CTGlobal.PimAdmin.psm1
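<#
.SYNOPSIS
    Quotes a value for use inside an OData $filter string literal and percent-encodes it.
.DESCRIPTION
    OData string literals are delimited by single quotes and embed a literal quote by
    doubling it. Doubling first and then escaping the whole value keeps caller-supplied
    ids and display names (which may originate from user input) inside the literal, so
    they cannot rewrite the filter that the Graph query is built from.
.PARAMETER Value
    The raw value to embed between single quotes in a $filter.
.OUTPUTS
    [string] the quoted and URL-encoded value.
#>
Function ConvertTo-PimODataLiteral {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string] $Value
    )
    $doubled = $Value -replace "'", "''"
    return [System.Uri]::EscapeDataString($doubled)
}

<#
.SYNOPSIS
    Finds the PIM (privilegedAccess) resource that wraps an ARM resource id.
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER azureResourceId
    ARM resource id; matched against the PIM resource's externalId.
.OUTPUTS
    The single matching PIM resource object.
.NOTES
    Throws when no resource, or more than one resource, matches the filter.
#>
Function Get-PimAzureResource {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $azureResourceId
    )
    $idLiteral = ConvertTo-PimODataLiteral -Value $azureResourceId
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?`$filter=externalId eq '$idLiteral'"

    $pimResource = (Invoke-GraphRequest -url $uri -Token $Token -Method Get).value
    # Normalise to an array without nulls: an empty "value": [] is the common
    # not-found shape and must be rejected instead of indexing into it.
    $pimResource = @($pimResource | Where-Object { $null -ne $_ })
    if ($pimResource.Count -eq 0) {
        throw "Pim resource not found on url: $uri"
    }
    if ($pimResource.Count -gt 1) {
        throw "More than one Pim resource found on url: $uri"
    }
    return $pimResource[0]
}

<#
.SYNOPSIS
    Finds a PIM role definition on a PIM resource by its display name.
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER pimResourceId
    Id of the PIM resource (see Get-PimAzureResource).
.PARAMETER roleDisplayName
    Display name of the role, e.g. "Contributor".
.OUTPUTS
    The single matching role definition object.
.NOTES
    Throws when no definition, or more than one definition, matches the filter.
#>
Function Get-PimAzureResourceRoleDefinition {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $pimResourceId,
        [Parameter(Mandatory = $true)] $roleDisplayName
    )
    $resourceLiteral = ConvertTo-PimODataLiteral -Value $pimResourceId
    $roleLiteral = ConvertTo-PimODataLiteral -Value $roleDisplayName
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleDefinitions?`$filter=resourceId+eq+'$resourceLiteral'+and+displayName+eq+'$roleLiteral'"

    $pimRoleDefinition = (Invoke-GraphRequest -url $uri -Token $Token -Method Get).value
    $pimRoleDefinition = @($pimRoleDefinition | Where-Object { $null -ne $_ })
    if ($pimRoleDefinition.Count -eq 0) {
        throw "Role definition not found on url : $uri"
    }
    if ($pimRoleDefinition.Count -gt 1) {
        throw "More than one role definition found on url: $uri"
    }
    return $pimRoleDefinition[0]
}

<#
.SYNOPSIS
    Reads the PIM role setting for one role definition on one PIM resource.
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER pimResourceId
    Id of the PIM resource.
.PARAMETER pimRoleDefinitionId
    Id of the PIM role definition (see Get-PimAzureResourceRoleDefinition).
.OUTPUTS
    The single matching roleSettings object, suitable for Set-PimAzureResourceRoleSetting.
.NOTES
    Throws when no setting, or more than one setting, matches the filter.
#>
Function Get-PimAzureResourceRoleSetting {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $pimResourceId,
        [Parameter(Mandatory = $true)] $pimRoleDefinitionId
    )
    $resourceLiteral = ConvertTo-PimODataLiteral -Value $pimResourceId
    $roleLiteral = ConvertTo-PimODataLiteral -Value $pimRoleDefinitionId
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings?`$filter=resourceId+eq+'$resourceLiteral'+and+roleDefinitionId+eq+'$roleLiteral'"

    $pimGovernanceRoleSetting = (Invoke-GraphRequest -url $uri -Token $Token -Method Get).value
    $pimGovernanceRoleSetting = @($pimGovernanceRoleSetting | Where-Object { $null -ne $_ })
    if ($pimGovernanceRoleSetting.Count -eq 0) {
        throw "Pim Settings not found on url: $uri"
    }
    if ($pimGovernanceRoleSetting.Count -gt 1) {
        throw "More than one setting found. Cannot continue. $pimGovernanceRoleSetting"
    }
    return $pimGovernanceRoleSetting[0]
}

<#
.SYNOPSIS
    Writes a roleSettings object back to Graph (PATCH).
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER pimGovernanceRoleSetting
    A roleSettings object carrying an "id" property, typically the object returned by
    Get-PimAzureResourceRoleSetting after the caller modified it.
.OUTPUTS
    Whatever Invoke-GraphRequest returns for the PATCH.
#>
Function Set-PimAzureResourceRoleSetting {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $pimGovernanceRoleSetting
    )
    $pimGovernanceRoleSettingId = $pimGovernanceRoleSetting.id
    # -Depth: ConvertTo-Json defaults to depth 2 and silently stringifies anything
    # nested deeper, which would PATCH a corrupted settings object. Matches the
    # depth used by Remove-PimAzureResourceRoleAssignment.
    $body = $pimGovernanceRoleSetting | ConvertTo-Json -Depth 100
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/$pimGovernanceRoleSettingId"
    Invoke-GraphRequest -url $uri -Token $Token -Method Patch -Body $body
}

<#
.SYNOPSIS
    Submits an AdminAdd request that makes a subject eligible for a role on a PIM resource.
.DESCRIPTION
    Posts a roleAssignmentRequest with assignmentState "Eligible".
    https://docs.microsoft.com/en-us/graph/api/privilegedroleassignment-makeeligible?view=graph-rest-beta&tabs=cs
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER userId
    Subject (user/group/principal) id to make eligible.
.PARAMETER pimResourceId
    Id of the PIM resource.
.PARAMETER RoleDefinitionId
    Id of the PIM role definition to assign.
.PARAMETER reason
    Free-text justification recorded on the request.
.PARAMETER startDateTime
    Start of the schedule; defaults to two minutes from now.
.PARAMETER endDateTime
    End of the schedule; $null by default (sent as JSON null).
.PARAMETER type
    Schedule type; defaults to "Once".
.OUTPUTS
    Whatever Invoke-GraphRequest returns for the POST.
#>
Function New-PimAzureResourceRoleAssignment {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $userId,
        [Parameter(Mandatory = $true)] $pimResourceId,
        [Parameter(Mandatory = $true)] $RoleDefinitionId,
        [Parameter(Mandatory = $true)] $reason,
        $startDateTime = [System.DateTime]$(Get-Date).AddMinutes(2), # from now
        $endDateTime = $null,
        $type = "Once"
    )
    # Windows PowerShell 5.1 serializes [datetime] as "\/Date(n)\/", which is not the
    # ISO 8601 form Graph expects; strings supplied by the caller are passed through.
    if ($startDateTime -is [datetime]) {
        $startDateTime = $startDateTime.ToUniversalTime().ToString('o')
    }
    if ($endDateTime -is [datetime]) {
        $endDateTime = $endDateTime.ToUniversalTime().ToString('o')
    }

    $roleAssignment = @{
        roleDefinitionId = $RoleDefinitionId   # was $pimRoleDefinitionId, an unbound name
        resourceId       = $pimResourceId
        subjectId        = $userId
        assignmentState  = "Eligible"
        type             = "AdminAdd"
        reason           = $reason # TODO: add SharePoint list or other request-origin info
        schedule         = @{
            startDateTime = $startDateTime
            endDateTime   = $endDateTime
            type          = $type
        }
    }
    $body = $roleAssignment | ConvertTo-Json -Depth 100
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests"
    Invoke-GraphRequest -url $uri -Token $Token -Method Post -Body $body
}

<#
.SYNOPSIS
    Lists the current role assignments on a PIM resource.
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER pimResourceId
    Id of the PIM resource.
.OUTPUTS
    The "value" collection of the Graph response.
#>
Function Get-PimAzureResourceRoleAssignment {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $pimResourceId
    )
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources/$($pimResourceId)/roleAssignments"
    $rgRoleAssignments = (Invoke-GraphRequest -url $uri -Token $Token -Method Get).value
    return $rgRoleAssignments
}

<#
.SYNOPSIS
    Lists the role assignment requests on a PIM resource.
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER pimResourceId
    Id of the PIM resource.
.OUTPUTS
    The "value" collection of the Graph response.
#>
Function Get-PimAzureResourceRoleAssignmentRequest {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $pimResourceId
    )
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources/$($pimResourceId)/roleAssignmentRequests"
    $rgRoleAssignmentRequests = (Invoke-GraphRequest -url $uri -Token $Token -Method Get).value
    return $rgRoleAssignmentRequests
}

<#
.SYNOPSIS
    Cancels a pending role assignment request, or removes a granted assignment.
.DESCRIPTION
    If the request's status.status is "InProgress" the request is cancelled via the
    /cancel action; otherwise the request object is re-posted with type "AdminRemove".
.PARAMETER Token
    Token passed through to Invoke-GraphRequest.
.PARAMETER pimResourceRoleAssignmentRequest
    A roleAssignmentRequest object as returned by Get-PimAzureResourceRoleAssignmentRequest.
    NOTE: in the AdminRemove path its "type" property is modified in place.
.OUTPUTS
    Whatever Invoke-GraphRequest returns for the POST.
#>
Function Remove-PimAzureResourceRoleAssignment {
    param(
        [Parameter(Mandatory = $true)] $Token,
        [Parameter(Mandatory = $true)] $pimResourceRoleAssignmentRequest
    )
    if ($pimResourceRoleAssignmentRequest.status.status -eq "InProgress") {
        # Cancel: the action takes no body. Explicitly $null so no stale value from
        # an enclosing scope is sent.
        $pimResourceRoleAssignmentRequestId = $pimResourceRoleAssignmentRequest.Id
        $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests/$pimResourceRoleAssignmentRequestId/cancel"
        $body = $null
    }
    else {
        $pimResourceRoleAssignmentRequest.type = "AdminRemove"
        $body = $pimResourceRoleAssignmentRequest | ConvertTo-Json -Depth 100
        $uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests"
    }
    # Return the Graph response; the original returned an undefined variable ($null).
    $response = Invoke-GraphRequest -url $uri -Token $Token -Method POST -Body $body
    return $response
}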