
#Acquire Access token
class PIM: CommandBase
    hidden $APIroot =  [string]::Empty
    hidden $headerParams = "";
    hidden $UserId = "";
    hidden  $AccessToken="";
    hidden $AccountId="" ;

    PIM([string] $subscriptionId, [InvocationInfo] $invocationContext)
    : Base([string] $subscriptionId, [InvocationInfo] $invocationContext)
        $this.AccessToken = "";
        $this.APIroot = "";
    # Using helper method to get current context and access token
    $ResourceAppIdURI = [WebRequestHelper]::GetServiceManagementUrl()
    $this.AccessToken = [Helpers]::GetAccessToken($ResourceAppIdURI);
    $this.AccountId = [Helpers]::GetCurrentSessionUser()
    $this.UserId = (Get-AzADUser -UserPrincipalName  $this.AccountId).Id
    $this.headerParams= @{'Authorization'="Bearer $($this.AccessToken)"}

#Gets the jit assignments for logged-in user
hidden [PSObject] MyJitAssignments($active)
    $urlme = "";
    $urlme = $this.APIroot + "/roleAssignments?`$expand=linkedEligibleRoleAssignment,subject,roleDefinition(`$expand=resource)&`$filter=(subject/id%20eq%20%27$($this.UserId)%27)+and+(assignmentState%20eq%20%27Eligible%27)"
        $urlme = $this.APIroot + "/roleAssignments?`$expand=linkedEligibleRoleAssignment,subject,roleDefinition(`$expand=resource)&`$filter=(subject/id%20eq%20%27$($this.UserId)%27)+and+(assignmentState%20eq%20%27Active%27)" 
    $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $urlme -Method Get
    $assignments = ConvertFrom-Json $response.Content
    $assignments = $assignments.value
    $obj = @()
    Write-Host ""
    if(($assignments | Measure-Object).Count -gt 0)
        $i = 0
        foreach ($assignment in $assignments)
            $item = New-Object psobject -Property @{
            Id = ++$i
            IdGuid =  $
            ResourceId =  $
            OriginalId =  $assignment.roleDefinition.resource.externalId
            ResourceName =  $assignment.roleDefinition.resource.displayName
            ResourceType =  $assignment.roleDefinition.resource.type
            RoleId = $
            RoleName = $assignment.roleDefinition.displayName
            ExpirationDate = $assignment.endDateTime
            SubjectId = $
            $obj = $obj + $item
    return $obj

#List resources
hidden [PSObject] ListResources()
    $url = $this.APIroot + "/resources?`$select=id,displayName,type&`$filter=(type%20eq%20%27subscription%27)&`$orderby=displayName&`$top=10&1540887279129" 
    # Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Get
    $resources = ConvertFrom-Json $response.Content
    $i = 0
    $obj = @()
    foreach ($resource in $resources.value)
        $item = New-Object psobject -Property @{
        Id = ++$i
        ResourceId =  $
        ResourceName =  $resource.DisplayName
        Type =  $resource.type
        ExternalId =  $resource.externalId
    $obj = $obj + $item

return $obj

#List roles
hidden [PSObject] ListRoles($resourceId)
    $url =$this.APIroot + "resources/" + $resourceId + "/roleDefinitions?`$select=id,displayName,type,templateId,resourceId,externalId,subjectCount,eligibleAssignmentCount,activeAssignmentCount&`$orderby=activeAssignmentCount%20desc"
    # Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Get
    $roles = ConvertFrom-Json $response.Content
    $i = 0
    $obj = @()
    foreach ($role in $roles.value)
        $item = New-Object psobject -Property @{
        Id = ++$i
        RoleDefinitionId =  $
        RoleName =  $role.DisplayName
        SubjectCount = $role.SubjectCount
    $obj = $obj + $item

    return $obj 

#List Assignment
hidden [PSObject] ListAssignmentsWithFilter($resourceId, $roleDefinitionId)
    $url = $this.APIroot + "resources/" + $resourceId + "`/roleAssignments?`$expand=subject,roleDefinition(`$expand=resource)&`$filter=(roleDefinition/id+eq+'" + $roleDefinitionId + "')"
    # Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Get
    $roleAssignments = ConvertFrom-Json $response.Content
    $i = 0
    $obj = @()
    foreach ($roleAssignment in $roleAssignments.value)
        $item = New-Object psobject -Property @{
        Id = ++$i
        RoleAssignmentId =  $
        ResourceId =  $
        OriginalId =  $roleAssignment.roleDefinition.resource.externalId
        ResourceName =  $roleAssignment.roleDefinition.resource.displayName
        ResourceType =  $roleAssignment.roleDefinition.resource.type
        RoleId = $
        RoleName = $roleAssignment.roleDefinition.displayName
        ExpirationDate = $roleAssignment.endDateTime
        SubjectId = $
        UserName = $roleAssignment.subject.displayName
        AssignmentState = $roleAssignment.AssignmentState
    $obj = $obj + $item

