################################################################################################
# Author: Sunil Chauhan
# About: This is the new PIM script, which helps activate all assigned PIM roles easily.
# Prerequisites: the AzureADPreview module must be installed.
# my blog: www.lab365.in
# Script: GetActivePimRolesNew - GetVersion 1.0
################################################################################################
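# Verify that the AzureADPreview module is installed and that the host is connected to AzureAD.
# Import-Module reports a missing module as a NON-terminating error, so without -ErrorAction Stop
# the catch below never ran and the script continued with the module absent.
try {
    Import-Module -Name AzureADPreview -ErrorAction Stop
}
catch {
    "AzureAdpreview Module is not installed, please install the AzureADPreview module"; Break
}

# Probe the current session. Get-AzureADCurrentSessionInfo fails when there is no session;
# the original probe used -ErrorAction SilentlyContinue inside a try, so the connect branch in
# the catch was unreachable. The result is tested directly instead.
$TenantId = $null
try {
    $TenantId = Get-AzureADCurrentSessionInfo -ErrorAction Stop
}
catch {
    $TenantId = $null
}

if (-not $TenantId) {
    Write-Host "you are not connected to AzureAD"
    try {
        # A $cred (PSCredential) pre-populated in the calling session is honoured, falling back
        # to the interactive sign-in if it is rejected. Without $cred the interactive prompt is
        # used directly rather than passing a null credential.
        if ($cred) {
            try {
                Connect-AzureAD -Credential $cred -ErrorAction Stop
            }
            catch {
                Connect-AzureAD -ErrorAction Stop
            }
        }
        else {
            Connect-AzureAD -ErrorAction Stop
        }
    }
    catch {
        "failed to connect to AzureAD"; break
    }
}

# Re-read the session so $TenantId reflects the (possibly new) connection.
try {
    $TenantId = Get-AzureADCurrentSessionInfo -ErrorAction Stop
}
catch {
    "Failed to connect to AzureAD"; break
}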
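# Fetch the AzureAD (PIM) role definitions for this tenant; used below to translate
# RoleDefinitionId values into display names.
$PIMRoleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantId.TenantId.guid

# Resolve the signed-in account to its object ID.
# NOTE(review): -SearchString is a prefix search and can return more than one user when the
# tenant has similarly named accounts; confirm a single object comes back before relying on it.
$AdminUserObjectID = (Get-AzureADUser -SearchString $TenantId.Account).ObjectID

# Fetch the roles assigned to the signed-in user.
# -eq replaces -match: both IDs are GUIDs, so an exact comparison is what is intended;
# -match would treat the ID as a regular expression and accept substring matches.
$RolesAssigntoAdminAccount = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $TenantId.TenantId.guid |
    Where-Object { $_.SubjectId -eq $AdminUserObjectID }

# Translate the role name and let the user pick the roles to activate in a grid view.
$SelectedRoles = $RolesAssigntoAdminAccount |
    Select-Object RoleDefinitionId, SubjectId,
        @{ n = "RoleDefinitionName"; E = { $RD = $_.RoleDefinitionId; ($PIMRoleDefinition | Where-Object { $_.Id -eq $RD }).DisplayName } },
        StartDateTime, EndDateTime, AssignmentState |
    Out-GridView -PassThru -Title "Select the roles to activated"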
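# Function to get the number of hours for which the selected roles should be activated.
Function GetHours {
    <#
    .SYNOPSIS
    Shows a small dialog with a 1..10 drop-down and returns the chosen number of hours.
    .OUTPUTS
    The selected item (an integer 1..10) when OK is pressed; nothing when the dialog is
    cancelled or closed, so callers must check for an empty result.
    #>
    Add-Type -AssemblyName System.Windows.Forms
    Add-Type -AssemblyName System.Drawing

    $form = New-Object System.Windows.Forms.Form
    # Title fixed: the original 'Select a Computer' was a copy-paste leftover.
    $form.Text = 'Select Activation Hours'
    $form.Size = New-Object System.Drawing.Size(300, 200)
    $form.StartPosition = 'CenterScreen'

    $OKButton = New-Object System.Windows.Forms.Button
    $OKButton.Location = New-Object System.Drawing.Point(75, 120)
    $OKButton.Size = New-Object System.Drawing.Size(75, 23)
    $OKButton.Text = 'OK'
    $OKButton.DialogResult = [System.Windows.Forms.DialogResult]::OK
    $form.AcceptButton = $OKButton
    $form.Controls.Add($OKButton)

    $CancelButton = New-Object System.Windows.Forms.Button
    $CancelButton.Location = New-Object System.Drawing.Point(150, 120)
    $CancelButton.Size = New-Object System.Drawing.Size(75, 23)
    $CancelButton.Text = 'Cancel'
    $CancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
    $form.CancelButton = $CancelButton
    $form.Controls.Add($CancelButton)

    $label = New-Object System.Windows.Forms.Label
    $label.Location = New-Object System.Drawing.Point(10, 20)
    $label.Size = New-Object System.Drawing.Size(280, 20)
    $label.Text = 'Select Numbers Of hours:'
    $form.Controls.Add($label)

    $DropDownBox = New-Object System.Windows.Forms.ComboBox
    # Location is a Point; the original assigned a Size here and relied on implicit conversion.
    $DropDownBox.Location = New-Object System.Drawing.Point(20, 50)
    $DropDownBox.Size = New-Object System.Drawing.Size(180, 20)
    $DropDownBox.DropDownHeight = 200
    # DropDownList blocks free-text entry, so SelectedItem is always one of 1..10 or $null.
    $DropDownBox.DropDownStyle = [System.Windows.Forms.ComboBoxStyle]::DropDownList
    foreach ($hourOption in 1..10) {
        [void]$DropDownBox.Items.Add($hourOption)
    }
    # Added once; the original added the same control to the form twice.
    $form.Controls.Add($DropDownBox)

    $form.Topmost = $true
    try {
        $result = $form.ShowDialog()
        if ($result -eq [System.Windows.Forms.DialogResult]::OK) {
            $DropDownBox.SelectedItem
        }
    }
    finally {
        # Release the window handle even if ShowDialog throws.
        $form.Dispose()
    }
}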
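# If roles were selected, request activation for each of them.
if ($SelectedRoles) {
    $hours = GetHours
    # GetHours returns nothing when the dialog is cancelled. Without this guard AddHours($null)
    # produces an end time equal to the start time and every request is sent with an empty window.
    if (-not $hours) {
        Write-Host "No activation duration was selected; no roles were activated" -ForegroundColor Yellow
    }
    else {
        # Justification is submitted with each request; a specific reason is preferable to a
        # generic one when the activation is later reviewed.
        $reason = "Activation for the shift"

        # One schedule object is reused for all selected roles.
        $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
        $schedule.Type = "Once"
        $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        $schedule.EndDateTime = ((Get-Date).AddHours($hours)).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

        foreach ($role in $SelectedRoles) {
            Write-Host "Activating Role:" $role.RoleDefinitionName -NoNewline
            try {
                # -ErrorAction Stop so a rejected request reaches the catch below; with
                # SilentlyContinue (the original) a failure printed neither Done nor Failed.
                $roleactivation = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' `
                    -ResourceId $TenantId.TenantId.guid -RoleDefinitionId $role.RoleDefinitionId `
                    -SubjectId $role.SubjectId -Type 'UserAdd' -AssignmentState 'Active' `
                    -Schedule $schedule -Reason $reason -ErrorAction Stop
                if ($roleactivation) {
                    Write-Host " :Done - Activation Successfull!!!" -ForegroundColor Green
                }
                else {
                    Write-Host " :Failed - no request object returned" -ForegroundColor Red
                }
            }
            catch {
                # Surface the service's message so the operator can see why (e.g. policy, MFA).
                Write-Host " :Failed - $($_.Exception.Message)" -ForegroundColor Red
            }
        }
    }
}
else {
    Write-Host "No roles were selected for activation" -ForegroundColor Yellow
}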