Framework/Core/PIM/PIMScript.ps1
|
#Acquire Access token class PIM: AzCommandBase { hidden $APIroot = [string]::Empty hidden $headerParams = ""; hidden $UserId = ""; hidden $AccessToken = ""; hidden $AccountId = "" ; hidden $abortflow = 0; hidden $controlSettings; PIM([string] $subscriptionId, [InvocationInfo] $invocationContext) : Base([string] $subscriptionId, [InvocationInfo] $invocationContext) { $this.DoNotOpenOutputFolder = $true; $this.AccessToken = ""; $this.AccountId = ""; $this.APIroot = "https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/azureResources"; $this.ControlSettings= [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); } #Acquire Access token AcquireToken() { # Using helper method to get current context and access token $ResourceAppIdURI = [WebRequestHelper]::GetServiceManagementUrl() [ContextHelper]::ResetCurrentRMContext if([Helpers]::CheckMember($this.ControlSettings,'PIMAppId')) { if(-not ([string]::IsNullOrEmpty($this.ControlSettings.PIMAppId))) { $this.AccessToken = Get-AzSKAccessToken -ResourceAppIdURI $this.ControlSettings.PIMAppId; } } else { $this.AccessToken = [ContextHelper]::GetAccessToken($ResourceAppIdURI); } $this.headerParams = @{'Authorization' = "Bearer $($this.AccessToken)" } $this.AccountId = [ContextHelper]::GetCurrentSessionUser() $ADUserDetails = Get-AzADUser -UserPrincipalName $this.AccountId if($null -ne $ADUserDetails) { $this.UserId = ($ADUserDetails).Id } } #Gets the jit assignments for logged-in user hidden [PSObject] MyJitAssignments() { $this.AcquireToken(); if( -not [string]::IsNullOrEmpty($this.UserId)) { $urlme = $this.APIroot + "/roleAssignments?`$expand=linkedEligibleRoleAssignment,subject,roleDefinition(`$expand=resource)&`$filter=(subject/id%20eq%20%27$($this.UserId)%27)" $assignments = [WebRequestHelper]::InvokeWebRequest('Get', $urlme, $this.headerParams, $null, [string]::Empty, $false, $false ) $assignments = $assignments | Sort-Object roleDefinition.resource.type , roleDefinition.resource.displayName $obj = @() if (($assignments | Measure-Object).Count -gt 0) { $i = 0 foreach ($assignment in $assignments) { $item = New-Object psobject -Property @{ Id = ++$i IdGuid = $assignment.id ResourceId = $assignment.roleDefinition.resource.id OriginalId = $assignment.roleDefinition.resource.externalId ResourceName = $assignment.roleDefinition.resource.displayName ResourceType = $assignment.roleDefinition.resource.type RoleId = $assignment.roleDefinition.id RoleName = $assignment.roleDefinition.displayName ExpirationDate = $assignment.endDateTime SubjectId = $assignment.subject.id AssignmentState = $assignment.assignmentState } $obj = $obj + $item } } return $obj } else { return $null } } # this method is an overlaod of existing PIMResolver method, this is to facilitate a seperate flow for pim operations at management group scope hidden [PIMResource[]] PIMResourceResolver($ManagementGroupId, $IsActivationRequest) { $resolvedResource = @() if($IsActivationRequest) { $resolvedResource = [array][PIMResource]::new() $eligibleAssignments = $this.MyJitAssignments(); $resolvedResources = @(); if($null -ne $eligibleAssignments) { $resolvedResources = $eligibleAssignments | Where-Object{$_.OriginalId -eq ("/providers/Microsoft.Management/managementGroups/$ManagementGroupId") } foreach($res in $resolvedResources) { $resObj = [PIMResource]::new() $resObj.ExternalId = $res.OriginalId $resObj.ResourceName = $res.ResourceName $resObj.ResourceId = $res.ResourceId $resolvedResource += $resObj } } else { $this.PublishCustomMessage("No PIM Eligible assignment found for the current context: $($this.AccountId).",[MessageType]::Warning) } } else { $resources = $this.ListResources($null, "managementgroup", $ManagementGroupId); $resolvedResource = $resources | Where-Object {$_.ExternalId -eq "/providers/Microsoft.Management/managementGroups/$($ManagementGroupId)"} } return $resolvedResource; } # This function resolves the resource that matches to parameters passed in command hidden [PIMResource[]] PIMResourceResolver( $SubscriptionId, $ResourceGroupName, $ResourceName, $IsActivationRequest) { $this.AcquireToken(); $rtype = 'subscription' $selectedResourceName = $SubscriptionId.Trim() if (-not([string]::IsNullOrEmpty($resourcegroupName))) { $selectedResourceName = $resourcegroupName; $rtype = 'resourcegroup' } if (-not([string]::IsNullOrEmpty($resourceName))) { $selectedResourceName = $resourceName; $rtype = 'resource' } $item = New-Object psobject -Property @{ ResourceType = $rtype ResourceName = $selectedResourceName } $resolvedResource = [PIMResource]::new() if($IsActivationRequest) { $myAssignments = $this.MyJitAssignments(); if($null -ne $myAssignments) { $resolvedResources = ($myAssignments | Where-Object {$_.OriginalId -match $SubscriptionId}) $PIMResources = @(); if(($resolvedResources | Measure-Object).Count -gt 0 ) { if( $item.ResourceType -eq 'subscription') { $resolvedResources = $resolvedResources | Where-Object{$_.OriginalId -eq ("/subscriptions/$($SubscriptionId)") } } if( $item.ResourceType -eq 'resourcegroup') { $rgId = [string]::Format("/subscriptions/{0}/resourceGroups/{1}",$SubscriptionId,$ResourceGroupName) $resolvedResources = $resolvedResources | Where-Object{$_.OriginalId -eq $rgId } } if( $item.ResourceType -eq 'resource'){ $rgId = [string]::Format("/subscriptions/{0}/resourceGroups/{1}",$SubscriptionId,$ResourceGroupName) $resolvedResources = $resolvedResources | Where-Object{$_.OriginalId -like "$rgId*" -and $_.ResourceName-eq $ResourceName } # if multiple resources with same name under one rg are found, ask the end user to choose the resource if(($resolvedResources|Measure-Object).Count -gt 1) { $counter=0; $tempres = @(); foreach ($resource in $resolvedResources) { $item = New-Object psobject -Property @{ id = ++$counter ResourceName = $resource.ResourceName OriginalId = $resource.OriginalId } $tempres+=$item } [int]$choice = -1; $this.PublishCustomMessage("Multiple resources with same resource name are found. ") $this.PublishCustomMessage(($tempres | Format-Table Id, OriginalId | Out-String)) Write-Host "Please enter 'Id' from the above table for the resource you want to activate your assignment on." -ForegroundColor Yellow try{ $choice = Read-Host if($choice -notin $tempres.Id) { throw "Invalid Input provided"; } } catch { throw "Invalid Input provided"; } $resolvedResources= $resolvedResources | Where-Object{$_.OriginalId -eq $tempres[$choice-1].OriginalId } } } if(($resolvedResources|Measure-Object).Count -gt 0) { $resObj = [PIMResource]::new() foreach($res in $resolvedResources) { $resObj.ExternalId = $res.OriginalId $resObj.ResourceName = $res.ResourceName $resObj.ResourceId = $res.ResourceId $PIMResources += $resObj } } } return $PIMResources; } else { $this.PublishCustomMessage("No PIM Eligible assignments found for the current context: $($this.AccountId).",[MessageType]::Warning) return $null } } else { $resources = $this.ListResources($SubscriptionId, $item.ResourceType, $item.ResourceName); if($item.ResourceType -eq 'resource') { $resolvedResource = $resources | Where-Object { $_.ResourceName -eq $item.ResourceName} #If context has access over resourcegroups or resources with same name, get a match based on Subscription and rg passed in param if (($resolvedResource | Measure-Object).Count -gt 1) { $resolvedResource = $resolvedResource | Where-Object { $_.ExternalId -match $SubscriptionId } if (-not([string]::IsNullOrEmpty($ResourceGroupName)) -and ($resolvedResource | Measure-Object).Count -gt 0) { $resolvedResource = $resolvedResource | Where-Object { $_.ExternalId -match $ResourceGroupName } } } } else { if($item.ResourceType -eq 'subscription') { $resolvedResource.ExternalId = "/subscriptions/$($item.ResourceName)" } elseif($item.ResourceType -eq 'resourcegroup') { $resolvedResource.ExternalId = "/subscriptions/$($SubscriptionId.Trim())/resourceGroups/$($item.ResourceName)" } if($null -ne $resources) { $temp = $resources | Where-Object { $_.ExternalId -eq $resolvedResource.ExternalId} if(($temp| Measure-Object).Count -gt 0) { $resolvedResource = $temp } } } return $resolvedResource } } #List all the resources accessible to context. hidden [System.Collections.Generic.List[PIMResource]] ListResources($Guid, $type, $resourceName) { $this.AcquireToken(); $resources = $null $resourceUrl = $null if($type -ne'managementGroup') { Set-AzContext -SubscriptionId $Guid | Out-Null } # This seperation is required due to nature of API, it operates in paging/batching manner when we query for all types # Note: At present, we do not provide PIM operation management for management group. However, if needed in the future, it can be added in the else statement. >> $filter=(type%20eq%20%27managementgroup%27) if($type -eq 'managementGroup') { # Fetch PIM details of the all subscriptions user has access to $resourceUrl = $this.APIroot + "/resources?