
Commit 66e34f4

committed
new function for managing access assignments
1 parent b03cb9a commit 66e34f4

1 file changed

+143
-0
lines changed

Lines changed: 143 additions & 0 deletions
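--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,143 @@
+function Invoke-ExecGDAPAccessAssignment {
+<#
+.FUNCTIONALITY
+Entrypoint,AnyTenant
+.ROLE
+Tenant.Relationship.ReadWrite
+#>
+[CmdletBinding()]
+param($Request, $TriggerMetadata)
+
+$APIName = $Request.Params.CIPPEndpoint
+Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+
+$Action = $Request.Body.Action ?? $Request.Query.Action
+$Id = $Request.Body.Id ?? $Request.Query.Id
+
+switch ($Action) {
+'ResetMappings' {
+$RoleTemplateId = $Request.Body.RoleTemplateId
+
+if (-not $RoleTemplateId) {
+$Body = @{
+Results = @{
+state = 'error'
+resultText = 'RoleTemplateId is required'
+}
+}
+} else {
+$GDAPRoleTemplatesTable = Get-CIPPTable -TableName 'GDAPRoleTemplates'
+$Mappings = Get-CIPPAzDataTableEntity @GDAPRoleTemplatesTable -Filter "PartitionKey eq 'RoleTemplate' and RowKey eq '$($RoleTemplateId)'" | Select-Object -ExpandProperty RoleMappings | ConvertFrom-Json
+
+$RelationshipRequests = @(
+@{
+'id' = 'getRelationship'
+'url' = "tenantRelationships/delegatedAdminRelationships/$Id"
+'method' = 'GET'
+}
+@{
+'id' = 'getAccessAssignments'
+'url' = "tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+'method' = 'GET'
+}
+)
+
+$RelationshipResults = New-GraphBulkRequest -Requests $RelationshipRequests -NoAuthCheck $true
+$Relationship = ($RelationshipResults | Where-Object id -EQ 'getRelationship').body
+$AccessAssignments = ($RelationshipResults | Where-Object id -EQ 'getAccessAssignments').body.value
+
+$Groups = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/groups?`$top=999&`$select=id,displayName&`$filter=securityEnabled eq true" -asApp $true -NoAuthCheck $true
+
+$Requests = [System.Collections.Generic.List[object]]::new()
+$Messages = [System.Collections.Generic.List[object]]::new()
+
+foreach ($AccessAssignment in $AccessAssignments) {
+if ($Mappings.GroupId -notcontains $AccessAssignment.accessContainer.accessContainerId -and $AccessAssignment.status -notin @('deleting', 'deleted', 'error')) {
+Write-Warning "Deleting access assignment for $($AccessAssignment.accessContainer.accessContainerId)"
+$Group = $Groups | Where-Object id -EQ $AccessAssignment.accessContainer.accessContainerId
+$Requests.Add(@{
+'id' = "delete-$($AccessAssignment.id)"
+'url' = "tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments/$($AccessAssignment.id)"
+'method' = 'DELETE'
+'headers' = @{
+'If-Match' = $AccessAssignment.'@odata.etag'
+}
+})
+
+$Messages.Add(@{
+'id' = $AccessAssignment.id
+'message' = "Deleting access assignment for $($Group.displayName)"
+})
+
+}
+}
+
+foreach ($Mapping in $Mappings) {
+if ($AccessAssignments.accessContainer.accessContainerId -notcontains $Mapping.GroupId -and $Relationship.accessDetails.unifiedRoles.roleDefinitionId -contains $Mapping.roleDefinitionId) {
+Write-Information "Creating access assignment for $($Mapping.GroupId)"
+$Requests.Add(@{
+'id' = "create-$($Mapping.GroupId)"
+'url' = "tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+'method' = 'POST'
+'body' = @{
+'accessDetails' = @{
+'unifiedRoles' = @($Mapping.roleDefinitionId)
+}
+'accessContainer' = @{
+'accessContainerId' = $Mapping.GroupId
+}
+}
+})
+$Messages.Add(@{
+'id' = $Mapping.GroupId
+'message' = "Creating access assignment for $($Mapping.GroupName)"
+})
+}
+}
+
+if ($Requests) {
+Write-Warning "Executing $($Requests.Count) access assignment changes"
+#Write-Information ($Requests | ConvertTo-Json -Depth 10)
+
+$BulkResults = New-GraphBulkRequest -Requests $Requests -NoAuthCheck $true
+$Results = foreach ($Result in $BulkResults) {
+$Message = $Messages | Where-Object id -EQ $Result.id
+if ($Result.status -eq 204) {
+@{
+resultText = $Message.message
+state = 'success'
+}
+} else {
+@{
+resultText = "Error: $($Message.message): $($Result.body.error.message)"
+state = 'error'
+}
+}
+}
+
+} else {
+$Results = @{
+resultText = 'GDAP access assignments are up to date'
+state = 'success'
+}
+}
+
+$Body = @{
+Results = @($Results)
+}
+}
+}
+default {
+$Body = @{
+Results = @(@{
+state = 'error'
+resultText = 'Invalid action'
+})
+}
+}
+}
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+StatusCode = [HttpStatusCode]::OK
+Body = $Body
+})
+}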
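Review bot: A RoleTemplateId that matches no row in GDAPRoleTemplates leaves `$Mappings` empty, and since `$null.GroupId -notcontains ...` is true for every element, the first foreach (line 55 of the new file) then queues a DELETE for every active access assignment on the relationship, stripping all delegated access instead of failing; the guard below returns an error result instead, and `$Id` should be checked the same way since it is interpolated unchecked into every Graph URL. The table lookup on line 30 also embeds `$RoleTemplateId` straight into the OData filter, so a single quote in the request value alters the query; at minimum double it, `RowKey eq '$($RoleTemplateId -replace "'", "''")'`. The bulk GET on line 45 is never checked for a non-2xx status, in which case `$Relationship` and `$AccessAssignments` are null, nothing is queued, and the caller is told 'GDAP access assignments are up to date'. On line 104 the message lookup compares `$Result.id`, which carries the `delete-`/`create-` prefix given to the request ids, against the unprefixed ids stored in `$Messages`, so `$Message` is always null and every resultText is empty; give both the same id. Line 105 also counts only 204 as success, so if the POST creations return 201 Created they are reported as errors; `if ($Result.status -in @(200, 201, 204))` is presumably the intended check.
```powershell
$Mappings = Get-CIPPAzDataTableEntity @GDAPRoleTemplatesTable -Filter "PartitionKey eq 'RoleTemplate' and RowKey eq '$($RoleTemplateId -replace "'", "''")'" | Select-Object -ExpandProperty RoleMappings | ConvertFrom-Json
if (-not $Id -or -not $Mappings) {
    # Never continue with an empty mapping set: the delete loop below would remove every assignment
    $Body = @{
        Results = @{
            state      = 'error'
            resultText = 'A relationship Id and a RoleTemplateId with mappings are required; no access assignments were changed'
        }
    }
} else {
    # … unchanged: relationship/assignment lookup, delete and create request building, bulk execution …
}
```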
