kayasax · kayasax · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024
diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1
@@ -4,7 +4,7 @@
 RootModule = 'EasyPIM.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.7.3'
+ModuleVersion = '1.7.4'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -103,7 +103,8 @@ FunctionsToExport = @(
     'Deny-PIMEntraRolePendingApproval',
     'Get-PIMGroupPendingApproval',
     'Approve-PIMGroupPendingApproval',
-    'Deny-PIMGroupPendingApproval'
+    'Deny-PIMGroupPendingApproval',
+    'Copy-PIMAzureResourceEligibleAssignment'
 )
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

diff --git a/EasyPIM/functions/Copy-PIMAzureResourceEligibleAssignment.ps1 b/EasyPIM/functions/Copy-PIMAzureResourceEligibleAssignment.ps1
@@ -0,0 +1,93 @@
+<#
+    .Synopsis
+    Copy eligible assignement from one user to another
+    .Description
+     https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
+    .Parameter tenantID
+    EntraID tenant ID
+    .Parameter subscriptionID
+    subscription ID
+    .Parameter scope
+    use scope parameter if you want to work at other scope than a subscription
+    .PARAMETER from
+    userprincipalname or objectID of the source object
+    .Parameter to
+    userprincipalname or objectID of the destination object
+
+    .Example
+    PS> Copy-PIMAzureResourceEligibleAssignment -tenantID $tid -subscriptionID -subscription $subscription -from [email protected] -to [email protected]
+
+    Copy eligible assignement from user1 to user2
+
+    .Link
+    .Notes
+    Author: Loïc MICHEL
+    Homepage: https://github.com/kayasax/EasyPIM
+#>
+
+function Copy-PIMAzureResourceEligibleAssignment {
+    [CmdletBinding()]
+    param (
+        [Parameter(Position = 0, Mandatory = $true)]
+        [String]
+        $tenantID,
+        [Parameter(Position = 1)]
+        [String]
+        $subscriptionID,
+        [Parameter()]
+        [String]
+        $scope,
+        [Parameter(Mandatory = $true)]
+        [String]
+        $from,
+        [Parameter(Mandatory = $true)]
+        [String]
+        $to
+    )
+
+    try {
+
+        $script:tenantID = $tenantID
+
+        if (!($PSBoundParameters.Keys.Contains('scope'))) {
+            $scope = "/subscriptions/$subscriptionID"
+        }
+
+        #convert UPN to objectID
+        if ($from -match ".+@.*\..+") {
+            #if this is a upn we will use graph to get the objectID
+            try {
+                $resu = invoke-graph -endpoint "users/$from" -Method GET -version "beta"
+                $from = $resu.id
+            }
+            catch {
+                Write-Warning "User $from not found in the tenant"
+                return
+            }
+
+        }
+
+        if ($to -match ".+@.*\..+") {
+            #if this is a upn we will use graph to get the objectID
+            try {
+                $resu = invoke-graph -endpoint "users/$to" -Method GET -version "beta"
+                $to = $resu.id
+            }
+            catch {
+                Write-Warning "User $to not found in the tenant"
+                return
+            }
+
+        }
+
+        $assignments=get-PIMAzureResourceEligibleAssignment -tenantID $tenantID -scope $scope -assignee $from
+        $assignments | ForEach-Object {
+            Write-Verbose "Copying assignment from $from to $to at scope $($_.scopeId) with role $($_.rolename)"
+            New-PIMAzureResourceEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionID -scope $_.scopeId -rolename $_.rolename -principalID $to
+        }
+
+    }
+    catch {
+        MyCatch $_
+    }
+}
diff --git a/EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1 b/EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1
@@ -9,6 +9,8 @@
     subscription ID
     .Parameter scope
     use scope parameter if you want to work at other scope than a subscription
+    .PARAMETER assignee
+    Filter assignment using userprincipalname or objectID
     .Parameter summary
     When enabled will return the most useful information only
     .Parameter atBellowScope
@@ -39,6 +41,8 @@ function Get-PIMAzureResourceEligibleAssignment {
         [Parameter()]
         [String]
         $scope,
+        [String]
+        $assignee,
         [switch]
         # when enable we will use the roleEligibilitySchedules API which also list the future assignments
         $includeFutureAssignments,
@@ -51,6 +55,9 @@ function Get-PIMAzureResourceEligibleAssignment {
     )
 
     try {
+
+        $script:tenantID = $tenantID
+
         if (!($PSBoundParameters.Keys.Contains('scope'))) {
             $scope = "/subscriptions/$subscriptionID"
         }
@@ -63,10 +70,24 @@ function Get-PIMAzureResourceEligibleAssignment {
             $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"
         }
 
-
+        #issue #70 filter assignment of a specific user
+        if ($PSBoundParameters.Keys.Contains('assignee')) {
+            if($assignee -match ".+@.*\..+") { #if this is a upn we will use graph to get the objectID
+                try{
+                    $resu=invoke-graph -endpoint "users/$assignee" -Method GET -version "beta"
+                    $assignee = $resu.id
+                }
+                catch {
+                    Write-Warning "User $assignee not found in the tenant"
+                    return
+                }
+
+            }
+
+            $restURI += "&`$filter=assignedto('"+$assignee+"')"
+        }
 
 
-        $script:tenantID = $tenantID
 
 
         $response = Invoke-ARM -restURI $restURI -method get