`$filter=(type%20eq%20%27managementgroup%27)&`$orderby=type" } if($type -eq 'subscription') { # Fetch PIM details of the all subscriptions user has access to $useDiscoveryAPI = $false # If environment variable AzSKPIMLatencyIssue is set to true then use Discovery API to handle latency issue if (Test-Path env:AzSKPIMLatencyIssue ){ if ($Env:AzSKPIMLatencyIssue -eq $true) { $useDiscoveryAPI = $true } } if ($useDiscoveryAPI){ $resourceUrl = $this.APIroot + "/resources?/discovery?`$filter=(registeredDateTime%20ne%20null%20and%20type%20eq%20%27subscription%27)" } else { $resourceUrl = $this.APIroot + "/resources?`$filter=(type%20eq%20%27subscription%27)&`$orderby=type" } } elseif($type -eq 'resourcegroup') { # Fetch PIM details of the specified resource group $resourceUrl = $this.APIroot + "/resources?`$filter=(type%20eq%20%27resourcegroup%27)%20and%20contains(tolower(displayName),%20%27{0}%27)&`$orderby=type" -f $resourceName.ToLower() } elseif($type -eq 'resource') { # Fetch PIM details of the specified resource $resourceUrl = $this.APIroot + "/resources?`$filter=(type%20ne%20%27resourcegroup%27%20and%20type%20ne%20%27subscription%27%20and%20type%20ne%20%27managementgroup%27)%20and%20contains(tolower(displayName),%20%27{0}%27)" -f $resourceName.ToLower() } $response = $null try { $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $resourceUrl -Method Get $values = ConvertFrom-Json $response.Content $resources = $values.value $hasOdata = $values | Get-Member -Name '@odata.nextLink' while ($null -ne $hasOdata -and -not([string]::IsNullOrEmpty(($values).'@odata.nextLink'))) { $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $(($values).'@odata.nextLink') -Method Get $values = ConvertFrom-Json $response.Content $resources += $values.value $hasOdata = $values | Get-Member -Name '@odata.nextLink' } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $this.PublishCustomMessage($_.ErrorDetails.Message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } return $null; } $i = 0 $obj = New-Object "System.Collections.Generic.List[PIMResource]" foreach ($resource in $resources) { $item = New-Object PIMResource $item.Id = ++$i $item.ResourceId = $resource.id $item.ResourceName = $resource.DisplayName $item.Type = $resource.type $item.ExternalId = $resource.externalId $obj.Add($item); } return $obj } #List roles from PIM API hidden [PSObject] ListRoles($resourceId) { $this.AcquireToken(); $url = $this.APIroot + "/resources/" + $resourceId + "/roleDefinitions?`$select=id,displayName,type,templateId,resourceId,externalId,subjectCount,eligibleAssignmentCount,activeAssignmentCount&`$orderby=activeAssignmentCount%20desc" $roles = [WebRequestHelper]::InvokeWebRequest("Get", $url, $this.headerParams, $null, [string]::Empty, $false, $false ) $i = 0 $obj = @() foreach ($role in $roles) { $item = New-Object psobject -Property @{ Id = ++$i RoleDefinitionId = $role.id RoleName = $role.DisplayName SubjectCount = $role.SubjectCount } $obj = $obj + $item } return $obj } #List Assignment for a particular resource hidden [PSObject] ListAssignmentsWithFilter($resourceId, $IsPermanent) { $this.AcquireToken() $url = $this.APIroot + "/resources/" + $resourceId + "`/roleAssignments?`$expand=subject,roleDefinition(`$expand=resource)" #NextLink handled in the web request $roleAssignments = [WebRequestHelper]::InvokeWebRequest('Get', $url, $this.headerParams, $null, [string]::Empty, @{} ) $i = 0 $obj = @() $assignments = @(); foreach ($roleAssignment in $roleAssignments) { $item = New-Object psobject -Property @{ Id = ++$i RoleAssignmentId = $roleAssignment.id ResourceId = $roleAssignment.roleDefinition.resource.id OriginalId = $roleAssignment.roleDefinition.resource.externalId ResourceName = $roleAssignment.roleDefinition.resource.displayName ResourceType = $roleAssignment.roleDefinition.resource.type RoleId = $roleAssignment.roleDefinition.id IsPermanent = $roleAssignment.IsPermanent RoleName = $roleAssignment.roleDefinition.displayName ExpirationDate = $roleAssignment.endDateTime SubjectId = $roleAssignment.subject.id SubjectType = $roleAssignment.subject.type UserName = $roleAssignment.subject.displayName AssignmentState = $roleAssignment.AssignmentState MemberType = $roleAssignment.memberType PrincipalName = $roleAssignment.subject.principalName linkedEligibleRoleAssignmentId = $roleAssignment.linkedEligibleRoleAssignmentId } $obj = $obj + $item } if (($obj | Measure-Object).Count -gt 0) { if (-not $IsPermanent) { $assignments = $obj | Where-Object { $_.AssignmentState -eq 'Eligible' } } else { # In case of true permanent assignments and permanently eligible active the assignment state will be active. To distiguish it from Permanently Eligible PIM active assignemnts, we need to check LinkedEligibleRoleAssignmentId $assignments = $obj | Where-Object { $_.AssignmentState -eq 'Active' -and ($null -eq $_.linkedEligibleRoleAssignmentId)} } } return $assignments } #List Permanent or PIM assignment for a resource hidden ListAssignment($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleNames, $CheckPermanent) { $this.AcquireToken(); $criticalRoles = @(); $resources = $null $criticalRoles += $this.ConvertToStringArray($RoleNames) if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resources = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resources = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName,$false) } if (($resources | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resources.ResourceId))) { $roleAssignments = $this.ListAssignmentsWithFilter($resources.ResourceId, $CheckPermanent) if(($roleAssignments | Measure-Object).Count -gt 0) { if(-not [String]::IsNullOrEmpty($RoleNames)) { $roleAssignments = $roleAssignments | Where-Object { $_.RoleName -in $criticalRoles -and $_.MemberType -ne 'Inherited' -and ($_.SubjectType -eq 'User' -or $_.SubjectType -eq 'Group') } } else { $roleAssignments = $roleAssignments | Where-Object { $_.MemberType -ne 'Inherited' -and ($_.SubjectType -eq 'User' -or $_.SubjectType -eq 'Group') } } if (($roleAssignments | Measure-Object).Count -gt 0) { $roleAssignments = $roleAssignments | Sort-Object -Property RoleName, Name, AssignmentState, ResourceId $this.PublishCustomMessage("") $this.PublishCustomMessage("Note: The assignments listed below do not include 'inherited' assignments for the scope.", [MessageType]::Warning) $this.PublishCustomMessage([Constants]::SingleDashLine, [MessageType]::Default) $this.PublishCustomMessage($($roleAssignments | Format-Table -Property PrincipalName, @{Label = "Role"; Expression = { $_.RoleName } }, AssignmentState, @{Label = "Type"; Expression = { $_.SubjectType } } | Out-String), [MessageType]::Default) $objectToExport = $roleAssignments | Select-Object RoleName, PrincipalName, UserName, ResourceType, ResourceName, SubjectType, AssignmentState, IsPermanent $this.ExportCSV($objectToExport) } else { if ($CheckPermanent) { $this.PublishCustomMessage("No permanent assignments found for the current context on the resource for the $($RoleNames -join ', ').", [MessageType]::Warning); } else { $this.PublishCustomMessage("No PIM eligible assignments found for the current context on the resource for the $($RoleNames -join ', ').", [MessageType]::Warning); } } } else { if ($CheckPermanent) { $this.PublishCustomMessage("No permanent assignments found for the provided scope and role. ",[MessageType]::Error) } else { $this.PublishCustomMessage("No PIM eligible assignments found for the provided scope and role.", [MessageType]::Warning); } } } else { $this.PublishCustomMessage( "Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have