
Commit 236715d

Merge pull request #1323 from markheydon/fix-intune-policy-assignment
Fixed App Protection policy assignment and group exclusions from Standards run
2 parents f18bbad + 16b314c commit 236715d

4 files changed

+48
-37
lines changed


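--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddPolicy.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddPolicy.ps1
@@ -18,6 +18,7 @@ Function Invoke-AddPolicy {
 $displayname = $Request.Body.displayName
 $description = $Request.Body.Description
 $AssignTo = if ($Request.Body.AssignTo -ne 'on') { $Request.Body.AssignTo }
+$ExcludeGroup = $Request.Body.excludeGroup
 $Request.body.customGroup ? ($AssignTo = $Request.body.customGroup) : $null
 $RawJSON = $Request.Body.RAWJson
 
@@ -27,7 +28,7 @@ Function Invoke-AddPolicy {
 }
 try {
 Write-Host 'Calling Adding policy'
-Set-CIPPIntunePolicy -TemplateType $Request.body.TemplateType -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $AssignTo -tenantFilter $Tenant -Headers $Request.Headers
+Set-CIPPIntunePolicy -TemplateType $Request.body.TemplateType -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $AssignTo -ExcludeGroup $ExcludeGroup -tenantFilter $Tenant -Headers $Request.Headers
 Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname)" -Sev 'Info'
 } catch {
 "$($_.Exception.Message)"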
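Review bot: The new `$ExcludeGroup = $Request.Body.excludeGroup` on line 21 takes the request value as-is with no note on its expected shape, while the code that consumes it two files away splits it on commas and matches the pieces against group display names. A comment at the assignment would spare the next reader that trip: `# Comma-separated group display names to exclude from the assignment; resolved to group IDs in Set-CIPPAssignedPolicy`. Whether the client can ever send this as something other than a string is not visible from this hunk. Invoke-AddPolicy begins before line 18 and continues past the second hunk.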

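--- a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
@@ -2,17 +2,16 @@ function Set-CIPPAssignedPolicy {
 [CmdletBinding(SupportsShouldProcess = $true)]
 param(
 $GroupName,
-$excludeGroup,
+$ExcludeGroup,
 $PolicyId,
 $Type,
 $TenantFilter,
-$PlatformType,
+$PlatformType = 'deviceManagement',
 $APIName = 'Assign Policy',
 $Headers
 )
-if (!$PlatformType) {
-$PlatformType = 'deviceManagement'
-}
+
+Write-Host "Assigning policy $PolicyId ($PlatformType/$Type) to $GroupName"
 
 try {
 $assignmentsList = New-Object System.Collections.Generic.List[System.Object]
@@ -74,8 +73,9 @@ function Set-CIPPAssignedPolicy {
 }
 }
 }
-if ($excludeGroup) {
-$ExcludeGroupNames = $excludeGroup.Split(',')
+if ($ExcludeGroup) {
+Write-Host "We're supposed to exclude a custom group. The group is $ExcludeGroup"
+$ExcludeGroupNames = $ExcludeGroup.Split(',')
 $ExcludeGroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter |
 ForEach-Object {
 foreach ($SingleName in $ExcludeGroupNames) {
@@ -104,9 +104,13 @@ function Set-CIPPAssignedPolicy {
 $AssignJSON = $assignmentsObject | ConvertTo-Json -Depth 10 -Compress
 Write-Host "AssignJSON: $AssignJSON"
 if ($PSCmdlet.ShouldProcess($GroupName, "Assigning policy $PolicyId")) {
-Write-Host "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
-$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign" -tenantid $TenantFilter -type POST -body $AssignJSON
-Write-LogMessage -headers $Headers -API $APIName -message "Assigned $GroupName and excluded $excludeGroup to Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+$uri = "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
+$null = New-GraphPOSTRequest -uri $uri -tenantid $TenantFilter -type POST -body $AssignJSON
+if ($ExcludeGroup) {
+Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' and excluded group '$ExcludeGroup' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+} else {
+Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+}
 }
 
 } catch {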
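Review bot: Replacing the `if (!$PlatformType)` guard with a parameter default on line 9 is not equivalent: a default only applies when the argument is omitted, and Set-CIPPIntunePolicy now always passes `-PlatformType $PlatformType`, so an unset value there would reach the URI built on line 107 as an empty path segment rather than falling back to `deviceManagement`. Since this parameter selects which Graph service root the assignment is written to, it is better constrained than defaulted: adding `[ValidateSet('deviceManagement', 'deviceAppManagement')]` above `$PlatformType = 'deviceManagement',` rejects a null, empty or unexpected value at bind time instead of sending a malformed request. Separately, `$ExcludeGroup.Split(',')` on line 78 keeps surrounding whitespace, so `'GroupA, GroupB'` would never match the second display name; `$ExcludeGroup.Split(',').Trim()` avoids that. The function body continues past the last hunk.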

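--- a/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
@@ -6,126 +6,132 @@ function Set-CIPPIntunePolicy {
 $DisplayName,
 $RawJSON,
 $AssignTo,
-$excludeGroup,
+$ExcludeGroup,
 $Headers,
 $APINAME,
 $tenantFilter
 )
 try {
 switch ($TemplateType) {
 'AppProtection' {
+$PlatformType = 'deviceAppManagement'
 $TemplateType = ($RawJSON | ConvertFrom-Json).'@odata.type' -replace '#microsoft.graph.', ''
 $PolicyFile = $RawJSON | ConvertFrom-Json
 $Null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'description' -Value $description -Force
 $null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'displayName' -Value $displayname -Force
 $RawJSON = ConvertTo-Json -InputObject $PolicyFile -Depth 20
 $TemplateTypeURL = if ($TemplateType -eq 'windowsInformationProtectionPolicy') { 'windowsInformationProtectionPolicies' } else { "$($TemplateType)s" }
-$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/$TemplateTypeURL" -tenantid $tenantFilter
+$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
 if ($displayname -in $CheckExististing.displayName) {
 $PostType = 'edited'
 $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
 $CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
 } else {
 $PostType = 'added'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
 }
 }
 'deviceCompliancePolicies' {
+$PlatformType = 'deviceManagement'
 $TemplateTypeURL = 'deviceCompliancePolicies'
-$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
+$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
 $JSON = $RawJSON | ConvertFrom-Json | Select-Object * -ExcludeProperty id, createdDateTime, lastModifiedDateTime, version, '[email protected]', '@odata.context'
 $JSON.scheduledActionsForRule = @($JSON.scheduledActionsForRule | Select-Object * -ExcludeProperty '[email protected]')
 if ($displayname -in $CheckExististing.displayName) {
 $RawJSON = ConvertTo-Json -InputObject ($JSON | Select-Object * -ExcludeProperty 'scheduledActionsForRule') -Depth 20 -Compress
 $PostType = 'edited'
 $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Updated policy $($DisplayName) to template defaults" -Sev 'info'
 $CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
 } else {
 $RawJSON = ConvertTo-Json -InputObject $JSON -Depth 20 -Compress
 $PostType = 'added'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
 }
 }
 'Admin' {
+$PlatformType = 'deviceManagement'
 $TemplateTypeURL = 'groupPolicyConfigurations'
 $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}'
-$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
+$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
 if ($displayname -in $CheckExististing.displayName) {
 $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
-$ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($ExistingID.id)')/definitionValues" -tenantid $tenantFilter
+$ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($ExistingID.id)')/definitionValues" -tenantid $tenantFilter
 $DeleteJson = $RawJSON | ConvertFrom-Json -Depth 10
 $DeleteJson.deletedIds = @($ExistingData.id)
 $DeleteJson.added = @()
 $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson
-$DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $DeleteJson
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
+$DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $DeleteJson
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
 $CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Updated policy $($Displayname) to template defaults" -Sev 'info'
 $PostType = 'edited'
 } else {
 $PostType = 'added'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $CreateBody
-$UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $CreateBody
+$UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($Displayname) to template defaults" -Sev 'info'
 
 }
 }
 'Device' {
+$PlatformType = 'deviceManagement'
 $TemplateTypeURL = 'deviceConfigurations'
 $PolicyFile = $RawJSON | ConvertFrom-Json
 $Null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'description' -Value "$description" -Force
 $null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'displayName' -Value $displayname -Force
-$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
+$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
 $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName | Select-Object -Last 1
 $PolicyFile = $policyFile | Select-Object * -ExcludeProperty 'featureUpdatesWillBeRolledBack', 'qualityUpdatesWillBeRolledBack', 'qualityUpdatesPauseStartDate', 'featureUpdatesPauseStartDate'
 $RawJSON = ConvertTo-Json -InputObject $PolicyFile -Depth 100 -Compress
 if ($ExistingID) {
 $PostType = 'edited'
 Write-Host "Raw JSON is $RawJSON"
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
 $CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Updated policy $($DisplayName) to template defaults" -Sev 'info'
 } else {
 $PostType = 'added'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
 
 }
 }
 'Catalog' {
+$PlatformType = 'deviceManagement'
 $TemplateTypeURL = 'configurationPolicies'
 $DisplayName = ($RawJSON | ConvertFrom-Json).Name
-$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
+$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
 if ($DisplayName -in $CheckExististing.name) {
 $ExistingID = $CheckExististing | Where-Object -Property Name -EQ $DisplayName
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
 $CreateRequest = $CheckExististing | Where-Object -Property Name -EQ $DisplayName
 $PostType = 'edited'
 } else {
 $PostType = 'added'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
 }
 }
 'windowsDriverUpdateProfiles' {
+$PlatformType = 'deviceManagement'
 $TemplateTypeURL = 'windowsDriverUpdateProfiles'
 $File = ($RawJSON | ConvertFrom-Json)
 $DisplayName = $File.displayName ?? $File.Name
-$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
+$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
 if ($DisplayName -in $CheckExististing.displayName) {
 $PostType = 'edited'
 $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
 Write-Host 'We are editing'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
 $CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
 
 } else {
 $PostType = 'added'
-$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
+$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
 Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
 }
 }
@@ -136,7 +142,7 @@ function Set-CIPPIntunePolicy {
 Write-Host "Assigning policy to $($AssignTo) with ID $($CreateRequest.id) and type $TemplateTypeURL for tenant $tenantFilter"
 Write-Host "ID is $($CreateRequest.id)"
 
-Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenantFilter -excludeGroup $excludeGroup
+Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -PlatformType $PlatformType -Type $TemplateTypeURL -TenantFilter $tenantFilter -ExcludeGroup $ExcludeGroup
 }
 return "Successfully $($PostType) policy for $($tenantFilter) with display name $($Displayname)"
 } catch {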
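Review bot: `$PlatformType = 'deviceManagement'` is repeated in five of the six switch branches (new lines 36, 56, 81, 104 and 120) and only the 'AppProtection' branch on line 17 differs; setting `$PlatformType = 'deviceManagement'` once on the line before `switch ($TemplateType) {` and keeping only the 'AppProtection' override reads better and removes the chance that a future branch forgets it. It would also guarantee that the `-PlatformType $PlatformType` argument on line 145 carries a value for any template type the switch does not name; whether a default branch exists is not visible here, since lines 138–141 fall between the two hunks. The function's closing lines are outside the second hunk.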
