Public/Add-IntuneWin32AppAssignmentGroup.ps1

function Add-IntuneWin32AppAssignmentGroup {
    <#
    .SYNOPSIS
        Add a group based assignment to a Win32 app.
 
    .DESCRIPTION
        Add a group based assignment to a Win32 app.
 
    .PARAMETER Include
        Specify the Group Mode of the assignment to be Include for the Win32 app.
 
    .PARAMETER Exclude
        Specify the Group Mode of the assignment to be Exclude for the Win32 app.
 
    .PARAMETER ID
        Specify the ID for a Win32 application.
 
    .PARAMETER GroupID
        Specify the ID for an Azure AD group.
 
    .PARAMETER Intent
        Specify the intent of the assignment, either required, available or uninstall.
 
    .PARAMETER Notification
        Specify the notification setting for the assignment of the Win32 app.
 
    .PARAMETER AvailableTime
        Specify a date time object for the availability of the assignment.
 
    .PARAMETER DeadlineTime
        Specify a date time object for the deadline of the assignment.
 
    .PARAMETER UseLocalTime
        Specify to use either UTC of device local time for the assignment, set to 'True' for device local time and 'False' for UTC.
 
    .PARAMETER DeliveryOptimizationPriority
        Specify to download content in the background using default value of 'notConfigured', or set to download in foreground using 'foreground'.
 
    .PARAMETER EnableRestartGracePeriod
        Specify whether Restart Grace Period functionality for this assignment should be configured, additional parameter input using at least RestartGracePeriod and RestartCountDownDisplay is required.
 
    .PARAMETER RestartGracePeriod
        Specify the device restart grace period in minutes.
 
    .PARAMETER RestartCountDownDisplay
        Specify a count in minutes when the restart count down display box is shown.
 
    .PARAMETER RestartNotificationSnooze
        Specify a count in minutes for snoozing the restart notification, if not specified the snooze functionality is now allowed.
 
    .NOTES
        Author: Nickolaj Andersen
        Contact: @NickolajA
        Created: 2020-09-20
        Updated: 2021-08-31
 
        Version history:
        1.0.0 - (2020-09-20) Function created
        1.0.1 - (2021-04-01) Fixed a warning message text that was referencing an incorrect variable
        1.0.2 - (2021-04-01) Updated token expired message to a warning instead of verbose output
        1.0.3 - (2021-08-31) Updated to use new authentication header
    #>

    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [parameter(Mandatory = $true, ParameterSetName = "GroupInclude", HelpMessage = "Specify the Group Mode of the assignment to be Include for the Win32 app.")]
        [switch]$Include,

        [parameter(Mandatory = $true, ParameterSetName = "GroupExclude", HelpMessage = "Specify the Group Mode of the assignment to be Exclude for the Win32 app..")]
        [switch]$Exclude,

        [parameter(Mandatory = $true, ParameterSetName = "GroupInclude", HelpMessage = "Specify the ID for a Win32 application.")]
        [parameter(Mandatory = $true, ParameterSetName = "GroupExclude")]
        [ValidateNotNullOrEmpty()]
        [string]$ID,

        [parameter(Mandatory = $true, ParameterSetName = "GroupInclude", HelpMessage = "Specify the ID for an Azure AD group.")]
        [parameter(Mandatory = $true, ParameterSetName = "GroupExclude")]
        [ValidateNotNullOrEmpty()]
        [string]$GroupID,        

        [parameter(Mandatory = $true, ParameterSetName = "GroupInclude", HelpMessage = "Specify the intent of the assignment, either required, available or uninstall.")]
        [parameter(Mandatory = $true, ParameterSetName = "GroupExclude")]
        [ValidateNotNullOrEmpty()]
        [ValidateSet("required", "available", "uninstall")]
        [string]$Intent,

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify the notification setting for the assignment of the Win32 app.")]
        [ValidateNotNullOrEmpty()]
        [ValidateSet("showAll", "showReboot", "hideAll")]
        [string]$Notification = "showAll",

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify a date time object for the availability of the assignment.")]
        [ValidateNotNullOrEmpty()]
        [datetime]$AvailableTime,

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify a date time object for the deadline of the assignment.")]
        [ValidateNotNullOrEmpty()]
        [datetime]$DeadlineTime,

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify to use either UTC of device local time for the assignment, set to 'True' for device local time and 'False' for UTC.")]
        [ValidateNotNullOrEmpty()]
        [bool]$UseLocalTime = $false,