permissions for the requested operation.", [MessageType]::Error) $this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } } hidden GetRoleSettings($PIMResourceGuid, $RoleName) { } #Activates the user assignment for a role hidden Activate($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $roleName, $Justification, $Duration) { $this.AcquireToken(); $assignments = $this.MyJitAssignments() $resource = $null if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resource = $this.PIMResourceResolver($ManagementGroupId,$true); } else { $resource = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $true) } if(($resource | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resource.ExternalId))) { if (($assignments | Measure-Object).Count -gt 0 ) { $matchingAssignment = $assignments | Where-Object { $_.OriginalId -in $resource.ExternalId -and $_.RoleName -eq $roleName -and $_.AssignmentState -eq 'Eligible' } $matchingAssignment = $matchingAssignment | select -Unique if (($matchingAssignment | Measure-Object).Count -gt 0) { $this.PublishCustomMessage("Requesting activation of your [$($matchingAssignment.RoleName)] role on [$($matchingAssignment.ResourceName)]... ", [MessageType]::Info); $resourceId = $matchingAssignment.ResourceId $roleDefinitionId = $matchingAssignment.RoleId $subjectId = $matchingAssignment.SubjectId $RoleActivationurl = $this.APIroot + "/roleAssignmentRequests " $postParams = '{"roleDefinitionId":"' + $roleDefinitionId + '","resourceId":"' + $resourceId + '","subjectId":"' + $subjectId + '","assignmentState":"Active","type":"UserAdd","reason":"' + $Justification + '","schedule":{"type":"Once","startDateTime":"' + (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") + '","duration":"PT' + $Duration + 'H"},"linkedEligibleRoleAssignmentId":"' + $matchingAssignment.IdGuid + '"}' try{ $response = [WebRequestHelper]::InvokeWebRequest('Post', $RoleActivationurl, $this.headerParams, $postParams, "application/json", $false, $true ) if ($response.StatusCode -eq 201) { $this.PublishCustomMessage("Activation queued successfully. The role(s) should get activated in a few minutes.", [MessageType]::Update); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json if ($err.error.Code -eq "RoleAssignmentRequestAcrsValidationFailed"){ $this.PublishCustomMessage("A Conditional Access policy is enabled for this resource. Your current sign-in does not meet the required criteria.",[MessageType]::Error) } else { $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } } else { $this.PublishCustomMessage("No matching eligible role found for the current context", [MessageType]::Warning) } } else { $this.PublishCustomMessage("No PIM Eligible assignments found for the current context: $($this.AccountId).",[MessageType]::Warning) } } else { $this.PublishCustomMessage( "Unable to find resource on which activation was requested. Make sure you have PIM eligible assignment on the resource.", [MessageType]::Error) #$this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } } #Deactivates the activated assignment for user hidden Deactivate($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $roleName) { $this.AcquireToken(); $assignments = $this.MyJitAssignments() $resource = $null if(($assignments| Measure-Object).Count -gt 0) { $assignments = $assignments|Where-Object { -not [string]::IsNullorEmpty($_.ExpirationDate) } if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resource = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resource = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $false) } if (($assignments | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resource.ExternalId))) { $matchingAssignment = $assignments | Where-Object { $_.OriginalId -eq $resource.ExternalId -and $_.RoleName -eq $roleName -and $_.AssignmentState -eq 'Active' } if (($matchingAssignment | Measure-Object).Count -gt 0) { $this.PublishCustomMessage("Requesting deactivation of your [$($matchingAssignment.RoleName)] role on [$($matchingAssignment.ResourceName)]... ", [MessageType]::Info); $id = $matchingAssignment.IdGuid $resourceId = $matchingAssignment.ResourceId $roleDefinitionId = $matchingAssignment.RoleId $subjectId = $matchingAssignment.SubjectId $deactivationurl = $this.APIroot + "/roleAssignmentRequests " $postParams = '{"roleDefinitionId":"' + $roleDefinitionId + '","resourceId":"' + $resourceId + '","subjectId":"' + $subjectId + '","assignmentState":"Active","type":"UserRemove","linkedEligibleRoleAssignmentId":"' + $id + '"}' try { $response = [WebRequestHelper]::InvokeWebRequest('Post', $deactivationurl, $this.headerParams, $postParams, "application/json", $false, $true ) if ($response.StatusCode -eq '201') { $this.PublishCustomMessage("Deactivation queued successfully. The role(s) should get deactivated in a few minutes.", [MessageType]::Update); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } } else { $this.PublishCustomMessage("No active assignments found for the current context.", [MessageType]::Warning); } } else { $this.PublishCustomMessage("No active assignments found for the current context.", [MessageType]::Warning); } } else { $this.PublishCustomMessage("No PIM Eligible assignments found for the current context: $($this.AccountId).",[MessageType]::Warning) } } #Assign a user to Eligible Role hidden AssignExtendPIMRoleForUser($ManagementGroupId, $subscriptionId, $resourcegroupName, $resourceName, $roleName, $PrincipalName, $duration,$isExtensionRequest, $force, $isRemoveAssignmentRequest, $assignmentType) { $this.AcquireToken(); $PrincipalName = $this.ConvertToStringArray($PrincipalName); $resolvedResources = $null; if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resolvedResources = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resolvedResources = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $false) } if (($resolvedResources | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resolvedResources.ResourceId))) { # if there is same resource name inside and rg for multiple resources, we follow the AzSK standard approach to assign role on both resources foreach($resolvedResource in $resolvedResources) { $resourceId = $resolvedResource.ResourceId $roleDefinitionId ="" $roles = $this.ListRoles($resourceId) try { $roleDefinitionId = ($roles | Where-Object { $_.RoleName -eq $RoleName }).RoleDefinitionId } catch { $this.PublishCustomMessage("Unable to find matching role. Please verify the role name provided is correct.",[MessageType]::Error) return; } $users = @(); $subjectId = @(); $PrincipalName | ForEach-Object{ try { $users += Get-AzADUser -UserPrincipalName $_ if(($users | Measure-Object).Count -eq 0) { $users += Get-AzADGroup -DisplayName $_ } $subjectId +=$users.Id } catch { $this.PublishCustomMessage("Unable to find provided UPN. If it corresponds to an AD group, use Display name instead of principal name", [MessageType]::Warning) return; } } if (($subjectId | Measure-Object).Count -lt 0) { $this.PublishCustomMessage("Unable to fetch details of the principal name provided.", [MessageType]::Error) return; } #"If" block will exceute when -ExtendExpiringAssignments parameter is used if($isExtensionRequest) { $roleAssignments = $this.ListAssignmentsWithFilter($resourceId, $false) if(($roleAssignments| Measure-Object).Count -gt 0) { $roleAssignments = $roleAssignments | Where-Object{$_.SubjectId -in $subjectId -and $_.RoleName -eq $roleName -and $_.MemberType -ne 'Inherited'} if(($roleAssignments| Measure-Object).Count -gt 0) { $urlrole = $this.APIroot+"/roleSettingsV2?`$expand=resource,roleDefinition(`$expand=resource)&`$filter=(resource/id+eq+%27$($resourceId)%27)+and+(roleDefinition/id+eq+%27$($roleAssignments[0].RoleId)%27)" $rolesettings = [WebRequestHelper]::InvokeWebRequest("Get", $urlrole, $this.headerParams, $null, [string]::Empty, $false, $false ) $maxAllowedDays = ((($($($($rolesettings.