CustomMicrosoftPartnerCenter

0.9.1

Functions/Remove-CMPCAdminRelationshipAccessAssignment.ps1

                                function Remove-CMPCAdminRelationshipAccessAssignment {

    #REQUIRES -Version 4.0

    #REQUIRES -Modules Microsoft.PowerShell.Utility

    <#

    .SYNOPSIS

    This function ends an access assignment.

    .DESCRIPTION

    This function validates that the requested access assignment is an active access assignment and ends the access assignment.

    You can specify either the security group that has an active access assignment or the access assignment ID.

    .PARAMETER AdminRelationshipId

    Specify the admin relationship on which you want to remove an access assignment.

    .PARAMETER SecurityGroup

    Specify the security group that has an active access assignment that you want to end.

    .PARAMETER AccessAssignmentId

    Specify the access assignment ID that has an active status and that you want to end.

    .INPUTS

    This function accepts the admin relationship ID as an input.

    Also, either a security group or access assignment ID is accepted as input.

    .OUTPUTS

    The function will either fail and throw an error, or run successfully and output a string.

    .LINK

    Online version: https://github.com/nordbymikael/microsoft-partner-center#remove-cmpcadminrelationshipaccessassignment

    .NOTES

    This function starts to validate the parameters.

    This includes a validation that the access assignments are still active and that this function will indeed have an impact on the access assignment.

    Afterwards, the function retrieves the etag and status of the access assignment and adds the etag to the request header to end the access assignment later.

    A switch statement is going through the possible statuses and the function ends the access assignment if the access assignment is active.

    .EXAMPLE

    Remove-CMPCAdminRelationshipAccessAssignment -AdminRelationshipId "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx-xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx" -SecurityGroup "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx"

    This example shows how to end an access assignment based on the security group ID.

    .EXAMPLE

    Remove-CMPCAdminRelationshipAccessAssignment -AdminRelationshipId "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx-xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx" -AccessAssignmentId "xxxxxxxx-xxxx-xxxx-yxxx-xxxxxxxxxxxx"

    This example shows how to end an access assignment based on the access assignment ID.

    #>

    [CmdletBinding(

        ConfirmImpact = "High",

        DefaultParameterSetName = "AccessAssignmentId",

        HelpUri = "https://github.com/nordbymikael/microsoft-partner-center#remove-cmpcadminrelationshipaccessassignment",

        SupportsPaging = $false,

        SupportsShouldProcess = $true,

        PositionalBinding = $true

    )]

    param (

        [Parameter(Mandatory = $true, ParameterSetName = "SecurityGroup", ValueFromPipeline = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "AccessAssignmentId", ValueFromPipeline = $true)]

        [ValidatePattern('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')]

        [ValidateScript({

            Confirm-AdminRelationshipExistence -AdminRelationshipId $_

        })]

        [System.String]$AdminRelationshipId,

        [Parameter(Mandatory = $true, ParameterSetName = "SecurityGroup")]

        [ValidatePattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")]

        [ValidateScript({

            $SecurityGroup = $_

            $allAccessAssignments = Get-AllGraphAPIResponses -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($AdminRelationshipId)/accessAssignments?`$select=id,status,accessContainer"

            $accessAssignment = $allAccessAssignments | Where-Object {$_.status -eq "active"} | Where-Object {$_.accessContainer.accessContainerId -eq $SecurityGroup}

            return $true

            if ($null -eq $accessAssignment.id)

            {

                throw "There are no active access assignments on the security group you specified."

            }

        })]

        [System.String]$SecurityGroup,

        [Parameter(Mandatory = $true, ParameterSetName = "AccessAssignmentId")]

        [ValidatePattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")]

        [ValidateScript({

            try {

                $headers = @{

                    Authorization = "Bearer $($authTokenManager.GetValidToken())"

                }

                $AccessAssignmentId = $_

                Invoke-RestMethod -Method "Get" -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($AdminRelationshipId)/accessAssignments/$($AccessAssignmentId)" -Headers $headers

            }

            catch {

                throw "The specified access assignment does not exist."

            }

        })]

        [System.String]$AccessAssignmentId

    )

    begin

    {

        Confirm-AccessTokenExistence

    }

    process

    {

        $headers = @{

            Authorization = "Bearer $($authTokenManager.GetValidToken())"

        }

        if ($PSCmdlet.ParameterSetName -eq "SecurityGroup") {

            $allAccessAssignments = Get-AllGraphAPIResponses -uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($AdminRelationshipId)/accessAssignments?`$select=id,status,accessContainer"

            $accessAssignment = $allAccessAssignments | Where-Object {$_.status -eq "active"} | Where-Object {$_.accessContainer.accessContainerId -eq $SecurityGroup}

            $AccessAssignmentId = $accessAssignment.id

        }

        $accessAssignment = Invoke-RestMethod -Method "Get" -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($AdminRelationshipId)/accessAssignments/$($AccessAssignmentId)" -Headers $headers        

        $headers."If-Match" = $accessAssignment."@odata.etag"

        switch ($accessAssignment.status)

        {

            "active" {

                Invoke-RestMethod -Method "Delete" -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($AdminRelationshipId)/accessAssignments/$($AccessAssignmentId)" -Headers $headers > $null

                return "Ended the access assignment with the id $($AccessAssignmentId) associated with the admin relationship with the id $($AdminRelationshipId)."

            }

            "pending" {

                return "Failed to delete the access assignment. The access assignment with id $($AccessAssignmentId) on admin relationship with id $($AdminRelationshipId) is still in the creation state. Wait a few seconds and try again."

            }

            "deleting" {

                return "Failed to delete the access assignment. The access assignment with id $($AccessAssignmentId) on admin relationship with id $($AdminRelationshipId) is already in the deletion process."

            }

            "deleted" {

                return "Failed to delete the access assignment. The access assignment with id $($AccessAssignmentId) on admin relationship with id $($AdminRelationshipId) is already deleted."

            }

            default {

                throw "Failed to delete the access assignment. The access assignment with id $($AccessAssignmentId) on admin relationship with id $($AdminRelationshipId) does not exist."

            }

        }

    }

    end

    {

    }

}