
+            Tenant                 = $TenantFilter
+            APIName                = $APIName
+            AuthenticationMethodId = $AuthenticationMethodId
+            Enabled                = $State
+            Headers                = $Headers
+        }
+        if (@($GroupIds).Count -gt 0) {
+            $Params.GroupIds = @($GroupIds)
+        }
+        $Result = Set-CIPPAuthenticationPolicy @Params
         $StatusCode = [HttpStatusCode]::OK
     } catch {
         $Result = $_.Exception.Message
diff --git a/Modules/CIPPCore/Public/Set-CIPPAuthenticationPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAuthenticationPolicy.ps1
@@ -10,6 +10,7 @@ function Set-CIPPAuthenticationPolicy {
         $TAPDefaultLifeTime = 60, #minutes
         $TAPDefaultLength = 8, #TAP password generated length in chars
         $TAPisUsableOnce = $true,
+        [Parameter()][string[]]$GroupIds,
         [Parameter()][ValidateRange(1, 395)]$QRCodeLifetimeInDays = 365,
         [Parameter()][ValidateRange(8, 20)]$QRCodePinLength = 8,
         $APIName = 'Set Authentication Policy',
@@ -118,6 +119,40 @@ function Set-CIPPAuthenticationPolicy {
             throw "Somehow you hit the default case with an input of $AuthenticationMethodId . You probably made a typo in the input for AuthenticationMethodId. It`'s case sensitive."
         }
     }
+
+    if ($PSBoundParameters.ContainsKey('GroupIds') -and @($GroupIds).Count -gt 0) {
+        $ResolvedGroupIds = @(
+            @($GroupIds) |
+                ForEach-Object { "$_".Trim() } |
+                Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
+                Select-Object -Unique
+        )
+
+        if ($ResolvedGroupIds.Count -gt 0) {
+            $TargetTemplate = $null
+            if ($CurrentInfo.includeTargets -and @($CurrentInfo.includeTargets).Count -gt 0) {
+                $TargetTemplate = $CurrentInfo.includeTargets | Select-Object -First 1
+            }
+
+            $CurrentInfo.includeTargets = @(
+                foreach ($GroupId in $ResolvedGroupIds) {
+                    $TargetProperties = [ordered]@{}
+                    if ($TargetTemplate) {
+                        foreach ($Property in $TargetTemplate.PSObject.Properties) {
+                            if ($Property.Name -ne 'id' -and $Property.Name -ne 'targetType') {
+                                $TargetProperties[$Property.Name] = $Property.Value
+                            }
+                        }
+                    }
+                    $TargetProperties.targetType = 'group'
+                    $TargetProperties.id = $GroupId
+                    [pscustomobject]$TargetProperties
+                }
+            )
+            $OptionalLogMessage = "$OptionalLogMessage and targeted groups set to $($ResolvedGroupIds -join ', ')"
+        }
+    }
+
     # Set state of the authentication method
     try {
         if ($PSCmdlet.ShouldProcess($AuthenticationMethodId, "Set state to $State $OptionalLogMessage")) {