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Eligible'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes)/60)/24 $roleAssignments | ForEach-Object{ $days= $DurationInDays [DateTime]$startDate = $_.ExpirationDate $extendedDate = (($startDate).AddDays($DurationInDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")) $activeForDays = [math]::Round((([DateTime]$startDate).ToUniversalTime().Subtract([DateTime](get-date).ToUniversalTime())).TotalDays) if($extendedDate -gt ((get-date).AddDays($maxAllowedDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) { $days = $maxAllowedDays $extendedDate = ((get-date).AddDays($maxAllowedDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")) } $url = $this.APIroot +"/roleAssignmentRequests " $postParams = '{"roleDefinitionId":"'+ $_.RoleId+'","resourceId":"'+$_.ResourceId+'","subjectId":"'+ $_.SubjectId+'","assignmentState":"Eligible","type":"AdminExtend","reason":"Admin Extend by '+$this.AccountId+'","schedule":{"type":"Once","startDateTime":"'+ ((get-date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))+'","endDateTime":"'+($extendedDate)+'"}}' $this.PublishCustomMessage("Requesting assignment extension for [$($_.PrincipalName)] by $days days...") if(($null -ne $startDate) -and ($activeForDays -ne $maxAllowedDays)){ try { $extresponse = [WebRequestHelper]::InvokeWebRequest('Post', $url, $this.headerParams, $postParams, "application/json", $false, $true ) if ($extresponse.StatusCode -eq 201) { $this.PublishCustomMessage("Assignment extension request for [$($_.PrincipalName)] for the [$RoleName] role on [$($_.ResourceName)] queued successfully.", [MessageType]::Update); } elseif ($extresponse.StatusCode -eq 401) { $this.PublishCustomMessage("You are not eligible to assign a role. If you have recently elevated/activated your permissions, please run Connect-AzAccount and re-run the script.", [MessageType]::Error); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } $this.PublishCustomMessage(""); } else{ $this.PublishCustomMessage("Assignment of [$($_.PrincipalName)] for the [$($_.RoleName)] role is already set to its maximum limit.", [MessageType]::Warning); $this.PublishCustomMessage(""); } } } else { $this.PublishCustomMessage("No PIM eligible roles found for the principalName(s) provided",[MessageType]::Warning) } } else { $this.PublishCustomMessage("No PIM eligible roles found on the resource",[MessageType]::Warning) } } #"ElseIf" block will exceute when -RemoveRole parameter is used elseif ($isRemoveAssignmentRequest) { $userResp = '' $users | ForEach-Object{ $this.PublishCustomMessage(($_ | Format-Table -AutoSize -Wrap -Property UserPrincipalName, DisplayName | Out-String), [MessageType]::Default) if(!$Force) { Write-Host "The above PIM eligible assignments will be removed. `nPlease confirm (Y/N): " -ForegroundColor Yellow -NoNewline $userResp = Read-Host } if ($userResp -eq 'y' -or $Force) { $url = $this.APIroot + "/roleAssignmentRequests" $postParams = '{"assignmentState":"Eligible","type":"AdminRemove","roleDefinitionId":"' + $roleDefinitionId + '","scopedResourceId": null ,"resourceId":"' + $resourceId + '","subjectId":"' + $_.Id + '"}' $this.PublishCustomMessage("Initiating removal of assignment on [$($resolvedResource.ResourceName)] for [$RoleName] role...") $this.PublishCustomMessage([Constants]::SingleDashLine) try{ $response = [WebRequestHelper]::InvokeWebRequest('Post', $url, $this.headerParams, $postParams, "application/json", $false, $true ) if ($response.StatusCode -eq 201) { $this.PublishCustomMessage("Assignment removal request queued successfully.", [MessageType]::Update); } elseif ($response.StatusCode -eq 401) { $this.PublishCustomMessage("You are not eligible to revoke a role. If you have recently elevated/activated your permissions, please run Connect-AzAccount and re-run the script.", [MessageType]::Error); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } $this.PublishCustomMessage([Constants]::SingleDashLine) $this.PublishCustomMessage(""); } } } #"Else" block will exceute when -AssignRole parameter is used else { $users | ForEach-Object{ $url = $this.APIroot + "/roleAssignmentRequests" $ts = New-TimeSpan -Days $duration #Assign Role based on selected Assignment Type (Eligible by default) if($assignmentType -eq "Active") { $assignmentState = "Active" #AssignmentState is case sensitive in request body } else{ $assignmentState = 'Eligible' #AssignmentState is Eligible by default } $postParams = '{"assignmentState":"' + $assignmentState + '","type":"AdminAdd","reason":"Assign","roleDefinitionId":"' + $roleDefinitionId + '","resourceId":"' + $resourceId + '","subjectId":"' + $_.Id + '","schedule":{"startDateTime":"' + (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") + '","endDateTime":"' + ((get-date) + $ts).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") + '","type":"Once"}}' $this.PublishCustomMessage("Requesting assignment on [$($resolvedResource.ResourceName)] for [$RoleName] role...") try{ $response = [WebRequestHelper]::InvokeWebRequest('Post', $url, $this.headerParams, $postParams, "application/json", $false, $true ) if ($response.StatusCode -eq 201) { $this.PublishCustomMessage("Assignment request queued successfully.", [MessageType]::Update); $this.PublishCustomMessage(""); } elseif ($response.StatusCode -eq 401) { $this.PublishCustomMessage("You are not eligible to assign a role. If you have recently elevated/activated your permissions, please run Connect-AzAccount and re-run the script.", [MessageType]::Error); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } $this.PublishCustomMessage(""); } } } } else { $this.PublishCustomMessage( "Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have permissions for assigning a role on it.", [MessageType]::Error) $this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } } hidden ListMyEligibleRoles() { $assignments = $this.MyJitAssignments() | Sort-Object -Property ResourceName,AssignmentState if (($assignments | Measure-Object).Count -gt 0) { $this.PublishCustomMessage("Your eligible role assignments:", [MessageType]::Default) $this.PublishCustomMessage(""); $this.PublishCustomMessage([Constants]::SingleDashLine, [MessageType]::Default) $this.PublishCustomMessage(($assignments | Format-Table -Wrap @{Label = "ResourceId"; Expression = { $_.OriginalId }; Width =52}, ResourceName, RoleName, ResourceType, AssignmentState, ExpirationDate | Out-String), [MessageType]::Default) $this.PublishCustomMessage([Constants]::SingleDashLine, [MessageType]::Default) $this.PublishCustomMessage(""); $objectToExport = $assignments | Select-Object @{Label = "ResourceId"; Expression = { $_.OriginalId } }, ResourceName, ResourceType, RoleName, AssignmentState $this.ExportCSV($objectToExport) } else { $this.PublishCustomMessage("No PIM Eligible assignments found for the current context: $($this.AccountId).",[MessageType]::Warning) } } # Below method is intended to assign equivalent PIM eligible roles for permanent assignments for a given role on a particular resource hidden AssignPIMforPermanentAssignemnts($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleNames, $DurationInDays, $PrincipalNames, $Force) { $principalTransitioned = @(); $resolvedResource = $null; if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resolvedResource = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resolvedResource = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $false) } if (($resolvedResource | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resolvedResource.ResourceId))) { $resourceId = $resolvedResource.ResourceId $roles = $this.ListRoles($resourceId) $roles = ($roles | Where-Object { $_.RoleName -in $($RoleNames.split(",").Trim()) }) $CriticalRoles = $roles.RoleName $this.PublishCustomMessage("Fetching permanent assignment for [$(($criticalRoles) -join ", ")] role on $($resolvedResource.Type) [$($resolvedResource.ResourceName)]...",[MessageType]::Info) $permanentRoles = $this.ListAssignmentsWithFilter($resourceId, $true) $permanentRolesForTransition = @(); if (($permanentRoles | Measure-Object).Count -gt 0) { $permanentRoles = $permanentRoles | Where-Object { ($_.SubjectType -eq 'User' -or $_.SubjectType -eq 'Group' )-and $_.MemberType -ne 'Inherited' -and $_.RoleName -in $CriticalRoles } if(($PrincipalNames | Measure-Object).Count -gt 0) # checking if assignment only for certain UPNs are to be removed { $principalNames = $principalNames.Split(',').Trim() $permanentRolesForTransition += $permanentRoles | Where-Object {$_.PrincipalName -in $principalNames} if( ($permanentRolesForTransition | Measure-Object).Count -eq 0) { $this.PublishCustomMessage("Unable to find matching permanent assignments for the principal names provided in `$PrincipalNames parameter.",[MessageType]::Warning) return; } } else { $permanentRolesForTransition += $permanentRoles } if (($permanentRolesForTransition | Measure-Object).Count -gt 0) { $ToContinue = '' if(!