Merge pull request #553 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Add-CIPPGroupMember.ps1

@@ -1,27 +1,102 @@
-function Add-CIPPGroupMember(
-    $Headers,
-    [string]$GroupType,
-    [string]$GroupId,
-    [string]$Member,
-    [string]$TenantFilter,
-    [string]$APIName = 'Add Group Member'
-) {
+function Add-CIPPGroupMember {
+    <#
+    .SYNOPSIS
+    Adds one or more members to a specified group in Microsoft Graph.
+
+    .DESCRIPTION
+    This function adds one or more members to a specified group in Microsoft Graph, supporting different group types such as Distribution lists and Mail-Enabled Security groups.
+
+    .PARAMETER Headers
+    The headers to include in the request, typically containing authentication tokens. This is supplied automatically by the API
+
+    .PARAMETER GroupType
+    The type of group to which the member is being added, such as Security, Distribution list or Mail-Enabled Security.
+
+    .PARAMETER GroupId
+    The unique identifier of the group to which the member will be added.
+
+    .PARAMETER Member
+    An array of members to add to the group.
+
+    .PARAMETER TenantFilter
+    The tenant identifier to filter the request.
+
+    .PARAMETER APIName
+    The name of the API operation being performed. Defaults to 'Add Group Member'.
+    #>
+    [CmdletBinding()]
+    param(
+        $Headers,
+        [string]$GroupType,
+        [string]$GroupId,
+        [string[]]$Member,
+        [string]$TenantFilter,
+        [string]$APIName = 'Add Group Member'
+    )
     try {
         if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
-        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Member)" -tenantid $TenantFilter).id
-        $AddMemberBody = "{ `"[email protected]`": $(ConvertTo-Json @($MemberIDs)) }"
+        $ODataBindString = 'https://graph.microsoft.com/v1.0/directoryObjects/{0}'
+        $Requests = foreach ($m in $Member) {
+            @{
+                id     = $m
+                url    = "users/$($m)?`$select=id,userPrincipalName"
+                method = 'GET'
+            }
+        }
+        $Users = New-GraphBulkRequest -Requests @($Requests) -tenantid $TenantFilter
+
         if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') {
-            $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true }
-            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true
+            $ExoBulkRequests = [System.Collections.Generic.List[object]]::new()
+            $ExoLogs = [System.Collections.Generic.List[object]]::new()
+
+            foreach ($User in $Users) {
+                $Params = @{ Identity = $GroupId; Member = $User.body.userPrincipalName; BypassSecurityGroupManagerCheck = $true }
+                $ExoBulkRequests.Add(@{
+                        CmdletInput = @{
+                            CmdletName = 'Add-DistributionGroupMember'
+                            Parameters = $Params
+                        }
+                    })
+                $ExoLogs.Add(@{
+                        message = "Added member $($User.body.userPrincipalName) to $($GroupId) group"
+                        target  = $User.body.userPrincipalName
+                    })
+            }
+
+            if ($ExoBulkRequests.Count -gt 0) {
+                $RawExoRequest = New-ExoBulkRequest -tenantid $TenantFilter -cmdletArray @($ExoBulkRequests)
+                $LastError = $RawExoRequest | Select-Object -Last 1
+
+                foreach ($ExoError in $LastError.error) {
+                    Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $ExoError -Sev 'Error'
+                    throw $ExoError
+                }
+
+                foreach ($ExoLog in $ExoLogs) {
+                    $ExoError = $LastError | Where-Object { $ExoLog.target -in $_.target -and $_.error }
+                    if (!$LastError -or ($LastError.error -and $LastError.target -notcontains $ExoLog.target)) {
+                        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $ExoLog.message -Sev 'Info'
+                    }
+                }
+            }
         } else {
+            $MemberIDs = foreach ($User in $Users) {
+                $ODataBindString -f $User.body.id
+            }
+            $AddMembers = @{
+                '[email protected]' = @($MemberIDs)
+            }
+            $AddMemberBody = ConvertTo-Json -InputObject $AddMembers
             $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $AddMemberBody -Verbose
         }
-        $Results = "Successfully added user $($Member) to $($GroupId)."
+        $UserList = ($Users.body.userPrincipalName -join ', ')
+        $Results = "Successfully added user $UserList to $($GroupId)."
         Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'Info'
         return $Results
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        $Results = "Failed to add user $($Member) to $($GroupId) - $($ErrorMessage.NormalizedError)"
+        $UserList = if ($Users) { ($Users.body.userPrincipalName -join ', ') } else { ($Member -join ', ') }
+        $Results = "Failed to add user $UserList to $($GroupId) - $($ErrorMessage.NormalizedError)"
         Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'error' -LogData $ErrorMessage
         throw $Results
     }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-AddScheduledItem.ps1

@@ -37,7 +37,6 @@ function Invoke-AddScheduledItem {
             DesiredStartTime      = $Request.Body.DesiredStartTime
         }
         $Result = Add-CIPPScheduledTask @ScheduledTask
-        Write-LogMessage -headers $Request.Headers -API $APINAME -message $Result -Sev 'Info'
     }
     return ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecCAExclusion.ps1

