#Requires -Version 2.0
<#
Copyright (c) Alya Consulting, 2019-2024
This file is part of the Alya Base Configuration.
https://alyaconsulting.ch/Loesungen/BasisKonfiguration
The Alya Base Configuration is free software: you can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Alya Base Configuration is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details: https://www.gnu.org/licenses/gpl-3.0.txt
Diese Datei ist Teil der Alya Basis Konfiguration.
https://alyaconsulting.ch/Loesungen/BasisKonfiguration
Die Alya Basis Konfiguration ist eine Freie Software: Sie können sie unter den
Bedingungen der GNU General Public License, wie von der Free Software
Foundation, Version 3 der Lizenz oder (nach Ihrer Wahl) jeder neueren
veröffentlichten Version, weiter verteilen und/oder modifizieren.
Die Alya Basis Konfiguration wird in der Hoffnung, dass sie nützlich sein wird,
aber OHNE JEDE GEWÄHRLEISTUNG, bereitgestellt; sogar ohne die implizite
Gewährleistung der MARKTFÄHIGKEIT oder EIGNUNG FUER EINEN BESTIMMTEN ZWECK.
Siehe die GNU General Public License fuer weitere Details:
https://www.gnu.org/licenses/gpl-3.0.txt
History:
Date Author Description
---------- -------------------- ----------------------------
23.09.2022 Konrad Brunner Initial Version
31.05.2023 Konrad Brunner Switched to MsGraph
#>
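[CmdletBinding()]
Param(
    # Display name of the service principal (typically a managed identity) that
    # should RECEIVE the permission. Display names are not unique in the tenant,
    # so the lookup fails if more than one service principal carries this name.
    [string]$ServicePrincipalNameRequestingPermission = $null,
    # Application (client) id GUID of the receiving service principal. Preferred
    # over the name because it is unique.
    [string]$ServicePrincipalIdRequestingPermission = $null,
    # Display name of the resource service principal that DEFINES the app role
    # (e.g. the Microsoft Graph service principal). Same uniqueness caveat.
    [string]$ServicePrincipalNameProvidingPermission = $null,
    # Application (client) id GUID of the resource service principal.
    [string]$ServicePrincipalIdProvidingPermission = $null,
    # The app role "value" as declared by the providing service principal.
    # Only roles whose allowedMemberTypes contains "Application" qualify.
    [string]$PermissionToAssign = $null
)

# NOTE(review): the "#Requires -Version 2.0" directive at the top of the file
# understates the real requirement: $PSScriptRoot in a script needs PowerShell
# 3.0 and the Microsoft.Graph modules need 5.1 or later.

# Reading configuration. Expected to provide $AlyaLogs, $AlyaTimeString,
# $CommandInfo and the helpers Install-ModuleIfNotInstalled / LoginTo-MgGraph.
. $PSScriptRoot\..\..\01_ConfigureEnv.ps1

# Starting transcript
Start-Transcript -Path "$($AlyaLogs)\scripts\aad\Add-ApplicationPermissionToManagedIdentity-$($AlyaTimeString).log" | Out-Null

# =============================================================
# Helpers
# =============================================================

function ConvertTo-ODataStringLiteral
{
    # Quote a value for use inside an OData $filter. The only escape an OData
    # string literal needs is doubling the single quote; without it a name that
    # contains ' breaks the query or changes what it matches.
    Param([string]$Value)
    return "'" + $Value.Replace("'", "''") + "'"
}

function Get-SingleServicePrincipal
{
    # Run a servicePrincipal $filter and require exactly one hit.
    # DisplayName is NOT unique in Entra ID: any app registration can reuse the
    # display name of the target identity or of the resource, so a multi-hit
    # result must fail instead of silently flattening several objects into one
    # (which would merge the AppRoles of unrelated apps and produce an array
    # where a single object id is expected).
    Param([string]$Filter, [string]$NotFoundMessage)
    $hits = @(Get-MgBetaServicePrincipal -Filter $Filter -ErrorAction Stop)
    if ($hits.Count -eq 0)
    {
        throw $NotFoundMessage
    }
    if ($hits.Count -gt 1)
    {
        $candidates = ($hits | ForEach-Object { "$($_.DisplayName) [$($_.AppId)]" }) -join ", "
        throw "Filter '$Filter' is ambiguous, $($hits.Count) service principals match: $candidates. Use the Id parameter instead."
    }
    return $hits[0]
}

function Resolve-ServicePrincipal
{
    # Resolve one side (requesting or providing) from its display name and/or
    # application id. When both are supplied they must refer to the same object;
    # letting the id silently win over a mismatching name is refused.
    Param([string]$Name, [string]$AppId, [string]$NameParameter, [string]$IdParameter)
    $byName = $null
    $byId = $null
    if ($Name)
    {
        $nameFilter = "DisplayName eq $(ConvertTo-ODataStringLiteral -Value $Name)"
        $byName = Get-SingleServicePrincipal -Filter $nameFilter -NotFoundMessage "ServicePrincipal with name '$Name' not found"
    }
    if ($AppId)
    {
        # The app id is interpolated into a filter: only accept a real GUID and
        # re-emit it in canonical form so nothing else can reach the query.
        $guid = $AppId -as [Guid]
        if ($null -eq $guid)
        {
            throw "$IdParameter must be the application (client) id GUID of the service principal, got '$AppId'"
        }
        $byId = Get-SingleServicePrincipal -Filter "AppId eq '$($guid.ToString())'" -NotFoundMessage "ServicePrincipal with id '$AppId' not found"
    }
    if ($byName -and $byId -and $byName.Id -ne $byId.Id)
    {
        throw "$NameParameter and $IdParameter refer to different service principals ('$($byName.AppId)' vs '$($byId.AppId)')"
    }
    if ($byId) { return $byId }
    if ($byName) { return $byName }
    throw "Please provide $NameParameter or $IdParameter"
}

try
{
    # Checking modules
    Write-Host "Checking modules" -ForegroundColor $CommandInfo
    Install-ModuleIfNotInstalled "Microsoft.Graph.Authentication"
    Install-ModuleIfNotInstalled "Microsoft.Graph.Beta.Applications"

    # Logging in. Directory.Read.All covers the service principal lookups,
    # AppRoleAssignment.ReadWrite.All is needed to create the grant.
    # NOTE(review): Application.Read.All would be a narrower read scope for the
    # lookups - confirm before changing what the operator is asked to consent to.
    Write-Host "Logging in" -ForegroundColor $CommandInfo
    LoginTo-MgGraph -Scopes @("Directory.Read.All","AppRoleAssignment.ReadWrite.All")

    # =============================================================
    # Azure stuff
    # =============================================================
    Write-Host "`n`n=====================================================" -ForegroundColor $CommandInfo
    Write-Host "ENTAPPS | Add-ApplicationPermissionToManagedIdentity | AZURE" -ForegroundColor $CommandInfo
    Write-Host "=====================================================`n" -ForegroundColor $CommandInfo

    # Validate the role name up front: an empty value would otherwise only fail
    # after both directory lookups, or match a role with an empty Value.
    if ([string]::IsNullOrWhiteSpace($PermissionToAssign))
    {
        throw "Please provide PermissionToAssign (the app role value as declared by the providing service principal)"
    }

    Write-Host "Getting ServicePrincipal Requesting" -ForegroundColor $CommandInfo
    $App = Resolve-ServicePrincipal -Name $ServicePrincipalNameRequestingPermission -AppId $ServicePrincipalIdRequestingPermission `
        -NameParameter "ServicePrincipalNameRequestingPermission" -IdParameter "ServicePrincipalIdRequestingPermission"
    # The script is meant for managed identities; granting app roles to an
    # arbitrary app registration is a common privilege-escalation path, so make
    # the operator notice. NOTE(review): relies on the servicePrincipalType
    # property being populated by Get-MgBetaServicePrincipal - confirm.
    if ($App.ServicePrincipalType -ne "ManagedIdentity")
    {
        Write-Warning "Requesting service principal '$($App.DisplayName)' [$($App.AppId)] has servicePrincipalType '$($App.ServicePrincipalType)', not 'ManagedIdentity'. Verify this is the intended target."
    }

    Write-Host "Getting ServicePrincipal Providing" -ForegroundColor $CommandInfo
    $ToApp = Resolve-ServicePrincipal -Name $ServicePrincipalNameProvidingPermission -AppId $ServicePrincipalIdProvidingPermission `
        -NameParameter "ServicePrincipalNameProvidingPermission" -IdParameter "ServicePrincipalIdProvidingPermission"

    Write-Host "Getting Role" -ForegroundColor $CommandInfo
    # Only roles that may be held by applications (app-only permissions) qualify.
    $AppRoles = @($ToApp.AppRoles | Where-Object { $_.Value -eq $PermissionToAssign -and $_.AllowedMemberTypes -contains "Application" })
    if ($AppRoles.Count -eq 0)
    {
        throw "App role $PermissionToAssign not found on $($ToApp.DisplayName) with id $($ToApp.AppId)"
    }
    if ($AppRoles.Count -gt 1)
    {
        # -eq is case-insensitive; refuse to guess if the resource declares
        # several roles that only differ in case.
        throw "App role $PermissionToAssign is ambiguous on $($ToApp.DisplayName) with id $($ToApp.AppId) ($($AppRoles.Count) matches)"
    }
    $AppRole = $AppRoles[0]

    Write-Host "Checking assignment" -ForegroundColor $CommandInfo
    $Assignments = Get-MgBetaServicePrincipalAppRoleAssignment -ServicePrincipalId $App.Id -All -ErrorAction Stop
    $existing = $Assignments | Where-Object { $_.AppRoleId -eq $AppRole.Id -and $_.ResourceId -eq $ToApp.Id }
    if ($null -eq $existing)
    {
        Write-Host "Granting '$($AppRole.Value)' on '$($ToApp.DisplayName)' to '$($App.DisplayName)' [$($App.AppId)]" -ForegroundColor $CommandInfo
        # -ErrorAction Stop: a failed grant must not end with a clean-looking transcript.
        New-MgBetaServicePrincipalAppRoleAssignment -ServicePrincipalId $App.Id -PrincipalId $App.Id -ResourceId $ToApp.Id -AppRoleId $AppRole.Id -ErrorAction Stop
    }
    else
    {
        Write-Host "Assignment already exists"
    }
}
finally
{
    # Stopping transcript - also on failure, so the log is closed and flushed.
    Stop-Transcript
}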