Functions/Remove-CMPCAdminRelationshipAccessAssignment.ps1

function Remove-CMPCAdminRelationshipAccessAssignment {
    #REQUIRES -Version 4.0
    #REQUIRES -Modules Microsoft.PowerShell.Utility

    <#
    .SYNOPSIS
    This function ends an access assignment.

    .DESCRIPTION
    This function validates that the requested access assignment is an active access assignment and ends the access assignment.
    You can specify either the security group that has an active access assignment or the access assignment ID.

    .PARAMETER AdminRelationshipId
    Specify the admin relationship on which you want to remove an access assignment.

    .PARAMETER SecurityGroup
    Specify the security group that has an active access assignment that you want to end.

    .PARAMETER AccessAssignmentId
    Specify the access assignment ID that has an active status and that you want to end.

    .INPUTS
    This function accepts the admin relationship ID as an input.
    Also, either a security group or access assignment ID is accepted as input.

    .OUTPUTS
    The function will either fail and throw an error, or run successfully and output a string.

    .LINK
    Online version: https://github.com/nordbymikael/microsoft-partner-center#remove-cmpcadminrelationshipaccessassignment

    .NOTES
    This function starts to validate the parameters.
    This includes a validation that the access assignments are still active and that this function will indeed have an impact on the access assignment.
    
    Afterwards, the function retrieves the etag and status of the access assignment and adds the etag to the request header to end the access assignment later.
    A switch statement is going through the possible statuses and the function ends the access assignment if the access assignment is active.

    .EXAMPLE
    Remove-CMPCAdminRelationshipAccessAssignment -AdminRelationshipId "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx-xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx" -SecurityGroup "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx"
    This example shows how to end an access assignment based on the security group ID.

    .EXAMPLE
    Remove-CMPCAdminRelationshipAccessAssignment -AdminRelationshipId "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx-xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx" -AccessAssignmentId "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx"
    This example shows how to end an access assignment based on the access assignment ID.
    #>

    
    [CmdletBinding(
        ConfirmImpact = "High",
        DefaultParameterSetName = "AccessAssignmentId",
        HelpUri = "https://github.com/nordbymikael/microsoft-partner-center#remove-cmpcadminrelationshipaccessassignment",
        SupportsPaging = $false,
        SupportsShouldProcess = $true,
        PositionalBinding = $true
    )]
    
    param (
        [Parameter(Mandatory = $true, ParameterSetName = "SecurityGroup", ValueFromPipeline = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "AccessAssignmentId", ValueFromPipeline = $true)]
        [ValidatePattern('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')]
        [ValidateScript({
            Confirm-AdminRelationshipExistence -AdminRelationshipId $_
        })]
        [System.String]$adminRelationshipId,

        [Parameter(Mandatory = $true, ParameterSetName = "SecurityGroup")]
        [ValidatePattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")]
        [ValidateScript({
            $SecurityGroup = $_
            $allAccessAssignments = Get-AllGraphAPIResponses -uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($adminRelationshipId)/accessAssignments?`$select=@odata.etag,id,status,accessContainer"
            $accessAssignmentId = ($allAccessAssignments | Where-Object {$_.status -eq "active"} | Where-Object {$_.accessContainer.accessContainerId -eq $SecurityGroup}).id

            if ($null -eq $accessAssignmentId)
            {
                throw "There are no active access assignments on the security group you specified."
            }
        })]
        [System.String]$SecurityGroup,

        [Parameter(Mandatory = $true, ParameterSetName = "AccessAssignmentId")]
        [ValidatePattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")]
        [ValidateScript({
            try {
                Invoke-RestMethod -Method "Get" -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($adminRelationshipId)/accessAssignments/$($_)"
            }
            catch {
                throw "The specified access assignment does not exist."
            }
        })]
        [System.String]$accessAssignmentId
    )
    
    begin
    {
        
    }

    process
    {
        $headers = @{
            Authorization = "Bearer $($authTokenManager.GetValidToken())"
        }

        if ($PSCmdlet.ParameterSetName -eq "SecurityGroup") {
            $allAccessAssignments = Get-AllGraphAPIResponses -uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($adminRelationshipId)/accessAssignments?`$select=@odata.etag,id,status,accessContainer"
            $accessAssignment = $allAccessAssignments | Where-Object {$_.status -eq "active"} | Where-Object {$_.accessContainer.accessContainerId -eq $SecurityGroup}
            $accessAssignmentId = $accessAssignment.id
        }
        elseif ($PSCmdlet.ParameterSetName -eq "AccessAssignmentId")
        {
            $accessAssignment = Invoke-RestMethod -Method "Get" -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($adminRelationshipId)/accessAssignments/$($accessAssignmentId)?`$select=@odata.etag" -Headers $headers
        }

        $headers."If-Match" = $accessAssignment."@odata.etag"

        switch ($accessAssignment.status)
        {
            "active" {
                Invoke-RestMethod -Method "Delete" -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($adminRelationshipId)/accessAssignments/$($accessAssignment.id)" -Headers $headers > $null
                return "Ended the access assignment with the id $($accessAssignmentId) and security group $($SecurityGroup), associated with the admin relationship with the id $($adminRelationshipId)."
            }
            "pending" {
                return "Failed to delete the access assignment. The access assignment with id $($accessAssignmentId) on admin relationship with id $($adminRelationshipId) is still in the creation state. Wait a few seconds and try again."
            }
            "deleting" {
                return "Failed to delete the access assignment. The access assignment with id $($accessAssignmentId) on admin relationship with id $($adminRelationshipId) is already in the deletion process."
            }
            "deleted" {
                return "Failed to delete the access assignment. The access assignment with id $($accessAssignmentId) on admin relationship with id $($adminRelationshipId) is already deleted."
            }
            default {
                throw "Failed to delete the access assignment. The access assignment with id $($accessAssignmentId) on admin relationship with id $($adminRelationshipId) does not exist."
            }
        }
    }

    end
    {

    }
}