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify to download content in the background using default value of 'notConfigured', or set to download in foreground using 'foreground'.")]
        [ValidateNotNullOrEmpty()]
        [ValidateSet("notConfigured", "foreground")]
        [string]$DeliveryOptimizationPriority = "notConfigured",

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify whether Restart Grace Period functionality for this assignment should be configured, additional parameter input using at least RestartGracePeriod and RestartCountDownDisplay is required.")]
        [ValidateNotNullOrEmpty()]
        [bool]$EnableRestartGracePeriod = $false,

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify the device restart grace period in minutes.")]
        [ValidateNotNullOrEmpty()]
        [ValidateRange("1", "20160")]
        [int]$RestartGracePeriod = 1440,

        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify a count in minutes when the restart count down display box is shown.")]
        [ValidateNotNullOrEmpty()]
        [ValidateRange("1", "240")]
        [int]$RestartCountDownDisplay = 15,
        
        [parameter(Mandatory = $false, ParameterSetName = "GroupInclude", HelpMessage = "Specify a count in minutes for snoozing the restart notification, if not specified the snooze functionality is now allowed.")]
        [ValidateNotNullOrEmpty()]
        [ValidateRange("1", "712")]
        [int]$RestartNotificationSnooze = 240
    )
    Begin {
        # Ensure required authentication header variable exists
        if ($Global:AuthenticationHeader -eq $null) {
            Write-Warning -Message "Authentication token was not found, use Connect-MSIntuneGraph before using this function"; break
        }
        else {
            $TokenLifeTime = ($Global:AuthenticationHeader.ExpiresOn - (Get-Date).ToUniversalTime()).Minutes
            if ($TokenLifeTime -le 0) {
                Write-Warning -Message "Existing token found but has expired, use Connect-MSIntuneGraph to request a new authentication token"; break
            }
            else {
                Write-Verbose -Message "Current authentication token expires in (minutes): $($TokenLifeTime)"
            }
        }

        # Set script variable for error action preference
        $ErrorActionPreference = "Stop"

        # Validate that Available parameter input datetime object is in the past if the Deadline parameter is not passed on the command line
        if ($PSBoundParameters["AvailableTime"]) {
            if (-not($PSBoundParameters["DeadlineTime"])) {
                if ($AvailableTime -gt (Get-Date).AddDays(-1)) {
                    Write-Warning -Message "Validation failed for parameter input, available date time needs to be before the current used 'as soon as possible' deadline date and time, with a offset of 1 day"; break
                }
            }
        }

        # Validate that Deadline parameter input datetime object is in the future if the Available parameter is not passed on the command line
        if ($PSBoundParameters["DeadlineTime"]) {
            if (-not($PSBoundParameters["AvailableTime"])) {
                if ($DeadlineTime -lt (Get-Date)) {
                    Write-Warning -Message "Validation failed for parameter input, deadline date time needs to be after the current used 'as soon as possible' available date and time"; break
                }
            }
        }

        # Output warning message that additional required parameters for restart grace period was not specified and default values will be used
        if ($PSBoundParameters["EnableRestartGracePeriod"]) {
            if (-not($PSBoundParameters["RestartGracePeriod"])) {
                Write-Warning -Message "EnableRestartGracePeriod parameter was specified but required parameter RestartGracePeriod was not, using default value of: $($RestartGracePeriod)"
            }

            if (-not($PSBoundParameters["RestartCountDownDisplay"])) {
                Write-Warning -Message "EnableRestartGracePeriod parameter was specified but required parameter RestartCountDownDisplay was not, using default value of: $($RestartCountDownDisplay)"
            }
        }

        # Disable RestartNotificationSnooze functionality and set object to null if not passed on command line
        if (-not($PSBoundParameters["RestartNotificationSnooze"])) {
            [System.Object]$RestartNotificationSnooze = $null
            Write-Verbose -Message "RestartNotificationSnooze parameter was not specified, which means 'Allow user to snooze the restart notification' functionality will be disabled for this assignment"
        }        
    }
    Process {
        # Retrieve Win32 app by ID from parameter input
        Write-Verbose -Message "Querying for Win32 app using ID: $($ID)"
        $Win32App = Invoke-IntuneGraphRequest -APIVersion "Beta" -Resource "mobileApps/$($ID)" -Method "GET"
        if ($Win32App -ne $null) {
            $Win32AppID = $Win32App.id

            # Construct target assignment body
            switch ($PSCmdlet.ParameterSetName) {
                "GroupInclude" {
                    $DataType = "#microsoft.graph.groupAssignmentTarget"
                }
                "GroupExclude" {
                    $DataType = "#microsoft.graph.exclusionGroupAssignmentTarget"
                }
            }
            $TargetAssignment = @{
                "@odata.type" = $DataType
                "deviceAndAppManagementAssignmentFilterId" = $null
                "deviceAndAppManagementAssignmentFilterType" = "none"
                "groupId" = $GroupID
            }

