Added Manage and FullControl to Grant-PnPAzureADAppSitePermission #3617

Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -50,6 +50,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
- Added support for executing the 'Invoke-PnPSPRestMethod' cmdlet in a batch [#3565](https://github.com/pnp/powershell/pull/3565)
- Added `Get-PnPSiteSetVersionPolicyProgress` cmdlet which allows for getting the progress of setting a version policy for existing document libraries on a site [#3564](https://github.com/pnp/powershell/pull/3564)
- Added `EnableSensitivityLabelForPDF` to `Set-PnPTenant` and `Get-PnPTenant` [#3581](https://github.com/pnp/powershell/pull/3581)
- Added the ability to set Manage and FullControl permissions directly when using Sites.Selected with `Grant-PnPAzureADAppSitePermission` [#3617](https://github.com/pnp/powershell/pull/3617)
- Added `Remove-PnPMicrosoft365GroupPhoto` cmdlet which allows removal of profile picture of M365 Group. [#3607](https://github.com/pnp/powershell/pull/3607)

### Fixed
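Review bot: style point on the new CHANGELOG entry: the neighbouring entries wrap cmdlet and property names in backticks, so `Manage`, `FullControl` and `Sites.Selected` should get the same treatment as `Grant-PnPAzureADAppSitePermission`. It would also help readers to say what actually changed for them, namely that the earlier two-step flow (grant Read or Write, then raise it with `Set-PnPAzureADAppSitePermission`, as the removed documentation sentence described) is no longer required.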
12 changes: 6 additions & 6 deletions documentation/Grant-PnPAzureADAppSitePermission.md
@@ -20,12 +20,12 @@ Adds permissions for a given Azure Active Directory application registration.
## SYNTAX

```powershell
Grant-PnPAzureADAppSitePermission -AppId <Guid> -DisplayName <String> -Permissions <Read|Write> [-Site <SitePipeBind>] [-Connection <PnPConnection>]
Grant-PnPAzureADAppSitePermission -AppId <Guid> -DisplayName <String> -Permissions <Read|Write|Manage|FullControl> [-Site <SitePipeBind>] [-Connection <PnPConnection>]
```

## DESCRIPTION

This cmdlet adds permissions for a given Azure Active Directory application registration in a site collection. It is used in conjunction with the Azure Active Directory SharePoint application permission Sites.Selected. Notice that this cmdlet allows for fewer permissions compared to updating rights through [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md). If you wish to i.e. assign FullControl permissions, you need to add read or write permissions through this cmdlet first and then update it to FullControl.
This cmdlet adds permissions for a given Azure Active Directory application registration in a site collection. It is used in conjunction with the Azure Active Directory SharePoint application permission Sites.Selected.

## EXAMPLES

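Review bot: the replacement DESCRIPTION says nothing about the scope of what is now grantable in a single call. Since `FullControl` can be assigned directly, the paragraph should state that it gives the application full rights over the site collection and that `Read` or `Write` is the right choice where the app only needs item access, and it should keep the link to [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md) for changing an existing grant, which the removed sentence was the only reference to. It is also worth saying that the cmdlet itself needs `Sites.FullControl.All` on the connection, as the `RequiredMinimalApiPermissions` attribute on the cmdlet class declares, so readers understand why a connection with lesser rights fails.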
@@ -38,10 +38,10 @@ Adds permissions for the Azure Active Directory application registration with th

### EXAMPLE 2
```powershell
Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions Write -Site https://contoso.sharepoint.com/sites/projects
Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions FullControl -Site https://contoso.sharepoint.com/sites/projects
```

Adds permissions for the Azure Active Directory application registration with the specific application id and sets the rights to 'Write' access for the site collection at the provided URL.
Adds permissions for the Azure Active Directory application registration with the specific application id and sets the rights to 'FullControl' access for the site collection at the provided URL.

## PARAMETERS

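Review bot: changing EXAMPLE 2 from `Write` to `FullControl` removes the only `Write` example and leaves `Manage` with no example at all. Rather than replacing it, keep EXAMPLE 2 as the `Write` case and add EXAMPLE 3 and EXAMPLE 4 for `Manage` and `FullControl`, so each accepted value is shown once and the first examples a reader copies are the least-privileged ones.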
@@ -88,14 +88,14 @@ Accept wildcard characters: False
```

### -Permissions
Specifies the permissions to set for the Azure Active Directory application registration which can either be Read or Write. Use [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md) after initially adding these permissions to update it to Manage or FullControl permissions.
Specifies the permissions to set for the Azure Active Directory application registration which can either be Read, Write, Manage or FullControl.

```yaml
Type: String
Parameter Sets: (All)

Required: True
Accepted values: Read, Write
Accepted values: Read, Write, Manage, FullControl
Position: Named
Default value: None
Accept pipeline input: False
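Review bot: "which can either be Read, Write, Manage or FullControl" reads oddly with four options; suggest "which can be one of Read, Write, Manage or FullControl". Also check `Type: String` in the yaml block: the code hunk in `GrantAzureADAppSitePermission.cs` changes the role mapping from `p.ToLower()` to `p.ToString().ToLowerInvariant()`, which is redundant on a string and suggests `-Permissions` is now typed as the `AzureADNewSitePermissionRole` enum that this PR extends; if so, the documented type should follow so the generated help matches the real parameter.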
54 changes: 33 additions & 21 deletions src/Commands/Apps/GrantAzureADAppSitePermission.cs
@@ -14,6 +14,7 @@ namespace PnP.PowerShell.Commands.Apps
[Cmdlet(VerbsSecurity.Grant, "PnPAzureADAppSitePermission")]
[RequiredMinimalApiPermissions("Sites.FullControl.All")]
[Alias("Grant-PnPEntraIDAppSitePermission")]
[OutputType(typeof(AzureADAppPermissionInternal))]
public class GrantPnPAzureADAppSitePermission : PnPGraphCmdlet
{
[Parameter(Mandatory = true)]
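Review bot: the added `[OutputType(typeof(AzureADAppPermissionInternal))]` does not match what the cmdlet emits: `ExecuteCmdlet` ends with `WriteObject(result.Convert())`, so the object placed on the pipeline is whatever `Convert()` returns, not `AzureADAppPermissionInternal`. Point `OutputType` at the converted type so `(Get-Command Grant-PnPAzureADAppSitePermission).OutputType` and downstream tab completion describe the real output.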
@@ -36,39 +36,50 @@ protected override void ExecuteCmdlet()
Guid siteId = Guid.Empty;
if (ParameterSpecified(nameof(Site)))
{
WriteVerbose($"Using Microsoft Graph to lookup the site Id of the passed in site using -{nameof(Site)}");
siteId = Site.GetSiteIdThroughGraph(Connection, AccessToken);
WriteVerbose($"Site passed in using -{nameof(Site)} resolved to Id {siteId}");
}
else
{
WriteVerbose($"No specific site passed in through -{nameof(Site)}, taking the currently connected to site");
siteId = PnPContext.Site.Id;
WriteVerbose($"Currently connected to site has Id {siteId}");
}

if (siteId != Guid.Empty)
if (siteId == Guid.Empty)
{
var payload = new
{
roles = Permissions.Select(p => p.ToLower()).ToArray(),
grantedToIdentities = new[] {
new {
application = new {
id = AppId.ToString(),
displayName = DisplayName
}
WriteVerbose("Id of the site to provide permissions on could not be defined. Please ensure you're passing in a valid site using -{nameof(Site)}");
return;
}

// Construct the payload of the Graph request
var payload = new
{
roles = Permissions.Select(p => p.ToString().ToLowerInvariant()).ToArray(),
grantedToIdentities = new[] {
new {
application = new {
id = AppId.ToString(),
displayName = DisplayName
}
},
grantedToIdentitiesV2 = new[] {
new {
application = new {
id = AppId.ToString(),
displayName = DisplayName
}
}
},
grantedToIdentitiesV2 = new[] {
new {
application = new {
id = AppId.ToString(),
displayName = DisplayName
}
}
};
}
};

var results = Utilities.REST.RestHelper.PostAsync<AzureADAppPermissionInternal>(Connection.HttpClient, $"https://{Connection.GraphEndPoint}/v1.0/sites/{siteId}/permissions", AccessToken, payload).GetAwaiter().GetResult();
WriteObject(results.Convert());
}
WriteVerbose($"Granting App with Id {AppId} the permission{(payload.roles.Length != 1 ? "s" : "")} {string.Join(',', payload.roles)}");

// Make the Graph Grant request
var result = Utilities.REST.RestHelper.PostAsync<AzureADAppPermissionInternal>(Connection.HttpClient, $"https://{Connection.GraphEndPoint}/v1.0/sites/{siteId}/permissions", AccessToken, payload).GetAwaiter().GetResult();
WriteObject(result.Convert());
}
}
}
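Review bot: the new early-exit message is not an interpolated string: `WriteVerbose("Id of the site to provide permissions on could not be defined. Please ensure you're passing in a valid site using -{nameof(Site)}")` lacks the `$` prefix that every other `WriteVerbose` call in this method uses, so the user will see the literal text `{nameof(Site)}`. The bigger issue is the failure mode: when `siteId` is `Guid.Empty` the cmdlet returns after a verbose message that is only visible with `-Verbose`, producing no output and no error, so a script that expected a grant cannot tell this apart from success. Report it through `WriteError` or `ThrowTerminatingError` instead; a permission grant that silently does nothing is exactly the case an operator needs to notice.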
14 changes: 12 additions & 2 deletions src/Commands/Enums/AzureADNewSitePermissionRole.cs
@@ -2,7 +2,7 @@
{
/// <summary>
/// Defines the roles that can be chosen when setting up a new site permission
/// See <a href="https://learn.microsoft.com/en-us/graph/api/resources/permission#roles-property-values">Graph Reference</a>
/// See <a href="https://learn.microsoft.com/graph/api/resources/permission#roles-property-values">Graph Reference</a>
/// </summary>
public enum AzureADNewSitePermissionRole
{
@@ -14,6 +14,16 @@ public enum AzureADNewSitePermissionRole
/// <summary>
/// Provides the ability to read and modify the metadata and contents of the item
/// </summary>
Write
Write,

/// <summary>
/// Applies the SharePoint manage permissions
/// </summary>
Manage,

/// <summary>
/// Applies Full Control permissions
/// </summary>
FullControl
}
}
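Review bot: the doc comments on the two new members are thinner than those on `Read` and `Write` and do not say what the role grants: `Manage` reads "Applies the SharePoint manage permissions" and `FullControl` reads "Applies Full Control permissions". Describe the effect (for `FullControl`, full rights over the whole site collection) so the scope is visible in IntelliSense and in the generated help. It would also be worth a comment on the enum that member names are serialised with `ToString().ToLowerInvariant()` in `GrantAzureADAppSitePermission.cs` and therefore must match the Graph `roles` values case-insensitively (`FullControl` becomes `fullcontrol`; a member spelled `Full_Control` would silently produce a role Graph does not know), since that wire-format contract is easy to break when the next member is added.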
2 changes: 1 addition & 1 deletion src/Commands/Enums/AzureADUpdateSitePermissionRole.cs
@@ -2,7 +2,7 @@
{
/// <summary>
/// Defines the roles that can be chosen when updating an existing site permission
/// See <a href="https://learn.microsoft.com/en-us/graph/api/resources/permission#roles-property-values">Graph Reference</a>
/// See <a href="https://learn.microsoft.com/graph/api/resources/permission#roles-property-values">Graph Reference</a>
/// </summary>
public enum AzureADUpdateSitePermissionRole
{