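#-----------------------------------------------------------
# Script variables
#-----------------------------------------------------------
# Display names of the service principals (e.g. managed identities) that
# should receive the app roles listed below. Fill this in before running.
# An empty list means the script only runs the prechecks and touches nothing
# in the directory (the previous "" value iterated once with an empty name
# and issued a "DisplayName eq ''" lookup).
$principalNames = @()
# Display name of the API (resource) service principal whose app roles are granted.
$apiPrincipalName = "Microsoft Graph"
# App role values (the "Value" of each AppRole on the API principal) to assign.
$apiRoleNames = @("User.Read.All", "Group.Read.All")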
- #-----------------------------------------------------------
- # Some general prechecks - no actual execution logic here
- #-----------------------------------------------------------
# Writes a two-part log line: $Title in the default color with no newline,
# followed by $Detail in the requested console color.
# Arguments: $Title  - leading label text
#            $Detail - value text printed after the label
#            $Color  - ConsoleColor used for $Detail
# Outputs:   host output only; nothing is written to the pipeline
function Write-Log {
    param(
        [string] $Title,
        [string] $Detail,
        [ConsoleColor] $Color
    )
    Write-Host -Object $Title -NoNewline
    Write-Host -Object $Detail -ForegroundColor $Color
}
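# Checks that a lookup result is exactly one object.
# Arguments: $obj - result of a Get-* call: $null, a single object, or a collection
# Outputs:   diagnostics go to the host only (Write-Host / Out-Host). The previous
#            version also emitted $obj and each listed item to the pipeline, so in the
#            "multiple objects" case the function returned a non-empty array that
#            evaluated as $true inside `if (Test-Singular ...)`.
# Returns:   $true when exactly one object was found, otherwise $false
function Test-Singular {
    param ($obj)
    # @() normalizes scalars and collections; the previous .length check on a
    # string measured its character count and reported "multiple objects".
    $count = @($obj).Count
    if ($null -eq $obj -or $count -eq 0) {
        Write-Host "Not found." -ForegroundColor Red
        return $false
    }
    if ($count -gt 1) {
        Write-Host "Found multiple objects when one expected. Listing..." -ForegroundColor Red
        # Out-Host displays the objects without making them function output.
        $obj | Out-Host
        return $false
    }
    # Show the single match to the operator (host only, not pipeline output).
    $obj | Out-Host
    return $true
}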
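# Check if logged in.
# -ErrorAction Stop turns any "not connected" error into a terminating one so
# the catch branch is reached; the previous -ErrorAction Ignore could silently
# leave $tenantInfo empty instead.
try {
    $tenantInfo = Get-AzureADTenantDetail -ErrorAction Stop
}
catch {
    Write-Host "Not logged in. Logging in... " -NoNewline
    Connect-AzureAD
    # Keep the result: the previous `| Out-Null` assigned nothing to $tenantInfo
    # and the log line below printed a blank tenant name.
    $tenantInfo = Get-AzureADTenantDetail -ErrorAction Stop
}
if ($null -eq $tenantInfo) {
    throw "Could not read tenant details after login; aborting before any role assignment."
}
# Log both name and id so the operator can confirm the target tenant before
# any permissions are granted.
Write-Log "Logged to " $($tenantInfo.displayName) Yellow
Write-Log "Tenant Id " $($tenantInfo.ObjectId) Yellow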
# Check Azure Module: report every AzureAD* module loaded in this session
# (name and version) so the run can be matched to a module release later.
Write-Host "Checking AzureAD modules"
$modules = Get-Module -Name "AzureAD*"
$modules | ForEach-Object {
    Write-Log "Module " "$($_.Name) v$($_.Version)" Yellow
}
- #-----------------------------------------------------------
- # Business Logic - Assign permissions
- #-----------------------------------------------------------
- # Looking for API principal
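# Escapes a value for use inside a single-quoted OData string literal (' -> '').
# Display names come from script configuration and were previously interpolated
# raw into -Filter, so a name containing a quote could alter the query.
function ConvertTo-ODataStringLiteral {
    param([string] $Value)
    return ($Value -replace "'", "''")
}

# Looking for API principal
Write-Log "Looking for service principal " $apiPrincipalName Cyan
# Exact DisplayName match. -SearchString is a prefix match and can return
# unrelated principals whose name starts the same way. (For Microsoft Graph the
# well-known AppId 00000003-0000-0000-c000-000000000000 is an even more robust selector.)
$apiPrincipal = Get-AzureADServicePrincipal -Filter "DisplayName eq '$(ConvertTo-ODataStringLiteral $apiPrincipalName)'"
if (Test-Singular $apiPrincipal) {
    Write-Log "API Principal App Id: " $apiPrincipal.AppId DarkGray
    Write-Log "API Principal Object Id: " $apiPrincipal.ObjectId DarkGray
    foreach ($principalName in $principalNames) {
        Write-Log "Looking for service principal " $principalName Cyan
        # Get Principal (exact DisplayName match, quote-escaped)
        $principal = Get-AzureADServicePrincipal -Filter "DisplayName eq '$(ConvertTo-ODataStringLiteral $principalName)'"
        if (Test-Singular $principal) {
            Write-Log "Principal DisplayName Id: " $principal.DisplayName DarkGray
            Write-Log "Principal App Id: " $principal.AppId DarkGray
            Write-Log "Principal Object Id: " $principal.ObjectId DarkGray
            Write-Host "Getting current roles"
            # -All $true: without it only the first page is returned, so an
            # already-granted role could look missing and be assigned twice.
            # NOTE(review): confirm this cmdlet lists assignments where $principal is
            # the holder rather than the resource — the AzureAD module's
            # AssignedTo/Assignment naming is easy to confuse.
            $principalRoles = Get-AzureADServiceAppRoleAssignedTo -ObjectId $principal.ObjectId -All $true
            Write-Host "Found $(@($principalRoles).Count) roles"
            Write-Host "Assigning permissions"
            foreach ($roleName in $apiRoleNames) {
                Write-Log "Assigning Role " $roleName Green
                $role = $apiPrincipal.AppRoles | Where-Object { $_.Value -eq $roleName }
                if (Test-Singular $role) {
                    Write-Log "Role Id: " $role.Id DarkGray
                    Write-Log "Role Description: " $role.Description DarkGray
                    # Compare ResourceId as well as the role Id so an assignment of a
                    # same-Id role on another resource is not mistaken for this one.
                    $principalRole = $principalRoles | Where-Object { $_.Id -eq $role.Id -and $_.ResourceId -eq $apiPrincipal.ObjectId }
                    if ($null -ne $principalRole) {
                        Write-Host "Principal already has $roleName assigned. Skipping..." -ForegroundColor DarkGreen
                    } else {
                        try {
                            New-AzureADServiceAppRoleAssignment `
                                -Id $role.Id `
                                -ObjectId $principal.ObjectId `
                                -PrincipalId $principal.ObjectId `
                                -ResourceId $apiPrincipal.ObjectId
                            Write-Log "Result " "Role Assigned." Green
                        }
                        catch {
                            # The script treats "Insufficient privileges" as a known spurious
                            # error: re-read the assignments and report success only if the
                            # role is actually present now; anything else is rethrown.
                            $errorMessage = $_.Exception.Message
                            if ($errorMessage -like '*Message: Insufficient privileges to complete the operation.*') {
                                $principalRoles = Get-AzureADServiceAppRoleAssignedTo -ObjectId $principal.ObjectId -All $true
                                $principalRole = $principalRoles | Where-Object { $_.Id -eq $role.Id -and $_.ResourceId -eq $apiPrincipal.ObjectId }
                                if ($null -ne $principalRole) {
                                    Write-Log "Info " "Known Error Ocurred. Checking assignment." Gray
                                    Write-Log "" "Role Assigned. OK." Green
                                } else {
                                    throw
                                }
                            } else {
                                throw
                            }
                        }
                    }
                }
            }
        }
    }
}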