            # Construct table for Win32 app assignment body
            $Win32AppAssignmentBody = [ordered]@{
                "@odata.type" = "#microsoft.graph.mobileAppAssignment"
                "intent" = $Intent
                "source" = "direct"
                "target" = $TargetAssignment
            }
            switch ($PSCmdlet.ParameterSetName) {
                "GroupInclude" {
                    $SettingsTable = @{
                        "@odata.type" = "#microsoft.graph.win32LobAppAssignmentSettings"
                        "notifications" = $Notification
                        "restartSettings" = $null
                        "deliveryOptimizationPriority" = $DeliveryOptimizationPriority
                        "installTimeSettings" = $null
                    }
                    $Win32AppAssignmentBody.Add("settings", $SettingsTable)
                }
                "GroupExclude" {
                    $Win32AppAssignmentBody.Add("settings", $null)
                }
            }

            # Amend installTimeSettings property if Available parameter is specified
            if (($PSBoundParameters["AvailableTime"]) -and (-not($PSBoundParameters["DeadlineTime"]))) {
                $Win32AppAssignmentBody.settings.installTimeSettings = @{
                    "useLocalTime" = $UseLocalTime
                    "startDateTime" = (ConvertTo-JSONDate -InputObject $AvailableTime)
                    "deadlineDateTime" = $null
                }
            }

            # Amend installTimeSettings property if Deadline parameter is specified
            if (($PSBoundParameters["DeadlineTime"]) -and (-not($PSBoundParameters["AvailableTime"]))) {
                $Win32AppAssignmentBody.settings.installTimeSettings = @{
                    "useLocalTime" = $UseLocalTime
                    "startDateTime" = $null
                    "deadlineDateTime" = (ConvertTo-JSONDate -InputObject $DeadlineTime)
                }
            }

            # Amend installTimeSettings property if Available and Deadline parameter is specified
            if (($PSBoundParameters["AvailableTime"]) -and ($PSBoundParameters["DeadlineTime"])) {
                $Win32AppAssignmentBody.settings.installTimeSettings = @{
                    "useLocalTime" = $UseLocalTime
                    "startDateTime" = (ConvertTo-JSONDate -InputObject $AvailableTime)
                    "deadlineDateTime" = (ConvertTo-JSONDate -InputObject $DeadlineTime)
                }
            }

            # Amend restartSettings if app restart behavior is set to baseOnReturnCode and EnableRestartGracePeriod is set to True
            if ($EnableRestartGracePeriod -eq $true) {
                if ($Win32App.installExperience.deviceRestartBehavior -like "basedOnReturnCode") {
                    Write-Verbose -Message "Detected that Win32 app was configured for restart settings, adding parameter inputs to request"

                    $Win32AppAssignmentBody.settings.restartSettings = @{
                        "gracePeriodInMinutes" = $RestartGracePeriod
                        "countdownDisplayBeforeRestartInMinutes" = $RestartCountDownDisplay
                        "restartNotificationSnoozeDurationInMinutes" = $RestartNotificationSnooze
                    }
                }
                else {
                    Write-Warning -Message "Win32 app was not configured for restart settings, ensure restart behavior is configured with 'Based on return code'"
                }
            }

            $DuplicateAssignment = Test-IntuneWin32AppAssignment -ID $Win32AppID -Target "Group"
            if ($DuplicateAssignment -eq $false) {
                try {
                    # Attempt to call Graph and create new assignment for Win32 app
                    $Win32AppAssignmentResponse = Invoke-IntuneGraphRequest -APIVersion "Beta" -Resource "mobileApps/$($Win32AppID)/assignments" -Method "POST" -Body ($Win32AppAssignmentBody | ConvertTo-Json) -ContentType "application/json" -ErrorAction Stop
                    if ($Win32AppAssignmentResponse.id) {
                        Write-Verbose -Message "Successfully created Win32 app assignment with ID: $($Win32AppAssignmentResponse.id)"
                        Write-Output -InputObject $Win32AppAssignmentResponse
                    }
                }
                catch [System.Exception] {
                    Write-Warning -Message "An error occurred while creating a Win32 app assignment. Error message: $($_.Exception.Message)"
                }
            }
        }
        else {
            Write-Warning -Message "Query for Win32 app returned an empty result, no apps matching the specified search criteria with ID '$($ID)' was found"
        }
    }
}