Feat: Add support for assigning apps to custom groups

kris6673 · kris6673 · commit 74647435c259 · 2025-11-24T23:17:37.000+01:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Applications/Invoke-ExecAssignApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Applications/Invoke-ExecAssignApp.ps1
@@ -1,4 +1,4 @@
-Function Invoke-ExecAssignApp {
+function Invoke-ExecAssignApp {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -16,37 +16,91 @@ Function Invoke-ExecAssignApp {
     $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
     $appFilter = $Request.Query.ID ?? $Request.Body.ID
     $AssignTo = $Request.Query.AssignTo ?? $Request.Body.AssignTo
-    $AssignBody = switch ($AssignTo) {
+    $Intent = $Request.Query.Intent ?? $Request.Body.Intent
+    $AppType = $Request.Query.AppType ?? $Request.Body.AppType
+    $GroupNamesRaw = $Request.Query.GroupNames ?? $Request.Body.GroupNames
+    $GroupIdsRaw = $Request.Query.GroupIds ?? $Request.Body.GroupIds
+    $AssignmentMode = $Request.Query.AssignmentMode ?? $Request.Body.AssignmentMode
 
-        'AllUsers' {
-            @'
-{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"},"intent":"Required","settings":null}]}
-'@
+    $Intent = if ([string]::IsNullOrWhiteSpace($Intent)) { 'Required' } else { $Intent }
+
+    if ([string]::IsNullOrWhiteSpace($AssignmentMode)) {
+        $AssignmentMode = 'replace'
+    } else {
+        $AssignmentMode = $AssignmentMode.ToLower()
+        if ($AssignmentMode -notin @('replace', 'append')) {
+            throw "Unsupported AssignmentMode value '$AssignmentMode'. Valid options are 'replace' or 'append'."
         }
+    }
+
+    function Get-StandardizedAssignmentList {
+        param($InputObject)
 
-        'AllDevices' {
-            @'
-{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"},"intent":"Required","settings":null}]}
-'@
+        if ($null -eq $InputObject -or ($InputObject -is [string] -and [string]::IsNullOrWhiteSpace($InputObject))) {
+            return @()
+        }
+        if ($InputObject -is [string]) {
+            return ($InputObject -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+        }
+        if ($InputObject -is [System.Collections.IEnumerable]) {
+            return @($InputObject | Where-Object { $_ })
         }
+        return @($InputObject)
+    }
+
+    $GroupNames = Get-StandardizedAssignmentList -InputObject $GroupNamesRaw
+    $GroupIds = Get-StandardizedAssignmentList -InputObject $GroupIdsRaw
+
+    if (-not $AssignTo -and $GroupIds.Count -eq 0 -and $GroupNames.Count -eq 0) {
+        throw 'No assignment target provided. Supply AssignTo, GroupNames, or GroupIds.'
+    }
 
-        'Both' {
-            @'
-{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"},"intent":"Required","settings":null},{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"},"intent":"Required","settings":null}]}
-'@
+    # Try to get the application type if not provided. Mostly just useful for ppl using the API that dont know the application type.
+    if (-not $AppType) {
+        try {
+            $AppMetadata = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appFilter?`$select=id,@odata.type" -tenantid $TenantFilter
+            $odataType = $AppMetadata.'@odata.type'
+            if ($odataType) {
+                $AppType = ($odataType -replace '#microsoft.graph.', '') -replace 'App$'
+            }
+        } catch {
+            Write-Warning "Unable to resolve application type for $appFilter. Continuing without assignment settings."
         }
+    }
+
+    $targetLabel = if ($AssignTo) {
+        $AssignTo
+    } elseif ($GroupNames.Count -gt 0) {
+        ($GroupNames -join ', ')
+    } elseif ($GroupIds.Count -gt 0) {
+        "GroupIds: $($GroupIds -join ',')"
+    } else {
+        'CustomGroupAssignment'
+    }
+
+    $setParams = @{
+        ApplicationId  = $appFilter
+        TenantFilter   = $TenantFilter
+        Intent         = $Intent
+        APIName        = $APIName
+        Headers        = $Headers
+        GroupName      = ($AssignTo ? $AssignTo : $targetLabel)
+        AssignmentMode = $AssignmentMode
+    }
 
