feat: vacation mode exclusions from audit log rules

JohnDuprey · JohnDuprey · commit 6a5801843dfb · 2025-11-20T14:07:35.000-05:00
excluding a user from a location based CA policy will now allow you to exclude the user from a location based audit log rule fixes KelvinTegelaar/CIPP#4965
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecCAExclusion.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecCAExclusion.ps1
@@ -18,6 +18,7 @@ function Invoke-ExecCAExclusion {
         $EndDate = $Request.Body.EndDate
         $PolicyId = $Request.Body.PolicyId
         $ExclusionType = $Request.Body.ExclusionType
+        $ExcludeLocationAuditAlerts = $Request.Body.excludeLocationAuditAlerts
 
         if ($Users) {
             $UserID = $Users.value
@@ -61,6 +62,12 @@ function Invoke-ExecCAExclusion {
         if ($Request.Body.vacation -eq 'true') {
             $StartDate = $Request.Body.StartDate
             $EndDate = $Request.Body.EndDate
+            # Detect if policy targets specific named locations (GUIDs) and user requested audit log exclusion
+            $GuidRegex = '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
+            $LocationIds = @()
+            if ($Policy.conditions.locations.includeLocations) { $LocationIds += $Policy.conditions.locations.includeLocations }
+            if ($Policy.conditions.locations.excludeLocations) { $LocationIds += $Policy.conditions.locations.excludeLocations }
+            $PolicyHasGuidLocations = $LocationIds | Where-Object { $_ -match $GuidRegex }
 
             $Parameters = [PSCustomObject]@{
                 GroupType = 'Security'
@@ -82,6 +89,18 @@ function Invoke-ExecCAExclusion {
             Write-Information ($TaskBody | ConvertTo-Json -Depth 10)
 
