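<#
.SYNOPSIS
Creates an emergency-access ("break glass", BGA) account in Microsoft Entra ID,
assigns it the Global Administrator role and excludes it from every Conditional
Access (CA) policy in the tenant.
.DESCRIPTION
Each step is safe to re-run: an account that already exists is reused instead of
recreated, an existing Global Administrator assignment is not duplicated, and the
account id is appended once to the existing user exclusions of every CA policy.
Because the account bypasses CA, sign-ins for it should be monitored and alerted on.
.PARAMETER AccountGivenName
Given name of the account; lower-cased to form the first part of the UPN/mail nickname.
.PARAMETER AccountGivenSurname
Surname of the account; lower-cased to form the second part of the UPN/mail nickname.
.PARAMETER AccountPassword
Password of the account as a SecureString (for example from Read-Host -AsSecureString).
.Example
$password = Read-Host -AsSecureString
.\New-EntraBGA.ps1 -AccountGivenName Casey -AccountGivenSurname Worste -AccountPassword $password
.Notes
Author: Robert Przybylski
azureblog.pl 2023
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string] $AccountGivenName,
    [Parameter(Mandatory)]
    [string] $AccountGivenSurname,
    [Parameter(Mandatory)]
    [securestring] $AccountPassword
)

#region module test
# Get-InstalledModule errors when the module is absent; that is the case handled below.
$moduleTest = Get-InstalledModule Microsoft.Graph -ErrorAction SilentlyContinue
if ($null -eq $moduleTest) {
    Write-Host "Microsoft.Graph module is missing"
    Write-Host "Installing..."
    Install-Module Microsoft.Graph -Scope CurrentUser | Out-Null
}
#endregion

#region sign-in
# Scopes are limited to what the calls in this script need:
#   User.ReadWrite.All                                   - Get-MgUser / New-MgUser
#   Domain.Read.All                                      - Get-MgDomain
#   RoleManagement.ReadWrite.Directory                   - role definition lookup and assignment
#   Policy.Read.All, Policy.ReadWrite.ConditionalAccess  - read and update CA policies
# EntitlementManagement.ReadWrite.All was requested by the original version but nothing here uses it.
$scopes = @(
    'User.ReadWrite.All'
    'Domain.Read.All'
    'RoleManagement.ReadWrite.Directory'
    'Policy.Read.All'
    'Policy.ReadWrite.ConditionalAccess'
)
Connect-MgGraph -Scopes $scopes
# Connect-MgGraph does not terminate the script when the sign-in is cancelled; stop before any change.
if ($null -eq (Get-MgContext)) {
    throw "Connect-MgGraph did not establish a session; aborting before any change is made."
}
#endregion

#region Creating BGA user
$domain = Get-MgDomain | Where-Object { $_.IsInitial -eq $true } | Select-Object -ExpandProperty Id
if ([string]::IsNullOrEmpty($domain)) {
    throw "No initial (*.onmicrosoft.com) domain was returned; cannot build the UPN."
}
$mail = "$($AccountGivenName.ToLower()).$($AccountGivenSurname.ToLower())"
$upn  = "$mail@$domain"

# Server-side filter instead of paging through every user with -All and filtering locally.
# Single quotes in the value are doubled so the UPN cannot break out of the OData string literal.
$upnFilterValue = $upn.Replace("'", "''")
$userTest = Get-MgUser -Filter "userPrincipalName eq '$upnFilterValue'" -ErrorAction SilentlyContinue
if ($null -eq $userTest) {
    Write-Host "User with UPN '$upn' does not exist." -ForegroundColor Yellow
    Write-Host "Creating..."
    # Graph's passwordProfile.password is a plain string, so the SecureString is decrypted here;
    # the plaintext lives only in $passwordProfile and is cleared right after the call.
    # NOTE(review): forceChangePasswordNextSignIn is left at the service default, as in the
    # original; confirm that this matches what the tenant expects for a break-glass account.
    $passwordProfile = @{
        password = [System.Net.NetworkCredential]::new('', $AccountPassword).Password
    }
    $bga = New-MgUser -GivenName $AccountGivenName -Surname $AccountGivenSurname `
        -DisplayName "$AccountGivenName $AccountGivenSurname" -AccountEnabled `
        -UserPrincipalName $upn -PasswordProfile $passwordProfile -MailNickName $mail
    $passwordProfile.password = $null
    Remove-Variable -Name passwordProfile
    if ($null -eq $bga) {
        throw "New-MgUser returned nothing for '$upn'; not continuing with role assignment."
    }
    Write-Host "User with UPN '$upn' has been created" -ForegroundColor Green
    $bgaID = $bga.Id
}
else {
    # The original left $bgaID unset on this path, so the role assignment and the CA exclusions
    # below ran with an empty principal id. Reuse the existing account instead.
    Write-Host "User with UPN '$upn' already exists." -ForegroundColor Red
    $bgaID = $userTest.Id
}
if ([string]::IsNullOrEmpty($bgaID)) {
    throw "Could not determine the object id of '$upn'."
}
#endregion

#region Role assignment
# Role reference: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
$gaRoleDefinitionID = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'" |
    Select-Object -ExpandProperty Id
if ([string]::IsNullOrEmpty($gaRoleDefinitionID)) {
    throw "The 'Global Administrator' role definition was not found."
}
# Creating a duplicate assignment fails with a conflict, so check first (matters on re-runs).
$existingAssignment = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$bgaID' and roleDefinitionId eq '$gaRoleDefinitionID'" `
    -ErrorAction SilentlyContinue
if ($null -eq $existingAssignment) {
    $params = @{
        "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
        roleDefinitionId = $gaRoleDefinitionID
        principalId      = $bgaID
        directoryScopeId = "/"
    }
    Write-Host "Assigning GA role with ID '$gaRoleDefinitionID' to upn '$upn' with id '$bgaID'" -ForegroundColor Green
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
}
else {
    Write-Host "UPN '$upn' already holds the GA role; skipping assignment." -ForegroundColor Yellow
}
#endregion

#region CA Policy exclude
# A break-glass account has to stay reachable when a CA policy misfires, so its id is added to the
# user exclusions of every policy. Existing exclusions are preserved and the id is appended once.
# NOTE(review): only excludeUsers/excludeGroups are resent, as in the original; confirm in the tenant
# that the other conditions.users sub-properties (include*, role exclusions) are retained by PATCH.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
Write-Host "Found '$($caPolicies.Count)' CA policies..." -ForegroundColor Yellow
foreach ($policy in $caPolicies) {
    Write-Host "Updating policy '$($policy.DisplayName)' to exclude BGA user with id '$bgaID'" -ForegroundColor Green
    # Re-read the policy so the update is based on its current state rather than the listing.
    $current = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
    # An unset ExcludeUsers would otherwise contribute a $null element to the array sent to Graph.
    $excludedUsers = @($current.Conditions.Users.ExcludeUsers) + @($bgaID) |
        Where-Object { -not [string]::IsNullOrEmpty($_) } |
        Select-Object -Unique
    $excludedGroups = @($current.Conditions.Users.ExcludeGroups) |
        Where-Object { -not [string]::IsNullOrEmpty($_) }
    $params = @{
        conditions = @{
            users = @{
                excludeUsers  = @($excludedUsers)
                excludeGroups = @($excludedGroups)
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $params
}
#endregion
Write-Host "Script end."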