$Force) { $this.PublishCustomMessage($($permanentRolesForTransition | Format-Table -AutoSize -Wrap PrincipalName, ResourceName, SubjectType, ResourceType, RoleName | Out-String), [MessageType]::Default) $this.PublishCustomMessage(""); Write-Host "The above role assignments will be moved from 'permanent' to 'PIM'. `nPlease confirm (Y/N): " -ForegroundColor Yellow -NoNewline $ToContinue = Read-Host } if ($ToContinue -eq 'y' -or $Force) { $Assignmenturl = $this.APIroot + "/roleAssignmentRequests" $roles = $this.ListRoles($resourceId) $ts = $DurationInDays; $totalPermanentAssignments = ($permanentRolesForTransition | Measure-Object).Count $this.PublishCustomMessage("Initiating PIM assignment for [$totalPermanentAssignments] permanent assignments..."); #TODO: Check the color $i = 1 $permanentRolesForTransition | ForEach-Object { $roleName = $_.RoleName $roleDefinitionId = ($roles | Where-Object { $_.RoleName -eq $roleName }).RoleDefinitionId $subjectId = $_.SubjectId $PrincipalName = $_.PrincipalName $postParams = '{"assignmentState":"Eligible","type":"AdminAdd","reason":"Assign","roleDefinitionId":"' + $roleDefinitionId + '","resourceId":"' + $resourceId + '","subjectId":"' + $subjectId + '","schedule":{"startDateTime":"' + (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") + '","endDateTime":"' + ((get-date).AddDays($ts).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")) + '","type":"Once"}}' $this.PublishCustomMessage([Constants]::SingleDashLine) try{ $response = Invoke-WebRequest -UseBasicParsing -Headers $this.headerParams -Uri $Assignmenturl -Method Post -ContentType "application/json" -Body $postParams if ($response.StatusCode -eq 201) { $this.PublishCustomMessage("[$i`/$totalPermanentAssignments] Successfully requested PIM assignment for [$PrincipalName]", [MessageType]::Update); $principalTransitioned += $PrincipalName } $this.PublishCustomMessage([Constants]::SingleDashLine) } catch { $err = $_ | ConvertFrom-Json if ($err.error.code -eq "RoleAssignmentExists") { $this.PublishCustomMessage("[$i`/$totalPermanentAssignments] PIM Assignment for [$PrincipalName] already exists.", [MessageType]::Warning) $principalTransitioned += $PrincipalName } else { $this.PublishCustomMessage("[$i`/$totalPermanentAssignments] $($err.error.message)", [MessageType]::Error) } } $i++; }#foreach [string] $cmdmsg = "To remove the permanent assignments, please run `n setpim -RemovePermanentAssignments" if([string]::IsNullOrEmpty($ManagementGroupId)) { $cmdmsg += " -SubscriptionId $SubscriptionId" if(-not [string]::IsNullOrEmpty($ResourceGroupName)) { $cmdmsg += " -ResourceGroupName $ResourceGroupName "} if(-not [string]::IsNullOrEmpty($ResourceName)) { $cmdmsg += " -ResourceName $ResourceName "} } else { $cmdmsg += " -ManagementGroupId $ManagementGroupId " } $cmdmsg += '-RoleNames "'+($Rolenames)+ '"' if(-not [string]::IsNullOrEmpty($PrincipalNames)) {$cmdmsg += '-PrincipalNames "'+($principalTransitioned -join ', ')+ '"'} $this.PublishCustomMessage("") $this.PublishCustomMessage("This command will assign equivelant eligible role assignments for the above permanent assignments. $cmdmsg", [MessageType]::Warning) } else { return; } } else { $this.PublishCustomMessage("No permanent assignments eligible for PIM assignment found.", [MessageType]::Warning); } } else { $this.PublishCustomMessage("No permanent assignments found on the requested resource.", [MessageType]::Warning); } } else { $this.PublishCustomMessage( "Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have permissions for assigning a role on it.", [MessageType]::Error) $this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } } # Remove permanent assignments for a particular role on a given resource hidden RemovePermanentAssignments($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleNames, $RemoveAssignmentFor, $PrincipalNames, $Force) { $this.AcquireToken(); $resolvedResource = $null; if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resolvedResource = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resolvedResource = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $false) } if($null -ne $resolvedResource -and (-not [String]::IsNullOrEmpty($resolvedResource.ResourceId))) { $resourceId = ($resolvedResource).ResourceId $users = @(); $CriticalRoles = $RoleNames.split(",").Trim() $this.PublishCustomMessage("Note: This command will *not* remove your permanent assignment if one exists.", [MessageType]::Warning) $this.PublishCustomMessage("Fetching permanent assignment for [$(($criticalRoles) -join ", ")] role on $($resolvedResource.Type) [$($resolvedResource.ResourceName)]...", [MessageType]::Info) $permanentRoles = $this.ListAssignmentsWithFilter($resourceId, $true) $eligibleAssignments = $this.ListAssignmentsWithFilter($resourceId, $false) $eligibleAssignments = $eligibleAssignments | Where-Object { ($_.SubjectType -eq 'User' -or $_.SubjectType -eq 'Group') -and $_.MemberType -ne 'Inherited' -and $_.RoleName -in $CriticalRoles } if (($permanentRoles | Measure-Object).Count -gt 0) { $permanentRolesForTransition = $permanentRoles | Where-Object {($_.SubjectType -eq 'User' -or $_.SubjectType -eq 'Group') -and $_.MemberType -ne 'Inherited' -and $_.RoleName -in $CriticalRoles } $successfullyassignedRoles = @(); $currentContext = [ContextHelper]::GetCurrentRmContext(); $permanentRolesForTransition = $permanentRolesForTransition | Where-Object { $_.PrincipalName -ne $currentContext.Account.Id } if(($PrincipalNames |Measure-Object).Count -gt 0) # checking if assignment only for certain UPNs are to be removed { $PrincipalNames = $PrincipalNames.Split(',').Trim() $permanentRolesForTransition = $permanentRolesForTransition | Where-Object{$_.PrincipalName -in $PrincipalNames} if( ($permanentRolesForTransition | Measure-Object).Count -eq 0) { $this.PublishCustomMessage("Permanent assignments matching with principal names provided in `$PrincipalNames parameter are not found.",[MessageType]::Warning) return; } } if ($RemoveAssignmentFor -ne "AllExceptMe") { $eligibleAssignments | ForEach-Object { $allUser = $_; $permanentRolesForTransition | ForEach-Object { if ($_.SubjectId -eq $allUser.SubjectId -and $_.RoleName -eq $allUser.RoleName) { $successfullyassignedRoles += $_ } } } $users = $successfullyassignedRoles } else { $users = $permanentRolesForTransition } } else { $this.PublishCustomMessage("No PIM eligible assignments found on the requested resource.", [MessageType]::Warning); } if (($users | Measure-Object).Count -gt 0) { $userResp = '' $totalRemovableAssignments = ($users | Measure-Object).Count if(!$Force) { $this.PublishCustomMessage($($users | Format-Table -AutoSize -Wrap -Property PrincipalName, RoleName, OriginalId | Out-String), [MessageType]::Default) Write-Host "The above listed role assignments will be removed. `nPlease confirm (Y/N): " -ForegroundColor Yellow -NoNewline $userResp = Read-Host } if ($userResp -eq 'y' -or $Force) { $i = 0 $this.PublishCustomMessage("Initiating removal of [$totalRemovableAssignments] permanent assignments...") # Remove permanent assignments of specified roles, at the specified scope foreach ($user in $users) { try { $i++; $this.PublishCustomMessage([Constants]::SingleDashLine); Remove-AzRoleAssignment -ObjectId $user.SubjectId -RoleDefinitionName $user.RoleName -Scope $user.OriginalId -ErrorAction Stop $this.PublishCustomMessage("[$i`/$totalRemovableAssignments]Successfully removed permanent assignment", [MessageType]::Update ) $this.PublishCustomMessage([Constants]::SingleDashLine); } catch { # This code block is to capture any exception while removing role assignment at a specified scope # If exception is captured, stop the command after printing the error message if ([Helpers]::CheckMember($_.Exception, "Response.StatusCode") -and $_.Exception.Response.StatusCode -eq '403') { # Authorization