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false
+            # Optional: schedule audit log exclusion add task if requested and policy has location GUIDs
+            if ($ExcludeLocationAuditAlerts -and $PolicyHasGuidLocations) {
+                $AuditUsers = $Users.addedFields.userPrincipalName ?? $Users.value ?? $Users ?? $UserID
+                $AuditAddTask = [pscustomobject]@{
+                    TenantFilter  = $TenantFilter
+                    Name          = "Add Audit Log Location Exclusion: $PolicyName"
+                    Command       = @{ value = 'Set-CIPPAuditLogUserExclusion'; label = 'Set-CIPPAuditLogUserExclusion' }
+                    Parameters    = [pscustomobject]@{ Users = $AuditUsers; Action = 'Add'; Type = 'Location' }
+                    ScheduledTime = $StartDate
+                }
+                Add-CIPPScheduledTask -Task $AuditAddTask -hidden $true
+            }
             #Removal of the exclusion
             $TaskBody.Command = @{
                 label = 'Remove-CIPPGroupMember'
@@ -90,6 +109,17 @@ function Invoke-ExecCAExclusion {
             $TaskBody.Name = "Remove CA Exclusion Vacation Mode: $PolicyName"
             $TaskBody.ScheduledTime = $EndDate
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false
+            if ($ExcludeLocationAuditAlerts -and $PolicyHasGuidLocations) {
+                $AuditUsers = $Users.addedFields.userPrincipalName ?? $Users.value ?? $Users ?? $UserID
+                $AuditRemoveTask = [pscustomobject]@{
+                    TenantFilter  = $TenantFilter
+                    Name          = "Remove Audit Log Location Exclusion: $PolicyName"
+                    Command       = @{ value = 'Set-CIPPAuditLogUserExclusion'; label = 'Set-CIPPAuditLogUserExclusion' }
+                    Parameters    = [pscustomobject]@{ Users = $AuditUsers; Action = 'Remove'; Type = 'Location' }
+                    ScheduledTime = $EndDate
+                }
+                Add-CIPPScheduledTask -Task $AuditRemoveTask -hidden $true
+            }
             $body = @{ Results = "Successfully added vacation mode schedule for $Username." }
         } else {
             $Parameters = @{
diff --git a/Modules/CIPPCore/Public/Set-CIPPAuditLogUserExclusion.ps1 b/Modules/CIPPCore/Public/Set-CIPPAuditLogUserExclusion.ps1
@@ -0,0 +1,66 @@
+function Set-CIPPAuditLogUserExclusion {
+    <#
+    .SYNOPSIS
+        Sets user exclusions for Audit Log alerting.
+    .DESCRIPTION
+        This function allows you to add or remove user exclusions for Audit Log alerting in a specified tenant
+        by updating the AuditLogUserExclusions CIPP table.
+    .PARAMETER TenantFilter
+        The tenant identifier for which to set the user exclusions.
+    .PARAMETER Users
+        An array of user identifiers (GUIDs or UPNs) to be added or removed from the exclusion list.
+    .PARAMETER Action
+        The action to perform: 'Add' to add users to the exclusion list, 'Remove' to remove users from the exclusion list.
+    .PARAMETER Headers
+        The headers to include in the request, typically containing authentication tokens. This is supplied automatically by the API.
+    #>
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [Parameter(Mandatory = $true)]
+        [string[]]$Users,
+        [ValidateSet('Add', 'Remove')]
+        [string]$Action = 'Add',
+        [ValidateSet('Location')]
+        [string]$Type = 'Location',
+        $Headers
+    )
+
+    $AuditLogExclusionsTable = Get-CIPPTable -tablename 'AuditLogUserExclusions'
+    $ExistingEntries = Get-CIPPAzDataTableEntity @AuditLogExclusionsTable -Filter "PartitionKey eq '$TenantFilter'"
+
+    $Results = foreach ($User in $Users) {
+        if ($Action -eq 'Add') {
+            $ExistingUser = $ExistingEntries | Where-Object { $_.RowKey -eq $User -and $_.PartitionKey -eq $TenantFilter -and $_.Type -eq $Type }
+            if (!$ExistingUser) {
+                $NewEntry = [PSCustomObject]@{
+                    PartitionKey = $TenantFilter
+                    RowKey       = $User
+                    ExcludedOn   = (Get-Date).ToString('o')
+                    Type         = $Type
+                }
+                if ($PSCmdlet.ShouldProcess("Adding exclusion for user: $User")) {
+                    Add-CIPPAzDataTableEntity @AuditLogExclusionsTable -Entity $NewEntry
+                    "Added audit log exclusion for user: $User"
+                    Write-LogMessage -headers $Headers -API 'Set-CIPPAuditLogUserExclusion' -message "Added audit log exclusion for user: $User" -Sev 'Info' -tenant $TenantFilter -LogData $NewEntry
+                }
+            } else {
+                "User $User is already excluded."
+            }
+        } elseif ($Action -eq 'Remove') {
+            if ($ExistingEntries.RowKey -contains $User) {
+                if ($PSCmdlet.ShouldProcess("Removing exclusion for user: $User")) {
+                    $Entity = $ExistingEntries | Where-Object { $_.RowKey -eq $User -and $_.PartitionKey -eq $TenantFilter -and $_.Type -eq $Type }
+                    Remove-AzDataTableEntity @AuditLogExclusionsTable -Entity $Entity
+                    Write-LogMessage -headers $Headers -API 'Set-CIPPAuditLogUserExclusion' -message "Removed audit log exclusion for user: $User" -Sev 'Info' -tenant $TenantFilter -LogData $Entity
+                    "Removed audit log exclusion for user: $User"
+                }
+            } else {
+                "User $User is not in the exclusion list."
+            }
+        }
+    }
+    return @($Results)
+}
+
diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
@@ -185,6 +185,9 @@ function Test-CIPPAuditLogRules {
             throw $_
         }
 
+        $AuditLogUserExclusions = Get-CIPPTable -TableName 'AuditLogUserExclusions'
+        $ExcludedUsers = Get-CIPPAzDataTableEntity @AuditLogUserExclusions -Filter "PartitionKey eq '$TenantFilter'"
+
         if ($LogCount -gt 0) {
             $LocationTable = Get-CIPPTable -TableName 'knownlocationdbv2'
             $ProcessedData = foreach ($AuditRecord in $SearchResults) {
@@ -341,6 +344,13 @@ function Test-CIPPAuditLogRules {
                         if ($condition.Property.label -eq 'CIPPGeoLocation' -and !$AddedLocationCondition) {
                             $conditionStrings.Add("`$_.HasLocationData -eq `$true")
                             $CIPPClause.Add('HasLocationData is true')
+                            $ExcludedUsers = $ExcludedUsers | Where-Object { $_.Type -eq 'Location' }
+                            # Build single -notin condition against all excluded user keys
+                            $ExcludedUserKeys = @($ExcludedUsers.RowKey)
+                            if ($ExcludedUserKeys.Count -gt 0) {
+                                $conditionStrings.Add("`$(`$_.CIPPUserKey) -notin @('$($ExcludedUserKeys -join "', '")')")
+                                $CIPPClause.Add("CIPPUserKey not in [$($ExcludedUserKeys -join ', ')]")
+                            }
                             $AddedLocationCondition = $true
                         }
                         $value = if ($condition.Input.value -is [array]) {
