From abfbb0fff4d319c54858a51b4bee47c90acc0778 Mon Sep 17 00:00:00 2001
From: Mark Wahl
Date: Tue, 20 Apr 2021 09:04:34 -0700
Subject: [PATCH 1/6] introduce select on assignment policy
---
 ...anagementAccessPackageAssignmentPolicy.ps1 | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1
new file mode 100644
index 00000000000..407336274f8
--- /dev/null
+++ b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1
@@ -0,0 +1,76 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Select matching entitlement management accessPackageAssignmentPolicy
+.Description
+Select matching entitlement management accessPackageAssignmentPolicy
+.Inputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignmentPolicy
+.Outputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignmentPolicy
+.Notes
+
+.Link
+https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgentitlementmanagementaccesspackageassignmentrequest
+#>
+function Select-MgEntitlementManagementAccessPackageAssignmentPolicy {
+[OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignmentPolicy])]
+[CmdletBinding(DefaultParameterSetName='ExplicitScope', PositionalBinding=$false, ConfirmImpact='Medium')]
+[Microsoft.Graph.PowerShell.Profile('v1.0-beta')]
+param(
+ [Parameter (ValueFromPipeline=$true)]
+ [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageAssignmentPolicy[]]$Policy,
+
+ [Parameter (Mandatory = $False,ParameterSetName = "ExplicitScope")]
+ [string[]]
+ $ScopeType
+)
+
+begin {
+
+}
+
+process {
+ $policyId = $Policy.Id
+ $acceptRequests = $false
+ $thisScopeType = ""
+
+ if ($Policy.RequestorSettings) {
+ $acceptRequests = $Policy.RequestorSettings.AcceptRequests
+ $thisScopeType = $Policy.RequestorSettings.ScopeType
+ }
+ $matchedScopeType = $true
+ if ($null -ne $ScopeType -and $ScopeType.Length -gt 0) {
+ $matchedScopeType = $false
+ foreach ($s in $ScopeType) {
+ if ($thisScopeType -eq $s) {
+ $matchedScopeType = $true
+ break
+ }
+ }
+ }
+ if ($acceptRequests -and $matchedScopeType -eq $false) {
+ write-verbose "policy $policyId did not match scope type with $thisScopeType"
+ return
+ }
+
+ write-output $Policy
+}
+
+end {
+
+}
+}
From 273011e81023edb1f8ca5d4a675d5c1ad95da8d1 Mon Sep 17 00:00:00 2001
From: Mark Wahl
Date: Thu, 22 Apr 2021 08:33:25 -0700
Subject: [PATCH 2/6] add -NoApprovalRequiredForRequest
---
 ...anagementAccessPackageAssignmentPolicy.ps1 | 46 ++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1
index 407336274f8..4c54733f96c 100644
--- a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1
+++ b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignmentPolicy.ps1
@@ -24,7 +24,7 @@ Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignmentPolicy
 .Notes

 .Link
-https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgentitlementmanagementaccesspackageassignmentrequest
+https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/select-mgentitlementmanagementaccesspackageassignmentpolicy
 #>
 function Select-MgEntitlementManagementAccessPackageAssignmentPolicy {
 [OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignmentPolicy])]
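Review bot: The -ScopeType filter is only enforced for policies that accept requests: the guard `if ($acceptRequests -and $matchedScopeType -eq $false)` lets a policy whose RequestorSettings.AcceptRequests is false through whatever its scope type is, so a caller passing -ScopeType still receives every non-request policy. If that pass-through is intended it belongs in the help, e.g. a `.Parameter ScopeType` entry reading `Scope types to keep; policies that do not accept requests are returned regardless of scope`; if not, drop the `$acceptRequests -and`. Separately, `$Policy` is declared as an array but the body reads `$Policy.Id` and `$Policy.RequestorSettings` as one object, so the filter is only correct when objects arrive one at a time on the pipeline; wrapping the process body in `foreach ($item in $Policy)` would make `-Policy @($a, $b)` behave the same way.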
@@ -34,6 +34,10 @@ param(
 [Parameter (ValueFromPipeline=$true)]
 [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageAssignmentPolicy[]]$Policy,

+ [Parameter (Mandatory = $False)]
+ [switch]
+ $NoApprovalRequiredForRequest,
+
 [Parameter (Mandatory = $False,ParameterSetName = "ExplicitScope")]
 [string[]]
 $ScopeType
@@ -67,6 +71,46 @@ process {
 return
 }

+ if ($NoApprovalRequiredForRequest -and $acceptRequests -eq $true) {
+ $approvalIsRequiredForRequest = $false
+
+ if ($Policy.RequestApprovalSettings) {
+ $isApprovalRequired = $Policy.RequestApprovalSettings.isApprovalRequired
+ $isApprovalRequiredForExtension = $Policy.RequestApprovalSettings.isApprovalRequiredForExtension
+
+ $isApprovalOverride = $true
+
+ if ($Policy.RequestApprovalSettings.ApprovalMode -eq "NoApproval") {
+ $isApprovalOverride = $false
+ }
+ if ($Policy.RequestApprovalSettings.ApprovalStages -eq $null -or $Policy.RequestApprovalSettings.ApprovalStages.Length -eq 0) {
+ $isApprovalOverride = $false
+ }
+
+ if ($isApprovalRequired -eq $true -and $isApprovalOverride -eq $true) {
+ $approvalIsRequiredForRequest = $true
+ } else {
+ write-verbose "policy $policyId did not require approval $isApprovalRequired $isApprovalRequiredForExtension $isApprovalOverride"
+ }
+
+ }
+
+ if ($approvalIsRequiredForRequest) {
+ write-verbose "policy $policyId requires approval"
+ return
+ }
+ }
+
+ if ($NoApprovalRequiredForRequest -and $acceptRequests -eq $false) {
+ # does not accept requests
+ write-verbose "policy $policyId does not accept requests"
+ return
+ }
+ if ($NoApprovalRequiredForRequest -and ($null -eq $ScopeType -or $ScopeType.Length -eq 0) -and $thisScopeType -eq "NoSubjects") {
+ write-verbose "policy $policyId has no subjects in scope"
+ return
+ }
+
 write-output $Policy
 }

From d27ac40d454c01ae5013510fe06d22f3d509a672 Mon Sep 17 00:00:00 2001
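Review bot: `$Policy.RequestApprovalSettings.ApprovalStages -eq $null` puts `$null` on the right, so when ApprovalStages is a collection the comparison filters the collection rather than testing for null; the `.Length -eq 0` alternative happens to cover the empty case, but the analyzer-clean form is `if ($null -eq $Policy.RequestApprovalSettings.ApprovalStages -or $Policy.RequestApprovalSettings.ApprovalStages.Length -eq 0) {`. The override block is the security-relevant decision of this filter and deserves a why-comment, e.g. `# IsApprovalRequired alone does not gate a request: with ApprovalMode NoApproval or no stages nothing can approve it, so treat the policy as no-approval`. `$isApprovalRequiredForExtension` is read only to be echoed in the verbose message; if extension approval is deliberately outside the scope of -NoApprovalRequiredForRequest, a `.Parameter NoApprovalRequiredForRequest` help entry (the help block is outside this hunk) should say so, along with the fact that the "does not accept requests" and NoSubjects exclusions in this hunk apply only when the switch is given.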
From: Mark Wahl
Date: Thu, 22 Apr 2021 08:33:47 -0700
Subject: [PATCH 3/6] introduce select- for AP and assignment
---
 ...t-MgEntitlementManagementAccessPackage.ps1 | 64 +++++++++++++++++
 ...ementManagementAccessPackageAssignment.ps1 | 71 +++++++++++++++++++
 2 files changed, 135 insertions(+)
 create mode 100644 src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
 create mode 100644 src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
new file mode 100644
index 00000000000..6b11487e190
--- /dev/null
+++ b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
@@ -0,0 +1,64 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Select matching entitlement management accessPackage
+.Description
+Select matching entitlement management accessPackage
+.Inputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackage
+.Outputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackage
+.Notes
+
+.Link
+https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/select-mgentitlementmanagementaccesspackag
+#>
+function Select-MgEntitlementManagementAccessPackage {
+[OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackage])]
+[CmdletBinding(PositionalBinding=$false, ConfirmImpact='Medium')]
+[Microsoft.Graph.PowerShell.Profile('v1.0-beta')]
+param(
+ [Parameter (ValueFromPipeline=$true)]
+ [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackage[]]$AccessPackage
+
+)
+
+begin {
+ $APWithZeroPolicies = 0
+ $APWithNonZeroPolicies = 0
+ $policyEvaluation = $false
+}
+
+process {
+
+ $NewObj = $AccessPackage
+ $accessPackageId = ""
+ try {
+ $accessPackageId = $AccessPackage.Id
+ } catch {
+ write-verbose "no access package id"
+ return
+ }
+
+ write-output $NewObj
+}
+
+end {
+ if ($APWithNonZeroPolicies -eq 0 -and $ApWithZeroPolicies -gt 1 -and $policyEvaluation -eq $true) {
+ write-warning "no access packages had any policies to evaluate"
+ }
+}
+}
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1
new file mode 100644
index 00000000000..801890db0ca
--- /dev/null
+++ b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1
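Review bot: The warning in `end` fires only when `$ApWithZeroPolicies -gt 1`, so a run that evaluated exactly one access package with no policies stays silent although the message ("no access packages had any policies to evaluate") applies to it just as well; `-gt 0` matches the wording, and the variable should be spelled `$APWithZeroPolicies` as in `begin`. At this commit nothing assigns `$policyEvaluation = $true`, so the `end` check cannot fire until a later change; a one-line comment on each counter in `begin`, e.g. `# set when a policy filter is requested; enables the end-of-run warning`, would make the intent visible. The `try { $accessPackageId = $AccessPackage.Id } catch` only catches a missing property under Set-StrictMode; otherwise a null Id passes through, so an explicit `if (-not $accessPackageId) { return }` would state the intent more clearly.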
@@ -0,0 +1,71 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Select matching entitlement management accessPackageAssignment
+.Description
+Select matching entitlement management accessPackageAssignment
+.Inputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment
+.Outputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment
+.Notes
+
+.Link
+https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/select-mgentitlementmanagementaccesspackageassignment
+#>
+function Select-MgEntitlementManagementAccessPackageAssignment {
+[OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment])]
+[CmdletBinding(DefaultParameterSetName='ExplicitAssignmentState', PositionalBinding=$false, ConfirmImpact='Medium')]
+[Microsoft.Graph.PowerShell.Profile('v1.0-beta')]
+param(
+ [Parameter (ValueFromPipeline=$true)]
+ [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageAssignment[]]$Assignment,
+
+ [Parameter (Mandatory = $False,ParameterSetName = "ExplicitAssignmentState")]
+ [string[]]
+ $AssignmentState
+)
+
+begin {
+
+}
+
+process {
+ $assignmentId = $Assignment.Id
+ $thisAssignmentState = $Assignment.AssignmentState
+
+ $matchedAssignmentState = $true
+ if ($null -ne $AssignmentState -and $AssignmentState.Length -gt 0) {
+ $matchedAssignmentState = $false
+ foreach ($s in $AssignmentState) {
+ if ($thisAssignmentState -eq $s) {
+ $matchedAssignmentState = $true
+ break
+ }
+ }
+ }
+ if ($matchedAssignmentState -eq $false) {
+ write-verbose "assignment $assignmentId did not match assignment state with $thisAssignmentState"
+ return
+ }
+
+ write-output $Assignment
+}
+
+end {
+
+}
+}
From b82de7c7c75a9e3145adf0db39a6e71ed8a53631 Mon Sep 17 00:00:00 2001
From: Mark Wahl
Date: Thu, 22 Apr 2021 08:56:59 -0700
Subject: [PATCH 4/6] remove select- assignment for now
---
 ...ementManagementAccessPackageAssignment.ps1 | 71 -------------------
 1 file changed, 71 deletions(-)
 delete mode 100644 src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1
deleted file mode 100644
index 801890db0ca..00000000000
--- a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackageAssignment.ps1
+++ /dev/null
@@ -1,71 +0,0 @@
-# ----------------------------------------------------------------------------------
-#
-# Copyright Microsoft Corporation
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-# http://www.apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ----------------------------------------------------------------------------------
-
-<#
-.Synopsis
-Select matching entitlement management accessPackageAssignment
-.Description
-Select matching entitlement management accessPackageAssignment
-.Inputs
-Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment
-.Outputs
-Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment
-.Notes
-
-.Link
-https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/select-mgentitlementmanagementaccesspackageassignment
-#>
-function Select-MgEntitlementManagementAccessPackageAssignment {
-[OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment])]
-[CmdletBinding(DefaultParameterSetName='ExplicitAssignmentState', PositionalBinding=$false, ConfirmImpact='Medium')]
-[Microsoft.Graph.PowerShell.Profile('v1.0-beta')]
-param(
- [Parameter (ValueFromPipeline=$true)]
- [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageAssignment[]]$Assignment,
-
- [Parameter (Mandatory = $False,ParameterSetName = "ExplicitAssignmentState")]
- [string[]]
- $AssignmentState
-)
-
-begin {
-
-}
-
-process {
- $assignmentId = $Assignment.Id
- $thisAssignmentState = $Assignment.AssignmentState
-
- $matchedAssignmentState = $true
- if ($null -ne $AssignmentState -and $AssignmentState.Length -gt 0) {
- $matchedAssignmentState = $false
- foreach ($s in $AssignmentState) {
- if ($thisAssignmentState -eq $s) {
- $matchedAssignmentState = $true
- break
- }
- }
- }
- if ($matchedAssignmentState -eq $false) {
- write-verbose "assignment $assignmentId did not match assignment state with $thisAssignmentState"
- return
- }
-
- write-output $Assignment
-}
-
-end {
-
-}
-}
From b8fba5984048d718b694d24a091931fcaa191c8c Mon Sep 17 00:00:00 2001
From: Mark Wahl
Date: Thu, 22 Apr 2021 09:34:23 -0700
Subject: [PATCH 5/6] add filter on policy scope and no approval required
---
 ...t-MgEntitlementManagementAccessPackage.ps1 | 67 ++++++++++++++++++-
 1 file changed, 64 insertions(+), 3 deletions(-)
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
index 6b11487e190..556efdc44ac 100644
--- a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
+++ b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
@@ -24,7 +24,7 @@ Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackage
 .Notes

 .Link
-https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/select-mgentitlementmanagementaccesspackag
+https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/select-mgentitlementmanagementaccesspackage
 #>
 function Select-MgEntitlementManagementAccessPackage {
 [OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackage])]
@@ -32,7 +32,15 @@ function Select-MgEntitlementManagementAccessPackage {
 [Microsoft.Graph.PowerShell.Profile('v1.0-beta')]
 param(
 [Parameter (ValueFromPipeline=$true)]
- [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackage[]]$AccessPackage
+ [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackage[]]$AccessPackage,
+
+ [Parameter (Mandatory = $False)]
+ [switch]
+ $PolicyWithNoApprovalRequiredForRequest,
+
+ [Parameter (Mandatory = $False)]
+ [string[]]
+ $PolicyWithScopeType

 )

@@ -40,6 +48,12 @@ begin {
 $APWithZeroPolicies = 0
 $APWithNonZeroPolicies = 0
 $policyEvaluation = $false
+
+ if ($PolicyWithNoApprovalRequiredForRequest) {
+ $policyEvaluation = $true
+ } elseif ($null -ne $PolicyWithScopeType -and $PolicyWithScopeType.Length -gt 0) {
+ $policyEvaluation = $true
+ }
 }

 process {
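Review bot: The new parameters `-PolicyWithNoApprovalRequiredForRequest` and `-PolicyWithScopeType` have no `.Parameter` entries in the comment-based help, which begins outside this hunk; since they change what the cmdlet emits (in this commit's process block an access package whose policies partly match is returned with its policy list cut down to the matching subset), each needs a sentence such as `.Parameter PolicyWithScopeType  Keep only policies whose RequestorSettings.ScopeType is one of these values; the emitted access package lists only those policies`. The `$policyEvaluation` flag set in `begin` is the switch for that behaviour and the end-of-run warning, so a comment above it, `# any policy filter turns on per-policy evaluation and the end-of-run warning`, would save the reader a trip to `end`.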
@@ -52,7 +66,54 @@ process {
 write-verbose "no access package id"
 return
 }
-
+
+ if ($policyEvaluation) {
+ $inputPolicyCount = 0
+ try {
+ if ($AccessPackage.AccessPackageAssignmentPolicies) {
+ $inputPolicyCount = $AccessPackage.AccessPackageAssignmentPolicies.Length
+
+ }
+ } catch {
+ write-verbose "no policies in $accessPackageId"
+ $APWithZeroPolicies++
+ return
+ }
+ if ($inputPolicyCount -eq 0) {
+ $APWithZeroPolicies++
+ return
+ }
+
+ $APWithNonZeroPolicies++
+
+ $matchingPolicyCount = 0
+ $matchingPolicies = @()
+ foreach ($p in $AccessPackage.AccessPackageAssignmentPolicies) {
+ $thisMatch = $null
+
+ $thisMatch = @(Select-MgEntitlementManagementAccessPackageAssignmentPolicy -ScopeType $PolicyWithScopeType -NoApprovalRequiredForRequest:$PolicyWithNoApprovalRequiredForRequest -Policy $p)
+
+ if ($null -eq $thisMatch -or $thisMatch.Length -eq 0) {
+ # not a match
+ } else {
+ $matchingPolicies += $thisMatch[0]
+ }
+ }
+ $matchingPolicyCount = $matchingPolicies.Length
+ if ($matchingPolicyCount -eq 0) {
+ write-verbose "skipping $accessPackageId as $inputPolicyCount policies has 0 matching"
+ return
+ } elseif ($inputPolicyCount -ne $matchingPolicyCount) {
+ write-verbose "changing $accessPackageId from $inputPolicyCount to $MatchingPolicyCount"
+
+ $NewObj = $AccessPackage.PSObject.Copy()
+ $NewObj | Add-Member -MemberType NoteProperty -Name AccessPackageAssignmentPolicies -Value $matchingPolicies -Force
+ } else {
+ write-verbose "all $inputPolicyCount policies of $accessPackageId are relevant"
+ }
+
+ }
+
 write-output $NewObj
 }

From dafe03b28eb095fc67f55e911aed873cd11b8ed4 Mon Sep 17 00:00:00 2001
From: Mark Wahl
Date: Mon, 10 May 2021 15:40:20 -0700
Subject: [PATCH 6/6] simplify expression
---
 .../custom/Select-MgEntitlementManagementAccessPackage.ps1 | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
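Review bot: The object emitted on a partial match is `$AccessPackage.PSObject.Copy()` with `AccessPackageAssignmentPolicies` shadowed by `Add-Member -Force`, so what leaves the cmdlet is a view whose policy list is reduced to the matching subset while the wrapped object presumably still carries every policy; this should be stated in the `.Outputs`/`.Description` help (outside the hunk) so a caller neither reads the reduced count as the directory's state nor feeds the view into a write cmdlet. The match test is an empty branch, `if ($null -eq $thisMatch -or $thisMatch.Length -eq 0) { # not a match } else { ... }`; since `$thisMatch` is always an array from `@(...)`, `if ($thisMatch.Length -gt 0) { $matchingPolicies += $thisMatch[0] }` says the same thing, and the preceding `$thisMatch = $null` and the initial `$matchingPolicyCount = 0` are dead assignments. `$MatchingPolicyCount` in the verbose message differs in case from `$matchingPolicyCount`; PowerShell resolves it, but the spelling should match. The `catch` around the `.Length` read counts a failure as a zero-policy package, which only triggers under Set-StrictMode, so a comment naming the failure it expects would help the next reader.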
diff --git a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1 b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
index 556efdc44ac..2723d27c545 100644
--- a/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
+++ b/src/Identity.Governance/Identity.Governance/custom/Select-MgEntitlementManagementAccessPackage.ps1
@@ -49,9 +49,7 @@ begin {
 $APWithNonZeroPolicies = 0
 $policyEvaluation = $false

- if ($PolicyWithNoApprovalRequiredForRequest) {
- $policyEvaluation = $true
- } elseif ($null -ne $PolicyWithScopeType -and $PolicyWithScopeType.Length -gt 0) {
+ if ($PolicyWithNoApprovalRequiredForRequest -or ($null -ne $PolicyWithScopeType -and $PolicyWithScopeType.Length -gt 0)) {
 $policyEvaluation = $true
 }
 }
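Review bot: The `begin` block still initialises `$policyEvaluation = $false` and then conditionally flips it, although the condition is now a single boolean expression; the flag can be assigned directly as `$policyEvaluation = [bool]$PolicyWithNoApprovalRequiredForRequest -or ($null -ne $PolicyWithScopeType -and $PolicyWithScopeType.Length -gt 0)`, which drops the remaining `if` and its `$true` assignment. The `$policyEvaluation = $false` line is context in this hunk, so the change replaces it and the added `if` together.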