denied exception $this.PublishCustomMessage("[$i`/$totalRemovableAssignments] You do not have the authorization to delete role assignments or the scope is invalid. If access was recently granted, please refresh your credentials.", [MessageType]::Error) } else { # Other exception $this.PublishCustomMessage("[$i`/$totalRemovableAssignments] $($_.Exception.Message)", [MessageType]::Error) } break; } } #foreach end } } else { $this.PublishCustomMessage("No permanent assignments found for the scope.", [MessageType]::Warning) } } else { $this.PublishCustomMessage( "Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have active permissions for the assignment removal", [MessageType]::Error) $this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } } # Get the assignments that are expiring in n days hidden [PSObject] ListSoonToExpireAssignments($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleNames, $ExpiringInDays) { $this.AcquireToken(); $criticalRoles = @(); $soonToExpireAssignments = @(); $criticalRoles += $this.ConvertToStringArray($RoleNames) $resources = $null; if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resources = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resources = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $false) } if(($resources | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resources.ResourceId))) { $roleAssignments = $this.ListAssignmentsWithFilter($resources.ResourceId, $false) $roleAssignments = $roleAssignments | Where-Object{($_.SubjectType -eq 'User' -or $_.SubjectType -eq 'Group') -and $_.memberType -ne 'Inherited' -and -not([string]::IsNullOrEmpty($_.ExpirationDate))} if(($roleAssignments | Measure-Object).Count -gt 0) { [int]$soonToExpireWindow = $ExpiringInDays; $soonToExpireAssignments += $roleAssignments | Where-Object {([DateTime]::UTCNow).AddDays($soonToExpireWindow) -gt $_.ExpirationDate -and $_.RoleName -in $criticalRoles -and $_.AssignmentState -eq 'Eligible'} if(($soonToExpireAssignments| Measure-Object).Count -gt 0) { $this.PublishCustomMessage($($soonToExpireAssignments | Sort-Object -Property ExpirationDate | Format-Table -Wrap 'SubjectId', 'PrincipalName', 'SubjectType','RoleName', @{Label = "ExpiringInDays"; Expression = { [math]::Round((([DateTime]$_.ExpirationDate).ToUniversalTime().Subtract([DateTime](get-date).ToUniversalTime())).TotalDays) } } | Out-String), [MessageType]::Default) $objectToExport = $soonToExpireAssignments | Select-Object RoleName, PrincipalName, UserName, ResourceType, ResourceName, SubjectType, AssignmentState, IsPermanent, @{Label = "ExpiringInDays"; Expression = { [math]::Round((([DateTime]$_.ExpirationDate).ToUniversalTime().Subtract([DateTime](get-date).ToUniversalTime())).TotalDays) } } $this.ExportCSV($objectToExport) } else { $this.PublishCustomMessage("No assignment found for `"$($criticalRoles -join ", ")`" role expiring in $ExpiringInDays days. ",[MessageType]::Error) } } else { $this.PublishCustomMessage("No eligible assignments found for the provided scope and role. ",[MessageType]::Error) } } else { $this.PublishCustomMessage( "Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have permissions for assigning a role on it", [MessageType]::Error) $this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } return $soonToExpireAssignments } # Extend assignments for roles by n days from expiration date hidden [void] ExtendSoonToExpireAssignments($managementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleName, $ExpiringInDays, $DurationInDays, $force) { $soonToExpireAssignments = @(); if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $soonToExpireAssignments = $this.ListSoonToExpireAssignments($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleName, $ExpiringInDays); } else { $soonToExpireAssignments = $this.ListSoonToExpireAssignments($null, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleName, $ExpiringInDays); } $AssignmentCount = ($soonToExpireAssignments | Measure-Object).Count if($AssignmentCount -gt 0) { $ts =$DurationInDays $url = $this.APIroot +"/roleAssignmentRequests " # get maximum number of days an assigment $urlrole = $this.APIroot+"/roleSettingsV2?`$expand=resource,roleDefinition(`$expand=resource)&`$filter=(resource/id+eq+%27$($soonToExpireAssignments[0].ResourceId)%27)+and+(roleDefinition/id+eq+%27$($soonToExpireAssignments[0].RoleId)%27)" $rolesettings = [WebRequestHelper]::InvokeWebRequest("Get", $urlrole, $this.headerParams, $null, [string]::Empty, $false, $false ) $maxAllowedDays= ((($($($($roleSettings.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Eligible'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes)/60)/24 # If force switch is used extend to expire without any prompt $this.PublishCustomMessage(""); $this.PublishCustomMessage("Initiating assignment extension for [$AssignmentCount] PIM assignments..."); #TODO: Check the color $UserResponse = 'N' [int] $i =1 $soonToExpireAssignments | ForEach-Object{ if(-not $force) { $this.PublishCustomMessage(""); $this.PublishCustomMessage([Constants]::SingleDashLine, [MessageType]::Default) Write-Host "[$i/$AssignmentCount] Do you want to extend assignment for [$($_.PrincipalName)]? `nPlease confirm (Y/N): " -ForegroundColor Yellow -NoNewline #TODO: Check the color $UserResponse = Read-Host } else { $this.PublishCustomMessage(""); $this.PublishCustomMessage([Constants]::SingleDashLine); $this.PublishCustomMessage("[$i/$AssignmentCount] Requesting assignment extension for [$($_.PrincipalName)] by $DurationInDays days",[MessageType]::Default) } if($force -or ($UserResponse -eq 'Y')) { [DateTime]$startDate = $_.ExpirationDate $activeForDays = [math]::Round((([DateTime]$startDate).ToUniversalTime().Subtract([DateTime](get-date).ToUniversalTime())).TotalDays) #If Block executes for the condition when Assignment days of User are less than Maximum Assignment Days for the Role if(($null -ne $startDate) -and ($activeForDays -ne $maxAllowedDays)) { $extendedDate = (($startDate).AddDays($ts).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")) if($extendedDate -gt ((get-date).AddDays($maxAllowedDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) { $extendedDate = ((get-date).AddDays($maxAllowedDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")) } $postParams = '{"roleDefinitionId":"'+ $_.RoleId+'","resourceId":"'+$_.ResourceId+'","subjectId":"'+ $_.SubjectId+'","assignmentState":"Eligible","type":"AdminExtend","reason":"Admin Extend by '+$this.AccountId+'","schedule":{"type":"Once","startDateTime":"'+ ((get-date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))+'","endDateTime":"'+($extendedDate)+'"}}' try{ $response = [WebRequestHelper]::InvokeWebRequest('Post', $url, $this.headerParams, $postParams, "application/json", $false, $true ) if ($response.StatusCode -eq 201) { $this.PublishCustomMessage("[$i/$AssignmentCount] Assignment extension request for [$($_.PrincipalName)] for the [$($_.RoleName)] role queued successfully.", [MessageType]::Update); } elseif ($response.StatusCode -eq 401) { $this.PublishCustomMessage("You are not eligible to extend a role. If you have recently elevated/activated your permissions, please run Connect-AzAccount and re-run the script.", [MessageType]::Error); } else { $this.PublishCustomMessage($response, [MessageType]::Error); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } } else # To notify user that Assignment of User is already equal to maximum Assignment for the Role { $this.PublishCustomMessage("Assignment of [$($_.PrincipalName)] for the [$($_.RoleName)] role is already set to its maximum limit.") } } ++$i; } }# in case no assignments it would error while fetching } # configure PIM role settings for a particular role on a resource hidden [void] ConfigureRoleSettings($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleName, $RoleSettingsRawInput, $RequireMFAOnActivation,$RequireConditionalAccessOnActivation) { # 1) get PIM resource id for the resource provided $resolvedResource = $null; if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resolvedResource = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resolvedResource = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName, $false) } # 2) get PIM identifier for the particular role on resource identified in 1 if (($resolvedResource | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resolvedResource.ResourceId))) { $roleforResource = @($this.ListRoles($resolvedResource.ResourceId)) | Where-Object {$_.RoleName -eq $RoleName} # 3) Get json object for role setting $rolesettings = [string]::Empty if(($roleforResource|Measure-Object).Count -gt 0) { try { $url = $this.APIroot+"/roleSettingsV2?