From 1d6e955467202fc2947a96e7e7e48c230e5de2e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Thu, 7 Mar 2024 14:08:07 +0100 Subject: [PATCH] V1.4.0 --- EasyPIM/EasyPIM.psd1 | 6 ++-- .../Get-PIMEntraRoleActiveAssignment.ps1 | 33 +++++++++++++---- .../Get-PIMEntraRoleEligibleAssignment.ps1 | 35 +++++++++++++++---- .../New-PIMAzureResourceActiveAssignment.ps1 | 2 +- ...New-PIMAzureResourceEligibleAssignment.ps1 | 2 +- .../New-PIMEntraRoleActiveAssignment.ps1 | 4 +-- .../New-PIMEntraRoleEligibleAssignment.ps1 | 4 +-- ...emove-PIMAzureResourceActiveAssignment.ps1 | 2 +- ...ove-PIMAzureResourceEligibleAssignment.ps1 | 2 +- .../Remove-PIMEntraRoleActiveAssignment.ps1 | 4 +-- 10 files changed, 69 insertions(+), 25 deletions(-) diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1 index a3fb49c..de3613a 100644 --- a/EasyPIM/EasyPIM.psd1 +++ b/EasyPIM/EasyPIM.psd1 @@ -4,7 +4,7 @@ RootModule = 'EasyPIM.psm1' # Version number of this module. -ModuleVersion = '1.3.0' +ModuleVersion = '1.4.0' # Supported PSEditions # CompatiblePSEditions = @() @@ -83,7 +83,9 @@ FunctionsToExport = @( "Get-PIMEntraRoleActiveAssignment", "Get-PIMEntraRoleEligibleAssignment", "New-PIMEntraRoleActiveAssignment", - "New-PIMEntraRoleEligibleAssignment" + "New-PIMEntraRoleEligibleAssignment", + 'Remove-PIMEntraRoleActiveAssignment', + 'Remove-PIMEntraRoleEligibleAssignment' ) # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. diff --git a/EasyPIM/functions/Get-PIMEntraRoleActiveAssignment.ps1 b/EasyPIM/functions/Get-PIMEntraRoleActiveAssignment.ps1 index de8d0aa..00cac2c 100644 --- a/EasyPIM/functions/Get-PIMEntraRoleActiveAssignment.ps1 +++ b/EasyPIM/functions/Get-PIMEntraRoleActiveAssignment.ps1 
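Review bot: The two entries added to FunctionsToExport use single quotes while every existing entry in the same array uses double quotes; keep one style, e.g. `"Remove-PIMEntraRoleActiveAssignment",` and `"Remove-PIMEntraRoleEligibleAssignment"`. The new export for Remove-PIMEntraRoleEligibleAssignment names a function whose file is not in this patch's diffstat, so it presumably already exists in the tree; it is worth confirming that the `function` line in that file matches the exported string exactly, since the sibling Remove-PIMEntraRoleActiveAssignment.ps1 carried the misspelling `Remove-PIMEntraRoleActiveeAssignment` until this same patch, and an export that matches no definition only surfaces as a warning at module import.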
@@ -1,17 +1,23 @@ <# .Synopsis - List of PIM Entra Role active assignement + List of PIM Entra Role active assignement .Description Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http .Parameter tenantID EntraID tenant ID .Parameter summary When enabled will return the most useful information only - + .PARAMETER rolename + Filter by rolename + .PARAMETER principalid + Filter by principalid + .PARAMETER principalName + Filter by principalName + .Example - PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid + PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid - List active assignement + List active assignement .Link @@ -27,7 +33,10 @@ function Get-PIMEntraRoleActiveAssignment { [String] $tenantID, # select the most usefull info only - [switch]$summary + [switch]$summary, + [string]$principalid, + [string]$rolename, + [string]$principalName ) try { @@ -36,7 +45,7 @@ function Get-PIMEntraRoleActiveAssignment { $endpoint = "roleManagement/directory/roleAssignmentScheduleInstances?`$expand=roleDefinition,principal" $response = invoke-graph -Endpoint $endpoint $resu = @() - $response.value | % { + $response.value | ForEach-Object { $r = @{ "rolename" = $_.roledefinition.displayName 
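Review bot: The three filter parameters added to the param block of Get-PIMEntraRoleActiveAssignment are bound without validation, so `-rolename ''` or `-principalid $null` (which binds as an empty string) passes the later `$PSBoundParameters.Keys.Contains(...)` test and silently filters every assignment out, returning nothing instead of an error. Add `[ValidateNotNullOrEmpty()]` to each, e.g. `[ValidateNotNullOrEmpty()][string]$principalid,`, and apply the same to the identical param hunk in Get-PIMEntraRoleEligibleAssignment.ps1. The param block continues outside the hunk.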
@@ -61,6 +70,18 @@ function Get-PIMEntraRoleActiveAssignment { if ($PSBoundParameters.Keys.Contains('summary')) { $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId } + + if ($PSBoundParameters.Keys.Contains('principalid')) { + $resu = $resu | Where-Object { $_.principalid -eq $principalid } + } + + if ($PSBoundParameters.Keys.Contains('rolename')) { + $resu = $resu | Where-Object { $_.rolename -eq $rolename } + } + if($PSBoundParameters.Keys.Contains('principalName')){ + $resu = $resu | Where-Object { $_.principalName -match $principalName } + } + return $resu } catch { diff --git a/EasyPIM/functions/Get-PIMEntraRoleEligibleAssignment.ps1 b/EasyPIM/functions/Get-PIMEntraRoleEligibleAssignment.ps1 index 263b05e..23627b4 100644 --- a/EasyPIM/functions/Get-PIMEntraRoleEligibleAssignment.ps1 +++ b/EasyPIM/functions/Get-PIMEntraRoleEligibleAssignment.ps1 @@ -1,17 +1,22 @@ <# .Synopsis - List of PIM Entra Role active assignement + List of PIM Entra Role active assignement .Description Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http .Parameter tenantID EntraID tenant ID .Parameter summary When enabled will return the most useful information only - + .PARAMETER rolename + Filter by rolename + .PARAMETER principalid + Filter by principalid + .PARAMETER principalName + Filter by principalName .Example - PS> Get-PIMEntraRoleEligibleAssignment -tenantID $tid + PS> Get-PIMEntraRoleEligibleAssignment -tenantID $tid - List active assignement + List active assignement .Link @@ -27,7 +32,10 @@ function Get-PIMEntraRoleEligibleAssignment { [String] $tenantID, # select the most usefull info only - [switch]$summary + [switch]$summary, + [string]$principalid, + [string]$rolename, + [string]$principalName ) try { $script:tenantID = $tenantID 
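Review bot: The principalName filter added at the end of Get-PIMEntraRoleActiveAssignment treats the caller's value as an unescaped, unanchored regular expression (`-match`), while the principalid and rolename filters just above use exact `-eq`; a name containing `.`, `(` or `+` is read as regex syntax and a short value such as `a` matches every principal whose name contains it, so the result set is wider or narrower than the caller asked for. Either make the filter exact, `$resu = $resu | Where-Object { $_.principalName -eq $principalName }`, or, if substring matching is intended, escape the input, `$_.principalName -match [regex]::Escape($principalName)`, and say so in the `.PARAMETER principalName` help, which currently reads only "Filter by principalName". `$PSBoundParameters.ContainsKey('principalName')` is the idiomatic form of the `Keys.Contains` test used in all three branches. The same filter block is added to Get-PIMEntraRoleEligibleAssignment.ps1 in hunk `@@ -60,6 +68,19 @@` and needs the same change.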
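Review bot: The comment-based help at the top of Get-PIMEntraRoleEligibleAssignment.ps1 still describes the active-assignment cmdlet: the `.Synopsis` reads "List of PIM Entra Role active assignement", the `.Description` keeps "Active assignment does not require to activate their role.", and the `.Example` is captioned "List active assignement", although the function queries roleEligibilityScheduleInstances (visible in hunk `@@ -35,8 +43,8 @@`) and this hunk already rewrites two of those lines. Suggest `.Synopsis` → `List of PIM Entra Role eligible assignments`, a description stating that an eligible assignment must be activated before the role takes effect, and the example caption `List eligible assignments`. The help block continues outside the hunk.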
@@ -35,8 +43,8 @@ function Get-PIMEntraRoleEligibleAssignment { $endpoint = "/roleManagement/directory/roleEligibilityScheduleInstances?`$expand=roleDefinition,principal" $response = invoke-graph -Endpoint $endpoint $resu = @() - $response.value | % { - $_ + $response.value | ForEach-Object { + $r = @{ "rolename" = $_.roledefinition.displayName "roleid" = $_.roledefinition.id @@ -60,6 +68,19 @@ function Get-PIMEntraRoleEligibleAssignment { if ($PSBoundParameters.Keys.Contains('summary')) { $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId } + + if ($PSBoundParameters.Keys.Contains('principalid')) { + $resu = $resu | Where-Object { $_.principalid -eq $principalid } + } + + if ($PSBoundParameters.Keys.Contains('rolename')) { + $resu = $resu | Where-Object { $_.rolename -eq $rolename } + } + if($PSBoundParameters.Keys.Contains('principalName')){ + $resu = $resu | Where-Object { $_.principalName -match $principalName } + } + + return $resu } catch { Mycatch $_ } diff --git a/EasyPIM/functions/New-PIMAzureResourceActiveAssignment.ps1 b/EasyPIM/functions/New-PIMAzureResourceActiveAssignment.ps1 index c720d90..35a80b8 100644 --- a/EasyPIM/functions/New-PIMAzureResourceActiveAssignment.ps1 +++ b/EasyPIM/functions/New-PIMAzureResourceActiveAssignment.ps1 @@ -163,5 +163,5 @@ function New-PIMAzureResourceActiveAssignment { Write-Host "SUCCESS : Assignment created!" return $response } - catch{Mycatch $_} + catch{Mycatch $_} } diff --git a/EasyPIM/functions/New-PIMAzureResourceEligibleAssignment.ps1 b/EasyPIM/functions/New-PIMAzureResourceEligibleAssignment.ps1 index 7a86d48..1e55744 100644 --- a/EasyPIM/functions/New-PIMAzureResourceEligibleAssignment.ps1 +++ b/EasyPIM/functions/New-PIMAzureResourceEligibleAssignment.ps1 @@ -166,5 +166,5 @@ function New-PIMAzureResourceEligibleAssignment { } catch { Mycatch $_ - } + } } 
diff --git a/EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1 b/EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1 index 36dbebb..b823574 100644 --- a/EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1 +++ b/EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1 @@ -75,10 +75,10 @@ function New-PIMEntraRoleActiveAssignment { ) - try { + try { $script:tenantID = $tenantID - #1 check if the principal ID is a group, if yes confirm it is role-assignable + #1 check if the principal ID is a group, if yes confirm it is role-assignable $endpoint = "directoryObjects/$principalID" $response = invoke-graph -Endpoint $endpoint #$response diff --git a/EasyPIM/functions/New-PIMEntraRoleEligibleAssignment.ps1 b/EasyPIM/functions/New-PIMEntraRoleEligibleAssignment.ps1 index 9ab90fe..138b329 100644 --- a/EasyPIM/functions/New-PIMEntraRoleEligibleAssignment.ps1 +++ b/EasyPIM/functions/New-PIMEntraRoleEligibleAssignment.ps1 @@ -78,7 +78,7 @@ function New-PIMEntraRoleEligibleAssignment { try { $script:tenantID = $tenantID - #1 check if the principal ID is a group, if yes confirm it is role-assignable + #1 check if the principal ID is a group, if yes confirm it is role-assignable $endpoint = "directoryObjects/$principalID" $response = invoke-graph -Endpoint $endpoint #$response @@ -134,7 +134,7 @@ function New-PIMEntraRoleEligibleAssignment { "startDateTime": "'+ $startDateTime + '", "expiration": { "type": "'+ $type + '", - "endDateTime": + "endDateTime": null, "duration": "'+ $duration + '" } } diff --git a/EasyPIM/functions/Remove-PIMAzureResourceActiveAssignment.ps1 b/EasyPIM/functions/Remove-PIMAzureResourceActiveAssignment.ps1 index 673a193..0ac59c3 100644 --- a/EasyPIM/functions/Remove-PIMAzureResourceActiveAssignment.ps1 +++ b/EasyPIM/functions/Remove-PIMAzureResourceActiveAssignment.ps1 @@ -129,5 +129,5 @@ function Remove-PIMAzureResourceActiveAssignment { } catch { Mycatch $_ - } + } } 
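Review bot: The fix at `"endDateTime": null,` in New-PIMEntraRoleEligibleAssignment leaves the request body as a hand-concatenated JSON string, so `$startDateTime`, `$type` and `$duration` are spliced in without JSON escaping and any value containing a double quote or backslash yields an invalid or altered body — the same class of mistake as the missing `null` this commit repairs. Building a hashtable and serializing it, `$body = @{ ...; expiration = @{ type = $type; endDateTime = $null; duration = $duration } } | ConvertTo-Json -Depth 5`, gives correct quoting and escaping and expresses the null case without a literal. Whether endDateTime should always be null depends on which expiration types the cmdlet accepts, which is outside the hunk; if a date-based type such as afterDateTime is accepted, the value should come from a parameter rather than be hard-coded. The function and the enclosing string literal both start and end outside the hunk.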
diff --git a/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1 b/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1 index 47a8679..dffb126 100644 --- a/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1 +++ b/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1 @@ -125,5 +125,5 @@ function Remove-PIMAzureResourceEligibleAssignment { Write-Host "SUCCESS : Assignment removed!" return $response } - catch { MyCatch $_ } + catch { MyCatch $_ } } diff --git a/EasyPIM/functions/Remove-PIMEntraRoleActiveAssignment.ps1 b/EasyPIM/functions/Remove-PIMEntraRoleActiveAssignment.ps1 index f80fdc6..2844fe2 100644 --- a/EasyPIM/functions/Remove-PIMEntraRoleActiveAssignment.ps1 +++ b/EasyPIM/functions/Remove-PIMEntraRoleActiveAssignment.ps1 @@ -38,7 +38,7 @@ Author: Loïc MICHEL Homepage: https://github.com/kayasax/EasyPIM #> -function Remove-PIMEntraRoleActiveeAssignment { +function Remove-PIMEntraRoleActiveAssignment { [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")] [CmdletBinding()] param ( @@ -132,7 +132,7 @@ function Remove-PIMEntraRoleActiveeAssignment { } ' - $endpoint = "/roleManagement/directory/roleEligibilityScheduleRequests" + $endpoint = "/roleManagement/directory/roleAssignmentScheduleRequests" write-verbose "patch body : $body" $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body Write-Host "SUCCESS : Assignment removed!"
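Review bot: After the corrected endpoint `roleAssignmentScheduleRequests` in Remove-PIMEntraRoleActiveAssignment, the result of `invoke-graph` is discarded (`$null = invoke-graph ...`) and the next line prints "SUCCESS : Assignment removed!" unconditionally, so the message only reflects that the call returned, not that the removal request was accepted; for a privileged-role operation the caller should see the request's outcome. Unless invoke-graph is known to throw on every non-success response (it is defined outside this patch), capture and return the response, `$response = invoke-graph -Endpoint $endpoint -Method "POST" -body $body` followed by `return $response`, as the Azure-resource Remove cmdlets in this same patch already do. The verbose line `write-verbose "patch body : $body"` also says "patch" for what is a POST. The function body continues outside the hunk.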