fix group management

JohnDuprey · JohnDuprey · commit 36af8d4eb057 · 2025-11-12T14:49:47.000-05:00
fixes KelvinTegelaar/CIPP#4882
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroupTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroupTemplate.ps1
@@ -29,7 +29,7 @@ function Invoke-AddGroupTemplate {
             '*unified*' { 'm365'; break }
             '*m365*' { 'm365'; break }
             '*generic*' { 'generic'; break }
-            '*security*' { 'generic'; break }
+            '*security*' { 'security'; break }
             '*distribution*' { 'distribution'; break }
             '*mail*' { 'distribution'; break }
             default { $Request.Body.groupType }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroups.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroups.ps1
@@ -87,13 +87,21 @@ function Invoke-ListGroups {
             $GraphRequest = [PSCustomObject]@{
                 groupInfo              = ($RawGraphRequest | Where-Object { $_.id -eq 1 }).body | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
                 @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true } else { $false } } },
-                @{Name = 'calculatedGroupType'; Expression = {
+                @{Name = 'groupType'; Expression = {
                         if ($_.groupTypes -contains 'Unified') { 'Microsoft 365' }
                         elseif ($_.mailEnabled -and $_.securityEnabled) { 'Mail-Enabled Security' }
                         elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'Security' }
                         elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'Distribution List' }
                     }
-                }, @{Name = 'dynamicGroupBool'; Expression = { if ($_.groupTypes -contains 'DynamicMembership') { $true } else { $false } } }
+                },
+                @{Name = 'calculatedGroupType'; Expression = {
+                        if ($_.groupTypes -contains 'Unified') { 'm365' }
+                        elseif ($_.mailEnabled -and $_.securityEnabled) { 'security' }
+                        elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'generic' }
+                        elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'distributionList' }
+                    }
+                },
+                @{Name = 'dynamicGroupBool'; Expression = { if ($_.groupTypes -contains 'DynamicMembership') { $true } else { $false } } }
                 members                = ($RawGraphRequest | Where-Object { $_.id -eq 2 }).body.value
                 owners                 = ($RawGraphRequest | Where-Object { $_.id -eq 3 }).body.value
                 allowExternal          = (!$OnlyAllowInternal)
@@ -104,13 +112,20 @@ function Invoke-ListGroups {
             $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupID)/$($members)?`$top=999&select=$SelectString" -tenantid $TenantFilter | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
             @{Name = 'membersCsv'; Expression = { $_.members.userPrincipalName -join ',' } },
             @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true }else { $false } } },
-            @{Name = 'calculatedGroupType'; Expression = {
+            @{Name = 'groupType'; Expression = {
                     if ($_.groupTypes -contains 'Unified') { 'Microsoft 365' }
                     elseif ($_.mailEnabled -and $_.securityEnabled) { 'Mail-Enabled Security' }
                     elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'Security' }
                     elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'Distribution List' }
                 }
             },
+            @{Name = 'calculatedGroupType'; Expression = {
+                    if ($_.groupTypes -contains 'Unified') { 'm365' }
+                    elseif ($_.mailEnabled -and $_.securityEnabled) { 'security' }
+                    elseif (-not $_.mailEnabled -and $_.securityEnabled) { 'generic' }
+                    elseif (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (-not $_.securityEnabled)) { 'distributionList' }
+                }
+            },
             @{Name = 'dynamicGroupBool'; Expression = { if ($_.groupTypes -contains 'DynamicMembership') { $true } else { $false } } }
             $GraphRequest = @($GraphRequest | Sort-Object displayName)
         }
diff --git a/Modules/CIPPCore/Public/New-CIPPGroup.ps1 b/Modules/CIPPCore/Public/New-CIPPGroup.ps1
@@ -43,6 +43,7 @@ function New-CIPPGroup {
     try {
         # Normalize group type for consistent handling (accept camelCase from templates)
         $NormalizedGroupType = switch -Wildcard ($GroupObject.groupType.ToLower()) {
+            'mail-enabled security' { 'Security'; break }
             '*dynamicdistribution*' { 'DynamicDistribution'; break }  # Check this first before *dynamic* and *distribution*
             '*dynamic*' { 'Dynamic'; break }
             '*generic*' { 'Generic'; break }
@@ -57,7 +58,7 @@ function New-CIPPGroup {
         }
 
         # Determine if this group type needs an email address
-        $GroupTypesNeedingEmail = @('M365', 'Distribution', 'DynamicDistribution')
+        $GroupTypesNeedingEmail = @('M365', 'Distribution', 'DynamicDistribution', 'Security')
         $NeedsEmail = $NormalizedGroupType -in $GroupTypesNeedingEmail
 
         # Determine email address only for group types that need it
@@ -95,13 +96,13 @@ function New-CIPPGroup {
         Write-LogMessage -API $APIName -tenant $TenantFilter -message "Creating group $($GroupObject.displayName) of type $NormalizedGroupType$(if ($NeedsEmail) { " with email $Email" })" -Sev Info
 
         # Handle Graph API groups (Security, Generic, AzureRole, Dynamic, M365)
-        if ($NormalizedGroupType -in @('Generic', 'Security', 'AzureRole', 'Dynamic', 'M365')) {
+        if ($NormalizedGroupType -in @('Generic', 'AzureRole', 'Dynamic', 'M365')) {
             Write-Information "Creating group $($GroupObject.displayName) of type $NormalizedGroupType$(if ($NeedsEmail) { " with email $Email" })"
             $BodyParams = [PSCustomObject]@{
                 'displayName'        = $GroupObject.displayName
                 'description'        = $GroupObject.description
                 'mailNickname'       = $MailNickname
-                'mailEnabled'        = ($NormalizedGroupType -in @('Security', 'M365'))
+                'mailEnabled'        = ($NormalizedGroupType -eq 'M365')
                 'securityEnabled'    = $true
                 'isAssignableToRole' = ($NormalizedGroupType -eq 'AzureRole')
             }
@@ -194,13 +195,17 @@ function New-CIPPGroup {
 
                 $ExoParams = @{
                     Name                               = $GroupObject.displayName
-                    Alias                              = $GroupObject.username
+                    Alias                              = $MailNickname
                     Description                        = $GroupObject.description
                     PrimarySmtpAddress                 = $Email
                     Type                               = $GroupObject.groupType
                     RequireSenderAuthenticationEnabled = [bool]!$GroupObject.allowExternal
                 }
 
+                if ($NormalizedGroupType -eq 'Security') {
+                    $ExoParams.Type = 'Security'
+                }
+
                 # Add owners
                 if ($GroupObject.owners -and $GroupObject.owners.Count -gt 0) {
                     $OwnerEmails = $GroupObject.owners | ForEach-Object {