+    if ($AppType) {
+        $setParams.AppType = $AppType
     }
+
+    if ($GroupIds.Count -gt 0) {
+        $setParams.GroupIds = $GroupIds
+    }
+
     try {
-        $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appFilter/assign" -tenantid $TenantFilter -body $AssignBody
-        $Result = "Successfully assigned app $($appFilter) to $($AssignTo)"
-        Write-LogMessage -headers $Headers -API $APIName -tenant $($TenantFilter) -message $Result -Sev Info
+        $Result = Set-CIPPAssignedApplication @setParams
         $StatusCode = [HttpStatusCode]::OK
-
     } catch {
-        $ErrorMessage = Get-CippException -Exception $_
-        $Result = "Failed to assign app $($appFilter) to $($AssignTo). Error: $($ErrorMessage.NormalizedError)"
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev 'Error' -LogData $ErrorMessage
+        $Result = $_.Exception.Message
         $StatusCode = [HttpStatusCode]::InternalServerError
     }
 
diff --git a/Modules/CIPPCore/Public/Set-CIPPAssignedApplication.ps1 b/Modules/CIPPCore/Public/Set-CIPPAssignedApplication.ps1
@@ -6,11 +6,36 @@ function Set-CIPPAssignedApplication {
         $AppType,
         $ApplicationId,
         $TenantFilter,
+        $GroupIds,
+        $AssignmentMode = 'replace',
         $APIName = 'Assign Application',
         $Headers
     )
     Write-Host "GroupName: $GroupName Intent: $Intent AppType: $AppType ApplicationId: $ApplicationId TenantFilter: $TenantFilter APIName: $APIName"
     try {
+        $assignmentSettings = $null
+        if ($AppType) {
+            $assignmentSettings = @{
+                '@odata.type' = "#microsoft.graph.$($AppType)AppAssignmentSettings"
+            }
+
+            switch ($AppType) {
+                'Win32Lob' {
+                    $assignmentSettings.notifications = 'hideAll'
+                }
+                'WinGet' {
+                    $assignmentSettings.notifications = 'hideAll'
+                }
+                'macOsVpp' {
+                    $assignmentSettings.useDeviceLicensing = $true
+                }
+                default {
+                    # No additional settings
+                }
+            }
+        }
+
+        # Build the assignment object
         $MobileAppAssignment = switch ($GroupName) {
             'AllUsers' {
                 @(@{
@@ -19,12 +44,7 @@ function Set-CIPPAssignedApplication {
                             '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
                         }
                         intent        = $Intent
-                        settings      = @{
-                            '@odata.type'       = "#microsoft.graph.$($appType)AppAssignmentSettings"
-                            notifications       = 'hideAll'
-                            installTimeSettings = $null
-                            restartSettings     = $null
-                        }
+                        settings      = $assignmentSettings
                     })
                 break
             }
@@ -35,12 +55,7 @@ function Set-CIPPAssignedApplication {
                             '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
                         }
                         intent        = $Intent
-                        settings      = @{
-                            '@odata.type'       = "#microsoft.graph.$($appType)AppAssignmentSettings"
-                            notifications       = 'hideAll'
-                            installTimeSettings = $null
-                            restartSettings     = $null
-                        }
+                        settings      = $assignmentSettings
                     })
                 break
             }
@@ -52,71 +67,110 @@ function Set-CIPPAssignedApplication {
                             '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
                         }
                         intent        = $Intent
-                        settings      = @{
-                            '@odata.type'       = "#microsoft.graph.$($appType)AppAssignmentSettings"
-                            notifications       = 'hideAll'
-                            installTimeSettings = $null
-                            restartSettings     = $null
-                        }
+                        settings      = $assignmentSettings
                     },
                     @{
                         '@odata.type' = '#microsoft.graph.mobileAppAssignment'
                         target        = @{
                             '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
                         }
                         intent        = $Intent
-                        settings      = @{
-                            '@odata.type'       = "#microsoft.graph.$($appType)AppAssignmentSettings"
-                            notifications       = 'hideAll'
-                            installTimeSettings = $null
-                            restartSettings     = $null
-                        }
+                        settings      = $assignmentSettings
                     }
                 )
             }
             default {
-                $GroupNames = $GroupName.Split(',')
-                $GroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $TenantFilter | ForEach-Object {
-                    $Group = $_
-                    foreach ($SingleName in $GroupNames) {