return $obj

#List Users
hidden [PSObject]  ListUsers($user_search)
    $url = $this.APIroot + "users?`$filter=startswith(displayName,'" + $user_search + "')"
    # Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Get
    $users = ConvertFrom-Json $response.Content
    $i = 0
    $obj = @()
    foreach ($user in $users.value)
        $item = New-Object psobject -Property @{
        Id = ++$i
        UserId =  $
        UserName =  $user.DisplayName
    $obj = $obj + $item

    return $obj

#Activates the user
hidden Activate()
    $assignments =$this.MyJitAssignments(1)
    if(($assignments | Measure-Object).Count -gt 0)
        $this.PublishCustomMessage("Role assignments:",[MessageType]::Default)
        $this.PublishCustomMessage($($assignments | Format-Table -AutoSize -Wrap Id,RoleName,ResourceName,ResourceType,ExpirationDate | Out-String),[MessageType]::Default)
        Write-Host " Enter Id to activate: " -ForegroundColor Cyan -NoNewline 
        $choice = Read-Host 
        while($choice -notin $assignments.Id)
           Write-Host " Invalid input" -ForegroundColor Yellow 
           Write-Host " Enter Id to activate: " -ForegroundColor Cyan -NoNewline
          $choice = Read-Host 

            Write-Host " Enter activation duration in hours between 1 to 8 hours: " -ForegroundColor Cyan -NoNewline
            [int] $hours =  Read-Host
            while($hours -lt 1 -or $hours -gt 8)
                Write-Host " Invalid input" -ForegroundColor Yellow
                Write-Host " Enter activation duration in hours between 1 to 8 hours: " -ForegroundColor Cyan -NoNewline
               [int] $hours = Read-Host 
            Write-Host " Please enter a valid integer value: " -ForegroundColor Yellow -NoNewline
            [int] $hours = Read-Host
            while($hours -lt 1 -or $hours -gt 8)
                Write-Host " Invalid input" -ForegroundColor Yellow
                Write-Host " Enter activation duration in hours between 1 to 8 hours: " -ForegroundColor Cyan -NoNewline
               [int] $hours = Read-Host
        Write-Host " Enter the reason for activation of the role: " -ForegroundColor Cyan -NoNewline
        $reason = Read-Host
        $id = $assignments[$choice-1].IdGuid
        $resourceId = $assignments[$choice-1].ResourceId
        $roleDefinitionId = $assignments[$choice-1].RoleId
        $subjectId = $assignments[$choice-1].SubjectId
        $url = $this.APIroot + "roleAssignmentRequests "
        $postParams = '{"roleDefinitionId":"'+$roleDefinitionId+'","resourceId":"'+$resourceId+'","subjectId":"'+$subjectId+'","assignmentState":"Active","type":"UserAdd","reason":"'+$reason+'","schedule":{"type":"Once","startDateTime":"'+(Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")+'","duration":"PT' + $hours + 'H"},"linkedEligibleRoleAssignmentId":"'+$id+'"}'

            $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Post -ContentType "application/json" -Body $postParams
            if($response.StatusCode -eq 201)
                $this.PublishCustomMessage("Activation request queued successfully ...",[MessageType]::Update);
             $recursive = $false
        Write-Host " No eligible role found for the logged in context" -ForegroundColor Yellow

