V1.5

kayasax · Mar 8, 2024 · 6909e30 · 6909e30
1 parent b752f2b
commit 6909e30
Show file tree

Hide file tree

Showing 10 changed files with 1,047 additions and 5 deletions.
diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1
@@ -4,7 +4,7 @@
 RootModule = 'EasyPIM.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.4.0'
+ModuleVersion = '1.5.0'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -85,7 +85,15 @@ FunctionsToExport = @(
     "New-PIMEntraRoleActiveAssignment",
     "New-PIMEntraRoleEligibleAssignment",
     'Remove-PIMEntraRoleActiveAssignment',
-    'Remove-PIMEntraRoleEligibleAssignment'
+    'Remove-PIMEntraRoleEligibleAssignment',
+    "Get-PIMGroupPolicy",
+    "Set-PIMGroupPolicy",
+    "Get-PIMGroupActiveAssignment",
+    "Get-PIMGroupEligibleAssignment",
+    'New-PIMGroupActiveAssignment',
+    'New-PIMGroupEligibleAssignment',
+    'Remove-PIMGroupActiveAssignment', 
+    'Remove-PIMGroupEligibleAssignment'
 )
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

diff --git a/EasyPIM/functions/Get-PIMGroupActiveAssignment.ps1 b/EasyPIM/functions/Get-PIMGroupActiveAssignment.ps1
@@ -0,0 +1,91 @@
+<#
+    .Synopsis
+    List of PIM Entra Role active assignement
+    .Description
+    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
+    .Parameter tenantID
+    EntraID tenant ID
+    .Parameter summary
+    When enabled will return the most useful information only
+    .PARAMETER rolename
+    Filter by rolename
+    .PARAMETER principalid
+    Filter by principalid
+    .PARAMETER principalName
+    Filter by principalName
+
+    .Example
+    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid
+
+    List active assignement
+
+
+    .Link
+    .Notes
+    Author: Loïc MICHEL
+    Homepage: https://github.com/kayasax/EasyPIM
+#>
+
+function Get-PIMGroupActiveAssignment {
+    [CmdletBinding()]
+    param (
+        [Parameter(Position = 0, Mandatory = $true)]
+        [String]
+        $tenantID,
+        # select the most usefull info only
+        [switch]$summary,
+        [string]$groupID,
+        [string]$rolename,
+        [string]$principalName
+    )
+
+    try {
+        $script:tenantID = $tenantID
+
+        $endpoint = "identityGovernance/privilegedAccess/group/assignmentSchedules?`$filter=groupId eq '$groupID'&`$expand=principal
+        "
+        $response = invoke-graph -Endpoint $endpoint
+        $resu = @()
+        $response.value | ForEach-Object {
+
+            $r = @{
+                #"rolename"         = $_.roledefinition.displayName
+                #"roleid"           = $_.roledefinition.id
+                "principalname"    = $_.principal.displayName
+                "principalid"      = $_.principal.id
+                "principalEmail"   = $_.principal.mail
+                "startDateTime"    = $_.scheduleInfo.startDateTime
+                "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
+                #"directoryScopeId" = $_.directoryScopeId
+                "memberType"       = $_.accessId
+                "assignmentType"   = $_.memberType
+                #"activatedUsing"=$_.activatedUsing
+                "principaltype"    = $_.principal."@odata.type"
+                "id"               = $_.id
+            }
+            $resu += New-Object PSObject -Property $r
+
+
+        }
+
+        if ($PSBoundParameters.Keys.Contains('summary')) {
+            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId
+        }
+
+        if ($PSBoundParameters.Keys.Contains('principalid')) {
+            $resu = $resu | Where-Object { $_.principalid -eq $principalid }
+        }
+
+        if ($PSBoundParameters.Keys.Contains('rolename')) {
+            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
+        }
+        if($PSBoundParameters.Keys.Contains('principalName')){
+            $resu = $resu | Where-Object { $_.principalName -match $principalName }
+        }
+
+        return $resu
+    }
+    catch {
+        MyCatch $_
+    }
+}
diff --git a/EasyPIM/functions/Get-PIMGroupEligibleAssignment.ps1 b/EasyPIM/functions/Get-PIMGroupEligibleAssignment.ps1
@@ -0,0 +1,91 @@
+<#
+    .Synopsis
+    List of PIM Entra Role active assignement
+    .Description
+    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
+    .Parameter tenantID
+    EntraID tenant ID
+    .Parameter summary
+    When enabled will return the most useful information only
+    .PARAMETER rolename
+    Filter by rolename
+    .PARAMETER principalid
+    Filter by principalid
+    .PARAMETER principalName
+    Filter by principalName
+
+    .Example
+    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid
+
+    List active assignement
+
+
+    .Link
+    .Notes
+    Author: Loïc MICHEL
+    Homepage: https://github.com/kayasax/EasyPIM
+#>
+
+function Get-PIMGroupEligibleAssignment {
+    [CmdletBinding()]
+    param (
+        [Parameter(Position = 0, Mandatory = $true)]
+        [String]
+        $tenantID,
+        # select the most usefull info only
+        [switch]$summary,
+        [string]$groupID,
+        [string]$rolename,
+        [string]$principalName
+    )
+
+    try {
+        $script:tenantID = $tenantID
+
+        $endpoint = "identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$groupID'&`$expand=principal
+        "
+        $response = invoke-graph -Endpoint $endpoint
+        $resu = @()
+        $response.value | ForEach-Object {
+
+            $r = @{
+                #"rolename"         = $_.roledefinition.displayName
+                ##"roleid"           = $_.roledefinition.id
+                "principalname"    = $_.principal.displayName
+                "principalid"      = $_.principal.id
+                "principalEmail"   = $_.principal.mail
+                "startDateTime"    = $_.scheduleInfo.startDateTime
+                "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
+               #"directoryScopeId" = $_.directoryScopeId
+                "memberType"       = $_.accessId
+                "assignmentType"   = $_.memberType
+                #"activatedUsing"=$_.activatedUsing
+                "principaltype"    = $_.principal."@odata.type"
+                "id"               = $_.id
+            }
+            $resu += New-Object PSObject -Property $r
+
+
+        }
+
+        if ($PSBoundParameters.Keys.Contains('summary')) {
+            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId
+        }
+
+        if ($PSBoundParameters.Keys.Contains('principalid')) {
+            $resu = $resu | Where-Object { $_.principalid -eq $principalid }
+        }
+
+        if ($PSBoundParameters.Keys.Contains('rolename')) {
+            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
+        }
+        if($PSBoundParameters.Keys.Contains('principalName')){
+            $resu = $resu | Where-Object { $_.principalName -match $principalName }
+        }
+
+        return $resu
+    }
+    catch {
+        MyCatch $_
+    }
+}
diff --git a/EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1 b/EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1
@@ -136,8 +136,8 @@ function New-PIMEntraRoleActiveAssignment {
         }
     },
     "ticketInfo": {
-        "ticketNumber": "CONTOSO:Normal-67890",
-        "ticketSystem": "MS Project"
+        "ticketNumber": "EasyPIM",
+        "ticketSystem": "EasyPIM"
     }
 }
 