-                        if ($_.displayname -like $SingleName) {
-                            $group.id
+                $resolvedGroupIds = @()
+                if ($PSBoundParameters.ContainsKey('GroupIds') -and $GroupIds) {
+                    $resolvedGroupIds = $GroupIds
+                } else {
+                    $GroupNames = $GroupName.Split(',')
+                    $resolvedGroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $TenantFilter | ForEach-Object {
+                        $Group = $_
+                        foreach ($SingleName in $GroupNames) {
+                            if ($_.displayName -like $SingleName) {
+                                $group.id
+                            }
                         }
                     }
+                    Write-Information "found $($resolvedGroupIds) groups"
+                }
+
+                # We ain't found nothing so we panic
+                if (-not $resolvedGroupIds) {
+                    throw 'No matching groups resolved for assignment request.'
                 }
-                Write-Information "found $($GroupIds) groups"
-                foreach ($Group in $GroupIds) {
+
+                foreach ($Group in $resolvedGroupIds) {
                     @{
                         '@odata.type' = '#microsoft.graph.mobileAppAssignment'
                         target        = @{
                             '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                             groupId       = $Group
                         }
                         intent        = $Intent
-                        settings      = @{
-                            '@odata.type'       = "#microsoft.graph.$($appType)AppAssignmentSettings"
-                            notifications       = 'hideAll'
-                            installTimeSettings = $null
-                            restartSettings     = $null
-                        }
+                        settings      = $assignmentSettings
                     }
                 }
             }
         }
+
+        # If we're appending, we need to get existing assignments
+        if ($AssignmentMode -eq 'append') {
+            try {
+                $ExistingAssignments = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($ApplicationId)/assignments" -tenantid $TenantFilter
+            } catch {
+                Write-Warning "Unable to retrieve existing assignments for $ApplicationId. Proceeding with new assignments only. Error: $($_.Exception.Message)"
+                $ExistingAssignments = @()
+            }
+        }
+
+        # Deduplicate current assignments so the new ones override existing ones
+        if ($ExistingAssignments) {
+            $ExistingAssignments = $ExistingAssignments | ForEach-Object {
+                if ($_.target.groupId -notin $MobileAppAssignment.target.groupId) {
+                    $_
+                }
+            }
+        }
+
+        $FinalAssignments = [System.Collections.Generic.List[object]]::new()
+        if ($AssignmentMode -eq 'append' -and $ExistingAssignments) {
+            $ExistingAssignments | ForEach-Object {
+                $FinalAssignments.Add(@{
+                        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
+                        target        = $_.target
+                        intent        = $_.intent
+                        settings      = $_.settings
+                    })
+            }
+
+            $MobileAppAssignment | ForEach-Object {
+                $FinalAssignments.Add(@{
+                        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
+                        target        = $_.target
+                        intent        = $_.intent
+                        settings      = $_.settings
+                    })
+            }
+        } else {
+            $FinalAssignments = $MobileAppAssignment
+        }
+
         $DefaultAssignmentObject = [PSCustomObject]@{
             mobileAppAssignments = @(
-                $MobileAppAssignment
+                $FinalAssignments
             )
         }
         if ($PSCmdlet.ShouldProcess($GroupName, "Assigning Application $ApplicationId")) {
             Start-Sleep -Seconds 1
             $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($ApplicationId)/assign" -tenantid $TenantFilter -type POST -body ($DefaultAssignmentObject | ConvertTo-Json -Compress -Depth 10)
-            Write-LogMessage -headers $Headers -API $APIName -message "Assigned Application to $($GroupName)" -Sev 'Info' -tenant $TenantFilter
+            Write-LogMessage -headers $Headers -API $APIName -message "Assigned Application $ApplicationId to $($GroupName)" -Sev 'Info' -tenant $TenantFilter
         }
-        return "Assigned Application to $($GroupName)"
+        return "Assigned Application $ApplicationId to $($GroupName)"
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        Write-LogMessage -headers $Headers -API $APIName -message "Could not assign application to $GroupName. Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
-        return "Could not assign application to $GroupName. Error: $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -message "Could not assign application $ApplicationId to $GroupName. Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
+        throw "Could not assign application $ApplicationId to $GroupName. Error: $($ErrorMessage.NormalizedError)"
     }
 }