#Deactivates the user
hidden Deactivate()
        $assignments = $this.MyJitAssignments(0) | Where-Object{-not [string]::IsNullorEmpty($_.ExpirationDate)}
        if(($assignments | Measure-Object).Count -gt 0)
            $this.PublishCustomMessage("Role assignments: ")
            $this.PublishCustomMessage($($assignments | Format-Table -AutoSize -Wrap Id,RoleName,ResourceName,ResourceType,ExpirationDate | Out-String),[MessageType]::Default)
            Write-Host " Pick Id to deactivate: " -ForegroundColor Cyan -NoNewline
            $choice = Read-Host
            while($choice -notin $assignments.Id)
                 Write-Host " Invalid input" -ForegroundColor Yellow
                 Write-Host " Pick Id to deactivate: " -ForegroundColor Cyan -NoNewline
                $choice = Read-Host 
            $id = $assignments[$choice-1].IdGuid
            $resourceId = $assignments[$choice-1].ResourceId
            $roleDefinitionId = $assignments[$choice-1].RoleId
            $subjectId = $assignments[$choice-1].SubjectId
            $url = $this.APIroot + "/roleAssignmentRequests "
            $postParams = '{"roleDefinitionId":"'+$roleDefinitionId+'","resourceId":"'+$resourceId+'","subjectId":"'+$subjectId+'","assignmentState":"Active","type":"UserRemove","linkedEligibleRoleAssignmentId":"'+$id+'"}'
                $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Post -ContentType "application/json" -Body $postParams
                if($response.StatusCode -eq '201')
                     $this.PublishCustomMessage("Role deactivated successfully ... ",[MessageType]::Update);
            $this.PublishCustomMessage("No Active assignments found.",[MessageType]::Warning);


#List RoleAssignment
    #List and Pick resource
    $resources = $this.ListResources()
    if(($resources | Measure-Object).Count -gt 0)
        $this.PublishCustomMessage($($resources | Format-Table -AutoSize -Wrap Id, ResourceName, Type, ExternalId | Out-String),[MessageType]::Default)
        Write-Host " Pick a resource Id for assigment: " -ForegroundColor Cyan -NoNewline
        $res_choice = Read-Host 
        while($res_choice -notin $resources.Id)
             Write-Host " Invalid input" -ForegroundColor Yellow
             Write-Host " Pick a resource Id for assigment: " -ForegroundColor Cyan -NoNewline
            $res_choice = Read-Host            
        $resourceId = $resources[$res_choice-1].ResourceId

        #List and Pick a role
        $roles = $this.ListRoles($resourceId) |  Where-Object{ $_.SubjectCount -gt 0}
        $this.PublishCustomMessage($($roles | Format-Table -AutoSize -Wrap Id, RoleName, RoleDefinitionId | Out-String),[MessageType]::Default)
        Write-Host " Pick a role Id: " -ForegroundColor Cyan -NoNewline
        $role_choice = Read-Host
        while($role_choice -notin $roles.Id)
             Write-Host " Invalid input" -ForegroundColor Yellow
             Write-Host " Pick a role Id: " -ForegroundColor Cyan -NoNewline
            $role_choice = Read-Host 
        $roleDefinitionId = $roles[$role_choice-1].RoleDefinitionId
        #write-Host $roleDefinitionId

        #List Member
        $permanentAssignment=$roleAssignments | Where-Object{$_.IsPermanent -eq $true}
        if(($permanentAssignment | Measure-Object).Count -gt 0)
            $this.PublishCustomMessage($($permanentAssignment | Format-Table UserName, ResourceType,ResourceId | Out-String),[MessageType]::Default)
            $this.PublishCustomMessage(" No permanent assignments found for this combination.",[MessageType]::Warning);
        $this.PublishCustomMessage("No active assignments found for the current logged in context.", [MessageType]::Warning )

#Assign a user to Eligible Role
hidden AssignmentEligible() 
    #List and Pick resource
    $resources = $this.ListResources();
    $this.PublishCustomMessage($($resources | Format-Table -AutoSize -Wrap Id, ResourceName, Type, ExternalId | Out-String),[MessageType]::Default)
    if(($resources | Measure-Object).Count -gt 0)
            Write-Host " Pick a resource Id for assigment: " -ForegroundColor Cyan -NoNewline
            $res_choice = Read-Host 
            while($res_choice -notin $resources.Id)
                 Write-Host " Invalid input" -ForegroundColor Yellow
                 Write-Host " Pick a resource Id for assigment: " -ForegroundColor Cyan -NoNewline
                $res_choice = Read-Host 
            $resourceId = $resources[$res_choice-1].ResourceId