`$expand=resource,roleDefinition(`$expand=resource)&`$filter=(resource/id+eq+%27$($resolvedResource.ResourceId)%27)+and+(roleDefinition/id+eq+%27$($roleforResource.RoleDefinitionId)%27)" $rolesettings = [WebRequestHelper]::InvokeWebRequest("Get", $url, $this.headerParams, $null, [string]::Empty, $false, $false ) } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage("Unable to retrieve existing role settings for provided role. Please verify you have required permissions to view requested role for the given scope.", [MessageType]::Error) } return } $existingroleSetting = $rolesettings $RequireJustificationOnActivation = $null; # 4) Modify the role settings obtained above by the parameters passed in cmdlet if( [string]::IsNullOrEmpty($RoleSettingsRawInput.RequireJustificationOnActivation)){ $RequireJustificationOnActivation = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'JustificationRule'}).setting | ConvertFrom-Json).required } else { $RequireJustificationOnActivation = $RoleSettingsRawInput.RequireJustificationOnActivation } if( [string]::IsNullOrEmpty($RequireMFAOnActivation)){ $RequireMFAOnActivation = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'MfaRule'}).setting | ConvertFrom-Json).mfaRequired } $MaximumActivationDuration = $null; $ExpireEligibleAssignmentsAfter = $null; $MaxActivationDurationConstant = 60 #To convert hours to minutes $ExpireEligibleAssignmentsAfterConstant = 24*60 #To convert days to minutes $isPermanentAdminEligible = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Eligible'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).permanentAssignment $isPermanentuserMember = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).permanentAssignment if($RoleSettingsRawInput.MaximumActivationDuration -eq -1) { $MaximumActivationDuration = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes } else { $MaximumActivationDuration = $RoleSettingsRawInput.MaximumActivationDuration*$MaxActivationDurationConstant } if($RoleSettingsRawInput.ExpireEligibleAssignmentsAfter -eq -1) { $ExpireEligibleAssignmentsAfter = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Eligible'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes } else { $ExpireEligibleAssignmentsAfter =$RoleSettingsRawInput.ExpireEligibleAssignmentsAfter*$ExpireEligibleAssignmentsAfterConstant } $ExpireActiveAssignmentsAfter = $null; if($RoleSettingsRawInput.ExpireActiveAssignmentsAfter -eq -1){ $ExpireActiveAssignmentsAfter = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes } else{ # converting input duration into minutes $ExpireActiveAssignmentsAfter = $RoleSettingsRawInput.ExpireActiveAssignmentsAfter*$ExpireEligibleAssignmentsAfterConstant } $RequireMFAOnActiveAssignment = $null; if( [string]::IsNullOrEmpty($RoleSettingsRawInput.RequireMFAOnActiveAssignment)){ $RequireMFAOnActiveAssignment = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'MfaRule'}).setting | ConvertFrom-Json).mfaRequired } else{ $RequireMFAOnActiveAssignment =$RoleSettingsRawInput.RequireMFAOnActiveAssignment } $RequireJustificationOnActiveAssignment = $null; if( [string]::IsNullOrEmpty($RoleSettingsRawInput.RequireJustificationOnActiveAssignment)){ $RequireJustificationOnActiveAssignment = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'JustificationRule'}).setting | ConvertFrom-Json).required } else{ $RequireJustificationOnActiveAssignment =$RoleSettingsRawInput.RequireJustificationOnActiveAssignment } # Check for the conditional policy enforcement in Org settings, if applied to accordingly $roleSettingId = $existingroleSetting.id $policyString = [string]::Empty $policyTag= [string]::Empty $setFlag = $false #flag to identify if both $RequireConditionalAccessOnActivation and $RequireMFAOnActivation to remain unchanged if ($RequireConditionalAccessOnActivation -eq $false -and $RequireMFAOnActivation -eq $false){ $setFlag = $true $RequireConditionalAccessOnActivation = $null $RequireMFAOnActivation = $null } if($setFlag -eq $false) { if($null -ne $RequireConditionalAccessOnActivation) { if($RequireConditionalAccessOnActivation) { if([Helpers]::CheckMember($this.ControlSettings,"PIMCAPolicyTags")) { $policyTag = $this.ControlSettings.PIMCAPolicyTags } else { $this.PublishCustomMessage("Error: Conditional Access policy tag was not found.",[MessageType]::Error) $this.PublishCustomMessage("This could happen because DevOps Kit is not configured with the correct org policy. Make sure you install DevOps Kit using the correct `"iwr`" command for your organization. ", [MessageType]::Warning) return } $policyString= '{"ruleIdentifier":"AcrsRule","setting":"{\"acrsRequired\":true,\"acrs\":\"'+$policyTag+'\"}"}' } else { $policyString= '{"ruleIdentifier":"AcrsRule","setting":"{\"acrsRequired\":false,\"acrs\":\"'+$policyTag+'\"}"}' } } if($null -ne $RequireMFAOnActivation) { if($RequireMFAOnActivation) { # TODO: if we turn on MFA on activation CA policy cannot be simultaneously applied. Need to check if the API still throws the error $policyString= '' } } } # 5) Create json body for patch request $body="" $updateUrl="" if(-not [string]::IsNullOrEmpty($policyString)) { $body= '{"id": "'+$roleSettingId+'","lifeCycleManagement": [{"caller":"Admin","level":"Eligible","operation": "ALL","value":[{"ruleIdentifier":"ExpirationRule","setting":"{\"permanentAssignment\":'+$isPermanentAdminEligible+',\"maximumGrantPeriodInMinutes\":'+$ExpireEligibleAssignmentsAfter+'}"}]},{"caller": "EndUser","level": "Member","operation": "ALL","value":[{"ruleIdentifier":"ExpirationRule","setting":"{\"permanentAssignment\":'+$isPermanentuserMember+',\"maximumGrantPeriodInMinutes\":'+$MaximumActivationDuration+'}"},{"ruleIdentifier":"MfaRule","setting":"{\"mfaRequired\":'+$false+'}"},{"ruleIdentifier":"JustificationRule","setting":"{\"required\":'+$RequireJustificationOnActivation+'}"},'+$policyString+']}, {"caller":"Admin","level":"Member","operation": "ALL","value":[{"ruleIdentifier": "ExpirationRule","setting": "{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":'+$ExpireActiveAssignmentsAfter+'}"},{"ruleIdentifier": "MfaRule","setting": "{\"mfaRequired\":'+$RequireMFAOnActiveAssignment+'}"},{"ruleIdentifier": "JustificationRule","setting": "{\"required\":'+ $RequireJustificationOnActiveAssignment+'}"}]}],"roleDefinition":{"id":"'+$rolesettings.roleDefinitionId+'"}}' } else { if($setFlag) { $body='{"id": "'+$roleSettingId+'","lifeCycleManagement": [{"caller":"Admin","level":"Eligible","operation": "ALL","value":[{"ruleIdentifier":"ExpirationRule","setting":"{\"permanentAssignment\":'+$isPermanentAdminEligible+',\"maximumGrantPeriodInMinutes\":'+$ExpireEligibleAssignmentsAfter+'}"}]},{"caller": "EndUser","level": "Member","operation": "ALL","value":[{"ruleIdentifier":"ExpirationRule","setting":"{\"permanentAssignment\":'+$isPermanentuserMember+',\"maximumGrantPeriodInMinutes\":'+$MaximumActivationDuration+'}"},{"ruleIdentifier":"JustificationRule","setting":"{\"required\":'+$RequireJustificationOnActivation+'}"}]}, {"caller":"Admin","level":"Member","operation": "ALL","value":[{"ruleIdentifier": "ExpirationRule","setting": "{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":'+$ExpireActiveAssignmentsAfter+'}"},{"ruleIdentifier": "MfaRule","setting": "{\"mfaRequired\":'+$RequireMFAOnActiveAssignment+'}"},{"ruleIdentifier": "JustificationRule","setting": "{\"required\":'+ $RequireJustificationOnActiveAssignment+'}"}]}],"roleDefinition":{"id":"'+$rolesettings.roleDefinitionId+'"}}' } else { $body='{"id": "'+$roleSettingId+'","lifeCycleManagement": [{"caller":"Admin","level":"Eligible","operation": "ALL","value":[{"ruleIdentifier":"ExpirationRule","setting":"{\"permanentAssignment\":'+$isPermanentAdminEligible+',\"maximumGrantPeriodInMinutes\":'+$ExpireEligibleAssignmentsAfter+'}"}]},{"caller": "EndUser","level": "Member","operation": "ALL","value":[{"ruleIdentifier":"ExpirationRule","setting":"{\"permanentAssignment\":'+$isPermanentuserMember+',\"maximumGrantPeriodInMinutes\":'+$MaximumActivationDuration+'}"},{"ruleIdentifier":"MfaRule","setting":"{\"mfaRequired\":'+$RequireMFAOnActivation+'}"},{"ruleIdentifier":"JustificationRule","setting":"{\"required\":'+$RequireJustificationOnActivation+'}"}]}, {"caller":"Admin","level":"Member","operation": "ALL","value":[{"ruleIdentifier": "ExpirationRule","setting": "{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":'+$ExpireActiveAssignmentsAfter+'}"},{"ruleIdentifier": "MfaRule","setting": "{\"mfaRequired\":'+$RequireMFAOnActiveAssignment+'}"},{"ruleIdentifier": "JustificationRule","setting": "{\"required\":'+ $RequireJustificationOnActiveAssignment+'}"}]}],"roleDefinition":{"id":"'+$rolesettings.roleDefinitionId+'"}}' } } $updateUrl = $this.APIroot+"/roleSettingsV2/$roleSettingId" $body = $body -replace "True" ,"true" # the api does not accept "True" so need to lower the casing $body = $body -replace "False", "false" try { $result = [WebRequestHelper]::InvokeWebRequest('PATCH', $updateUrl, $this.headerParams, $body, "application/json", $false, $true ) if($result.StatusCode -eq 204) { $this.PublishCustomMessage( "Updation request for [$rolename] role setting queued successfully. ", [MessageType]::Update) } elseif ($result.StatusCode -eq 401) { $this.PublishCustomMessage("You are not eligible to configure role settings. If you have recently elevated/activated your permissions, please run Connect-AzAccount and re-run the script.", [MessageType]::Error); } else { $this.PublishCustomMessage($result, [MessageType]::Error); } } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage($_.Exception, [MessageType]::Error) } } } else { $this.PublishCustomMessage( "Unable to find role on which configuration was requested. Either the role does not exist or you may not have sufficient permissions.", [MessageType]::Warning) } } else { $this.PublishCustomMessage( "Unable to find resource on which role configuration was requested. Either the resource does not exist or you may not have permissions for configuring role settings on it", [MessageType]::Error) $this.DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) } } hidden [void] ExportCSV($exportObject) { $assignmentsCSV = New-Object -TypeName WriteCSVData $assignmentsCSV.FileName = 'SecurityReport-' + $this.RunIdentifier $assignmentsCSV.FileExtension = 'csv' $assignmentsCSV.FolderPath = '' $assignmentsCSV.MessageData = $exportObject $this.PublishAzSKRootEvent([AzSKRootEvent]::WriteCSV, $assignmentsCSV); } hidden [void] DisplayActivationHelpMessage($ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName) { [string] $cmdmsg = "" if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $cmdmsg = "-ManagementGroupId $ManagementGroupId" } else { $cmdmsg += "-SubscriptionId $SubscriptionId" if(-not [string]::IsNullOrEmpty($ResourceGroupName)) { $cmdmsg += " -ResourceGroupName $ResourceGroupName "} if(-not [string]::IsNullOrEmpty($ResourceName)) { $cmdmsg += " -ResourceName $ResourceName "} } $this.PublishCustomMessage("Note: If you have PIM eligible role on the resource, make sure you have activated your access before running the above command. Use setpim -ActivateMyRole "+$cmdmsg+" -DurationInHours `$durationinHrs -Justification `$justification -RoleName `$roleDefinitionName ",[MessageType]::Warning) } #List exixting settings for a specific role hidden [void] ListRoleSettings( $ManagementGroupId, $SubscriptionId, $ResourceGroupName, $ResourceName, $RoleName) { $resolvedResource = $null; if(-not([string]::IsNullOrEmpty($ManagementGroupId))) { $resolvedResource = $this.PIMResourceResolver($ManagementGroupId, $false); } else { $resolvedResource = $this.PIMResourceResolver($SubscriptionId, $ResourceGroupName, $ResourceName,$false) } if (($resolvedResource | Measure-Object).Count -gt 0 -and (-not [string]::IsNullOrEmpty($resolvedResource.ResourceId))) { $roleforResource = @($this.ListRoles($resolvedResource.ResourceId)) | Where-Object {$_.RoleName -eq $RoleName} $rolesettings = [string]::Empty if(($roleforResource|Measure-Object).Count -gt 0) { #API call to get existing role settings try { $url = $this.APIroot+"/roleSettingsV2?`$expand=resource,roleDefinition(`$expand=resource)&`$filter=(resource/id+eq+%27$($resolvedResource.ResourceId)%27)+and+(roleDefinition/id+eq+%27$($roleforResource.RoleDefinitionId)%27)" $existingroleSetting = [WebRequestHelper]::InvokeWebRequest("Get", $url, $this.headerParams, $null, [string]::Empty, $false, $false ) } catch { if([Helpers]::CheckMember($_,"ErrorDetails.Message")) { $err = $_ | ConvertFrom-Json $this.PublishCustomMessage($err.error.message,[MessageType]::Error) } else { $this.PublishCustomMessage("Unable to retrieve existing role settings for provided role. Please verify you have required permissions to view requested role for the given scope.", [MessageType]::Error) } return } #Fetch the role settings :ExpireEligibleAssignmentsInDays, RequireJustificationOnActivation, RequireMFAOnActivation, MaximumActivationDuration, ConditionalAccess $ExpireEligibleAssignmentsSetting = ((($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Eligible'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes)/60)/24 $MaximumActivationDurationSetting = (($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes )/60 $JustificationOnActivationSetting = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'JustificationRule'}).setting | ConvertFrom-Json).required $MFAOnActivationSetting = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'MfaRule'}).setting | ConvertFrom-Json).mfaRequired $ConditionalAccessSetting = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'EndUser' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'acrsRule'}).setting | ConvertFrom-Json).acrsRequired #Fetch the role settings :ExpireActiveAssignmentsInDays, RequireJustificationOnActiveAssignment, RequireMFAOnActiveAssignment $ExpireActiveAssignmentsSetting = ((($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'ExpirationRule'}).setting | ConvertFrom-Json).maximumGrantPeriodInMinutes)/60)/24 $JustificationOnActiveAssignmentSetting = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'JustificationRule'}).setting | ConvertFrom-Json).required $MFAOnActiveAssignmentSetting = ($($($($existingroleSetting.lifeCycleManagement | Where-Object {$_.caller -eq 'Admin' -and $_.level -eq 'Member'}).value) | Where-Object{$_.RuleIdentifier -eq 'MfaRule'}).setting | ConvertFrom-Json).mfaRequired if($MFAOnActivationSetting -eq $true) { $MFAOnActivationSetting = "Yes"} else { $MFAOnActivationSetting = "No"} if($ConditionalAccessSetting -eq $true) { $ConditionalAccessSetting = "Yes"} else { $ConditionalAccessSetting = "No"} if($JustificationOnActivationSetting -eq $true) { $JustificationOnActivationSetting = "Yes"} else { $JustificationOnActivationSetting = "No"} if($JustificationOnActiveAssignmentSetting -eq $true) { $JustificationOnActiveAssignmentSetting = "Yes"} else { $JustificationOnActiveAssignmentSetting = "No"} if($MFAOnActiveAssignmentSetting -eq $true) { $MFAOnActiveAssignmentSetting = "Yes"} else { $MFAOnActiveAssignmentSetting = "No"} $item = New-Object psobject -Property @{ "Activation maximum duration (hours)" = $MaximumActivationDurationSetting "Require justification on activation" = $JustificationOnActivationSetting "On activation, require Azure MFA" = $MFAOnActivationSetting "On activation, require conditional access" = $ConditionalAccessSetting "Expire eligible assignments after (days)" = $ExpireEligibleAssignmentsSetting "Expire active assignments after (days)" = $ExpireActiveAssignmentsSetting "Require justification on active assignment" = $JustificationOnActiveAssignmentSetting "Require Azure Multi-Factor Authentication on active assignment" = $MFAOnActiveAssignmentSetting } #Display existing role settings on host $obj = $item| Format-List | Out-String $this.PublishCustomMessage($obj) } } } } class PIMResource { [int] $Id [string] $ResourceId #Id refered by PIM API to uniquely identify a resource [string] $ResourceName [string] $Type [string] $ExternalId #ARM resourceId } |