Skip to content

Commit 8d103ea

Browse files
JohnDupreyJohnDuprey
committed
Refactor CA exclusion to use vacation security group
Updates the CA exclusion logic to create or use a dedicated 'CIPP-Vacation' security group per policy, and schedules group membership changes for vacation mode. The scheduled tasks now add or remove users from the vacation group instead of directly modifying policy exclusions.
1 parent 5d93e5e commit 8d103ea

File tree

1 file changed

+30
-12
lines changed

1 file changed

+30
-12
lines changed

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecCAExclusion.ps1

Lines changed: 30 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -28,34 +28,49 @@ function Invoke-ExecCAExclusion {
2828
}
2929
}
3030

31-
$Policy = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)?`$select=id,displayName" -tenantid $TenantFilter -asApp $true
31+
$Policy = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)?`$select=id,displayName,conditions" -tenantid $TenantFilter -asApp $true
3232

3333
if (-not $Policy) {
3434
throw "Policy with ID $PolicyId not found in tenant $TenantFilter."
3535
}
3636

37+
$SecurityGroups = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/groups?`$select=id,displayName&`$filter=securityEnabled eq true and mailEnabled eq false&`$count=true" -tenantid $TenantFilter
38+
$VacationGroup = $SecurityGroups | Where-Object { $_.displayName -contains "CIPP-Vacation-$($Policy.displayName)" }
39+
40+
if (!$VacationGroup) {
41+
Write-Information "Creating vacation group: CIPP-Vacation-$($Policy.displayName)"
42+
$GroupObject = @{
43+
displayName = "CIPP-Vacation-$($Policy.displayName)"
44+
securityEnabled = $true
45+
}
46+
$NewGroup = New-CIPPGroup -GroupObject $GroupObject -TenantFilter $TenantFilter -APIName 'Invoke-ExecCAExclusion'
47+
$GroupId = $NewGroup.GroupId
48+
} else {
49+
Write-Information "Using existing vacation group: $($VacationGroup.displayName)"
50+
$GroupId = $VacationGroup.id
51+
}
52+
53+
if ($Policy.conditions.users.excludeGroups -notcontains $GroupId) {
54+
Set-CIPPCAExclusion -TenantFilter $TenantFilter -ExclusionType 'Add' -PolicyId $PolicyId -Groups @{ value = @($GroupId); addedFields = @{ displayName = @("CIPP-Vacation-$($Policy.displayName)") } } -Headers $Headers
55+
}
56+
3757
$PolicyName = $Policy.displayName
3858
if ($Request.Body.vacation -eq 'true') {
3959
$StartDate = $Request.Body.StartDate
4060
$EndDate = $Request.Body.EndDate
4161

4262
$Parameters = [PSCustomObject]@{
43-
ExclusionType = 'Add'
44-
PolicyId = $PolicyId
45-
}
46-
47-
if ($Users) {
48-
$Parameters | Add-Member -NotePropertyName Users -NotePropertyValue $Users
49-
} else {
50-
$Parameters | Add-Member -NotePropertyName UserID -NotePropertyValue $UserID
63+
GroupType = 'Security'
64+
GroupId = $GroupId
65+
Member = $Users.addedFields.userPrincipalName ?? $Users.value ?? $Users ?? $UserID
5166
}
5267

5368
$TaskBody = [pscustomobject]@{
5469
TenantFilter = $TenantFilter
5570
Name = "Add CA Exclusion Vacation Mode: $PolicyName"
5671
Command = @{
57-
value = 'Set-CIPPCAExclusion'
58-
label = 'Set-CIPPCAExclusion'
72+
value = 'Add-CIPPGroupMember'
73+
label = 'Add-CIPPGroupMember'
5974
}
6075
Parameters = [pscustomobject]$Parameters
6176
ScheduledTime = $StartDate
@@ -65,7 +80,10 @@ function Invoke-ExecCAExclusion {
6580

6681
Add-CIPPScheduledTask -Task $TaskBody -hidden $false
6782
#Removal of the exclusion
68-
$TaskBody.Parameters.ExclusionType = 'Remove'
83+
$TaskBody.Command = @{
84+
label = 'Remove-CIPPGroupMember'
85+
value = 'Remove-CIPPGroupMember'
86+
}
6987
$TaskBody.Name = "Remove CA Exclusion Vacation Mode: $PolicyName"
7088
$TaskBody.ScheduledTime = $EndDate
7189
Add-CIPPScheduledTask -Task $TaskBody -hidden $false

0 commit comments

Comments
 (0)