@@ -28,34 +28,52 @@ function Invoke-ExecCAExclusion {
             }
         }
 
-        $Policy = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)?`$select=id,displayName" -tenantid $TenantFilter -asApp $true
+        $Policy = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)?`$select=id,displayName,conditions" -tenantid $TenantFilter -asApp $true
 
         if (-not $Policy) {
             throw "Policy with ID $PolicyId not found in tenant $TenantFilter."
         }
 
+        $SecurityGroups = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$select=id,displayName&`$filter=securityEnabled eq true and mailEnabled eq false&`$count=true" -tenantid $TenantFilter
+        $VacationGroup = $SecurityGroups | Where-Object { $_.displayName -contains "Vacation Exclusion - $($Policy.displayName)" }
+
+        if (!$VacationGroup) {
+            Write-Information "Creating vacation group: Vacation Exclusion - $($Policy.displayName)"
+            $Guid = [guid]::NewGuid().ToString()
+            $GroupObject = @{
+                groupType       = 'generic'
+                displayName     = "Vacation Exclusion - $($Policy.displayName)"
+                username        = "vacation$Guid"
+                securityEnabled = $true
+            }
+            $NewGroup = New-CIPPGroup -GroupObject $GroupObject -TenantFilter $TenantFilter -APIName 'Invoke-ExecCAExclusion'
+            $GroupId = $NewGroup.GroupId
+        } else {
+            Write-Information "Using existing vacation group: $($VacationGroup.displayName)"
+            $GroupId = $VacationGroup.id
+        }
+
+        if ($Policy.conditions.users.excludeGroups -notcontains $GroupId) {
+            Set-CIPPCAExclusion -TenantFilter $TenantFilter -ExclusionType 'Add' -PolicyId $PolicyId -Groups @{ value = @($GroupId); addedFields = @{ displayName = @("CIPP-Vacation-$($Policy.displayName)") } } -Headers $Headers
+        }
+
         $PolicyName = $Policy.displayName
         if ($Request.Body.vacation -eq 'true') {
             $StartDate = $Request.Body.StartDate
             $EndDate = $Request.Body.EndDate
 
             $Parameters = [PSCustomObject]@{
-                ExclusionType = 'Add'
-                PolicyId      = $PolicyId
-            }
-
-            if ($Users) {
-                $Parameters | Add-Member -NotePropertyName Users -NotePropertyValue $Users
-            } else {
-                $Parameters | Add-Member -NotePropertyName UserID -NotePropertyValue $UserID
+                GroupType = 'Security'
+                GroupId   = $GroupId
+                Member    = $Users.addedFields.userPrincipalName ?? $Users.value ?? $Users ?? $UserID
             }
 
             $TaskBody = [pscustomobject]@{
                 TenantFilter  = $TenantFilter
                 Name          = "Add CA Exclusion Vacation Mode: $PolicyName"
                 Command       = @{
-                    value = 'Set-CIPPCAExclusion'
-                    label = 'Set-CIPPCAExclusion'
+                    value = 'Add-CIPPGroupMember'
+                    label = 'Add-CIPPGroupMember'
                 }
                 Parameters    = [pscustomobject]$Parameters
                 ScheduledTime = $StartDate
@@ -65,7 +83,10 @@ function Invoke-ExecCAExclusion {
 
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false
             #Removal of the exclusion
-            $TaskBody.Parameters.ExclusionType = 'Remove'
+            $TaskBody.Command = @{
+                label = 'Remove-CIPPGroupMember'
+                value = 'Remove-CIPPGroupMember'
+            }
             $TaskBody.Name = "Remove CA Exclusion Vacation Mode: $PolicyName"
             $TaskBody.ScheduledTime = $EndDate
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false

Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1

@@ -1,37 +1,125 @@
-function Remove-CIPPGroupMember(
-    $Headers,
-    [string]$GroupType,
-    [string]$GroupId,
-    [string]$Member,
-    [string]$TenantFilter,
-    [string]$APIName = 'Remove Group Member'
-) {
+function Remove-CIPPGroupMember {
+    <#
+    .SYNOPSIS
+    Removes members from a Microsoft 365 group.
+
+    .DESCRIPTION
+    Removes one or more members from Security Groups, Distribution Groups, or Mail-Enabled Security Groups.
+    Uses bulk request operations for Exchange groups to improve performance.
+
+    .PARAMETER Headers
+    The headers for the API request, typically containing authentication information.
+
+    .PARAMETER TenantFilter
+    The tenant identifier for the target tenant.
+
+    .PARAMETER GroupType
+    The type of group. Valid values: 'Distribution list', 'Mail-Enabled Security', or standard security groups.
+
+    .PARAMETER GroupId
+    The unique identifier (GUID or name) of the group.
+
+    .PARAMETER Member
+    An array of member identifiers (user GUIDs or UPNs) to remove from the group.
+
+    .PARAMETER APIName
+    The API operation name for logging purposes. Default: 'Remove Group Member'.
+
+    .EXAMPLE
+    Remove-CIPPGroupMember -Headers $Headers -TenantFilter 'contoso.onmicrosoft.com' -GroupType 'Distribution list' -GroupId 'Sales-DL' -Member @('[email protected]', '[email protected]') -APIName 'Remove DL Members'
+
+    .EXAMPLE
+    Remove-CIPPGroupMember -Headers $Headers -TenantFilter 'contoso.onmicrosoft.com' -GroupType 'Security' -GroupId '12345-guid' -Member @('user1-guid')
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+
+        [Parameter(Mandatory = $true)]
+        [string]$GroupType,
+
+        [Parameter(Mandatory = $true)]
+        [string]$GroupId,
+
+        [Parameter(Mandatory = $true)]
+        [string[]]$Member,
+
+        [Parameter(Mandatory = $false)]
+        [string]$APIName = 'Remove Group Member',
+
+        $Headers
+    )
+
     try {
+        $Requests = foreach ($m in $Member) {
+            if ($m -like '*#EXT#*') { $m = [System.Web.HttpUtility]::UrlEncode($m) }
+            @{
+                id     = $m
+                url    = "users/$($m)?`$select=id,userPrincipalName"
+                method = 'GET'
+            }
+        }
+        $Users = New-GraphBulkRequest -Requests @($Requests) -tenantid $TenantFilter
+
         if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') {
-            $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true }
-            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Remove-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true
+            $ExoBulkRequests = [System.Collections.Generic.List[object]]::new()
+            $ExoLogs = [System.Collections.Generic.List[object]]::new()
+
+            foreach ($User in $Users) {
+                $Params = @{ Identity = $GroupId; Member = $User.body.userPrincipalName; BypassSecurityGroupManagerCheck = $true }
+                $ExoBulkRequests.Add(@{
+                        CmdletInput = @{
+                            CmdletName = 'Remove-DistributionGroupMember'
+                            Parameters = $Params
+                        }
+                    })
+                $ExoLogs.Add(@{
+                        message = "Removed member $($User.body.userPrincipalName) from $($GroupId) group"
+                        target  = $User.body.userPrincipalName
+                    })
+            }
+
+            if ($ExoBulkRequests.Count -gt 0) {
+                $RawExoRequest = New-ExoBulkRequest -tenantid $TenantFilter -cmdletArray @($ExoBulkRequests)
+                $LastError = $RawExoRequest | Select-Object -Last 1
+
+                foreach ($ExoError in $LastError.error) {
+                    Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $ExoError -Sev 'Error'
+                    throw $ExoError
+                }
+
+                foreach ($ExoLog in $ExoLogs) {
+                    $ExoError = $LastError | Where-Object { $ExoLog.target -in $_.target -and $_.error }
+                    if (!$LastError -or ($LastError.error -and $LastError.target -notcontains $ExoLog.target)) {
+                        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $ExoLog.message -Sev 'Info'
+                    }
+                }
+            }
         } else {
-            if ($Member -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
-                Write-Information "Member $Member is a GUID, proceeding with removal."
-            } else {
-                Write-Information "Member $Member is not a GUID, attempting to resolve to object ID."
-                if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
-                $UserObject = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Member)?`$select=id" -tenantid $TenantFilter
-                if ($null -eq $UserObject.id) {
-                    throw "Could not resolve user $Member to an object ID."
+            $RemovalRequests = foreach ($User in $Users) {
+                @{
+                    id     = $User.body.id
+                    method = 'DELETE'
+                    url    = "/groups/$($GroupId)/members/$($User.body.id)/`$ref"
+                }
+            }
+            $RemovalResults = New-GraphBulkRequest -tenantid $TenantFilter -Requests @($RemovalRequests)
+            foreach ($Result in $RemovalResults) {
+                if ($Result.status -ne 204) {
+                    throw "Failed to remove member $($Result.id): $($Result.body.error.message)"
                 }
-                $Member = $UserObject.id
-                Write-Information "Resolved member to object ID: $Member"
             }
-            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)/members/$($Member)/`$ref" -tenantid $TenantFilter -type DELETE -body '{}' -Verbose
         }
-        $Results = "Successfully removed user $($Member) from $($GroupId)."
+        $UserList = ($Users.body.userPrincipalName -join ', ')
+        $Results = "Successfully removed user $UserList from $($GroupId)."
         Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev Info
         return $Results
 
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        $Results = "Failed to remove user $($Member) from $($GroupId): $($ErrorMessage.NormalizedError)"
+        $UserList = if ($Users) { ($Users.body.userPrincipalName -join ', ') } else { ($Member -join ', ') }
+        $Results = "Failed to remove user $UserList from $($GroupId): $($ErrorMessage.NormalizedError)"
         Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev Error -LogData $ErrorMessage
         throw $Results
     }