diff --git a/EasyPIM/functions/New-PIMGroupActiveAssignment.ps1 b/EasyPIM/functions/New-PIMGroupActiveAssignment.ps1
@@ -0,0 +1,146 @@
+<#
+    .Synopsis
+    Create an active assignement at the provided scope
+    .Description
+    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
+    .Parameter tenantID
+    EntraID tenant ID
+    .Parameter subscriptionID
+    subscription ID
+    .Parameter scope
+    use scope parameter if you want to work at other scope than a subscription
+    .Parameter principalID
+    objectID of the principal (user, group or service principal)
+    .Parameter rolename
+    name of the role to assign
+    .Parameter duration
+    duration of the assignment, if not set we will use the maximum allowed value from the role policy
+    .Parameter startDateTime
+    When the assignment wil begin, if not set we will use current time
+    .Parameter permanent
+    Use this parameter if you want a permanent assignement (no expiration)
+    .Parameter justification
+    justification
+
+
+    .Example
+    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092  -startDateTime "2/2/2024 18:20"
+
+    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
+
+    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
+    
+    Create a permanent active assignement for the role webmaster
+
+    .Link
+    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
+    .Notes
+    Author: Loïc MICHEL
+    Homepage: https://github.com/kayasax/EasyPIM
+#>
+function New-PIMGroupActiveAssignment {
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
+    [CmdletBinding()]
+    param (
+        [Parameter(Position = 0, Mandatory = $true)]
+        [String]
+        # Entra ID tenantID
+        $tenantID,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [String]
+        # Entra ID tenantID
+        $groupID,
+
+        [Parameter(Mandatory = $true)]
+        [String]
+        # Principal ID
+        $principalID,
+
+        [Parameter(Mandatory = $true)]
+        [string]
+        # the rolename for which we want to create an assigment
+        $type,
+
+        [string]
+        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
+        $duration,
+
+        [string]
+        # stat date of assignment if not provided we will use curent time
+        $startDateTime,
+
+        [string]
+        # justification (will be auto generated if not provided)
+        $justification,
+
+        [switch]
+        # the assignment will not expire
+        $permanent
+
+    )
+
+    try {
+        $script:tenantID = $tenantID
+
+        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
+            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
+        }
+        else {
+            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
+        }
+
+        write-verbose "Calculated date time start is $startDateTime"
+        # 2 get role settings:
+        $config = Get-PIMgroupPolicy -tenantID $tenantID -groupID $groupID -type $type
+
+        #if permanent assignement is requested check this is allowed in the rule
+        if ($permanent) {
+        if ( $config.AllowPermanentActiveAssignment -eq "false") {
+                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
+            }
+        }
+
+        # if Duration is not provided we will take the maxium value from the role setting
+        if (!($PSBoundParameters.Keys.Contains('duration'))) {
+    $duration = $config.MaximumActiveAssignmentDuration
+        }
+        write-verbose "assignement duration will be : $duration"
+
+        if (!($PSBoundParameters.Keys.Contains('justification'))) {
+            $justification = "Approved from EasyPIM module by  $($(get-azcontext).account)"
+        }
+
+
+        $exptype = "AfterDuration"
+        #$type="afterDateTime"
+        if ($permanent) {
+            $exptype = "NoExpiration"
+        }
+
+        $body = '
+{
+    "action": "adminAssign",
+    "accessID":"'+$type+'",
+    "groupID":"'+$groupID+'",
+    "justification": "'+ $justification + '",
+    "principalId": "'+ $principalID + '",
+    "scheduleInfo": {
+        "startDateTime": "'+ $startDateTime + '",
+        "expiration": {
+            "type": "'+ $exptype + '",
+            "duration": "'+ $duration + '"
+        }
+    }
+}
+
+'
+        $endpoint = "/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
+        write-verbose "patch body : $body"
+        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
+    }
+    catch {
+        MyCatch $_
+    }
+
+}