            #List and Pick a role
            $roles = $this.ListRoles($resourceId)
            $this.PublishCustomMessage($($roles | Format-Table -AutoSize -Wrap Id, RoleName, RoleDefinitionId | Out-String),[MessageType]::Default)
            Write-Host " Pick a role Id: " -ForegroundColor Cyan -NoNewline
            $role_choice = Read-Host 
             while($role_choice -notin $roles.Id)
                Write-Host " Invalid input" -ForegroundColor Yellow
                Write-Host " Pick a role Id: " -ForegroundColor Cyan -NoNewline
                $role_choice = Read-Host 
            $roleDefinitionId = $roles[$role_choice-1].RoleDefinitionId
            #Get Object Id of usesr by Name, and get input for allowed time of role assignment
            Write-Host " Please enter the Principal Name ( e.g. '') of the user to whom role has to be assigned: " -ForegroundColor Cyan -NoNewline
            $user_search = Read-Host 
                $users = Get-AzADUser -UserPrincipalName $user_search
                while(($users | Measure-Object).Count -ne 1)
                    $this.PublishCustomMessage("Unable to fetch details of the principal name provided, please make sure to enter the correct values.", [MessageType]::Warning)
                    Write-Host " Please enter the Principal Name ( e.g. '') of the user to whom role has to be assigned: " -ForegroundColor Cyan -NoNewline
                    $user_search = Read-Host 
                    $users = Get-AzADUser -UserPrincipalName $user_search
                $this.PublishCustomMessage("Unable to fetch details of the principal name provided, please make sure to enter the correct values.", [MessageType]::Warning)
            $this.PublishCustomMessage($($users | Format-Table -Property  * | Out-String),[MessageType]::Default);
            $subjectId = $users.Id
                Write-Host " Enter the period in days between 1 to 90 days for role assignment: " -ForegroundColor Cyan -NoNewline
                [int]$days= Read-Host 
                while($days -gt 90 -or $days -lt 1)
                    Write-Host " Invalid input" -ForegroundColor Yellow
                    Write-Host " Enter the period in days between 1 to 90 days for role assignment: " -ForegroundColor Cyan -NoNewline
                    $days= Read-Host 
                Write-Host " Please enter a integer value between 1 to 90" -ForegroundColor Yellow -NoNewline
                Write-Host " Enter the period in days between 1 to 90 days for role assignment: " -ForegroundColor Cyan
                [int]$days= Read-Host 
                while($days -gt 90 -or $days -lt 1)
                    Write-Host " Invalid input" -ForegroundColor Yellow
                    Write-Host " Enter the period in days between 1 to 90 days for role assignment: " -ForegroundColor Cyan -NoNewline
                    $days= Read-Host 

            $url = $this.APIroot+"/roleAssignmentRequests"
            # Update end time
            $ts = New-TimeSpan -Days $days
            $postParams = '{"assignmentState":"Eligible","type":"AdminAdd","reason":"Assign","roleDefinitionId":"' + $roleDefinitionId + '","resourceId":"' + $resourceId + '","subjectId":"' + $subjectId + '","schedule":{"startDateTime":"' + (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") + '","endDateTime":"' + ((get-date) + $ts).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") + '","type":"Once"}}'
                $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $url -Method Post -ContentType "application/json" -Body $postParams
                if($response.StatusCode -eq 201)
                $this.PublishCustomMessage("Assignment request queued successfully ...",[MessageType]::Update);
                $recursive = $false
       $this.PublishCustomMessage("You are not elligible to assign a role. If you have recently elevated/activated your permissions, please run Connect-AzAccount and re-run the script.",[MessageType]::Warning)

 #Show menu
            $this.PublishCustomMessage("Azure PIM Assignment Menu")
            $this.PublishCustomMessage(" 1. List your eligible role assignments")
            $this.PublishCustomMessage(" 2. Activate an eligible role" )
            $this.PublishCustomMessage(" 3. Deactivate an active role" )
            $this.PublishCustomMessage(" 4. Assign a role to user" )
            $this.PublishCustomMessage(" 5. Check permanent access on subscription for a role")
            $this.PublishCustomMessage(" 6. Exit")

hidden [void] PIMScript()
        Write-Host "Unable to fetch access token. Run Connect-AzAccount and then execute this command" -ForegroundColor Red
            Write-Host " Enter your selection: " -ForegroundColor Cyan -NoNewline
            $input = Read-Host 
            switch ($input)
                        $assignments = $this.MyJitAssignments(1)
                        if(($assignments | Measure-Object).Count -gt 0)
                        $this.PublishCustomMessage("Role assignments:",[MessageType]::Default)
                        $this.PublishCustomMessage(($assignments | Format-Table -AutoSize Id,RoleName,ResourceName,ResourceType,ExpirationDate| Out-String),[MessageType]::Default)
                            $this.PublishCustomMessage("No eligible roles found for the current login",[MessageType]::Warning);
        while ($input -gt 6 -or ($input -lt 1) )
