Skip to content

Commit

Permalink
Merge pull request #68 from kayasax/Approval
Browse files Browse the repository at this point in the history 
V1.7.1 add approval management for groups
  • Loading branch information
@kayasax
kayasax authored Oct 7, 2024
2 parents b5169fd + 1f619b5 commit 07c6630
Show file tree
Hide file tree
Showing 4 changed files with 234 additions and 1 deletion.
5 changes: 4 additions & 1 deletion EasyPIM/EasyPIM.psd1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,10 @@ FunctionsToExport = @(
'Deny-PIMAzureResourcePendingApproval',
'Get-PIMEntraRolePendingApproval',
'Approve-PIMEntraRolePendingApproval',
'Deny-PIMEntraRolePendingApproval'
'Deny-PIMEntraRolePendingApproval',
'Get-PIMGroupPendingApproval',
'Approve-PIMGroupPendingApproval',
'Deny-PIMGroupPendingApproval'
)

# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
Expand Down
71 changes: 71 additions & 0 deletions EasyPIM/functions/Approve-PIMGroupPendingApproval.ps1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
.Description
Approve-PIMGroupPendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
.PARAMETER justification
justification for the approval
.Example
PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
Approve a pending request
.Link
.Notes
Homepage: https://github.com/kayasax/easyPIM
Author: MICHEL, Loic
Changelog:
Todo:
* allow other scopes
#>
function Approve-PIMGroupPendingApproval {
[CmdletBinding()]
[OutputType([String])]
param (

[Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true)]
[System.String]
# Approval ID
$approvalID,

[Parameter(Position = 1, Mandatory = $true)]
[System.String]
# justification
$justification

)
process {
try {
#$script:tenantID = $tenantID

Write-Verbose "approve-PIMGroupPendingApproval start with parameters: approvalid => $approvalID, justification => $justification"

#Get the stages:
#in groups stageID is the same as the approvalID


#approve the request
#https://learn.microsoft.com/en-us/graph/api/approvalstage-update?view=graph-rest-1.0&tabs=http

$body = '{"justification":"' + $justification + '","reviewResult":"Approve"}'
Invoke-graph -endpoint "identityGovernance/privilegedAccess/group/assignmentApprovals/$approvalID/steps/$approvalID" -body $body -version "beta" -Method PATCH
return "Success, request approved"

}
catch {
MyCatch $_
}
}
}
71 changes: 71 additions & 0 deletions EasyPIM/functions/Deny-PIMGroupPendingApproval.ps1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
.Description
Deny-PIMGroupPendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
.PARAMETER justification
justification for the approval
.Example
PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I Deny this request"
Deny a pending request
.Link
.Notes
Homepage: https://github.com/kayasax/easyPIM
Author: MICHEL, Loic
Changelog:
Todo:
* allow other scopes
#>
function Deny-PIMGroupPendingApproval {
[CmdletBinding()]
[OutputType([String])]
param (

[Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true)]
[System.String]
# Approval ID
$approvalID,

[Parameter(Position = 1, Mandatory = $true)]
[System.String]
# justification
$justification

)
process {
try {
#$script:tenantID = $tenantID

Write-Verbose "Deny-PIMGroupPendingApproval start with parameters: approvalid => $approvalID, justification => $justification"

#Get the stages:
#in groups stageID is the same as the approvalID


#Deny the request
#https://learn.microsoft.com/en-us/graph/api/approvalstage-update?view=graph-rest-1.0&tabs=http

$body = '{"justification":"' + $justification + '","reviewResult":"Deny"}'
Invoke-graph -endpoint "identityGovernance/privilegedAccess/group/assignmentApprovals/$approvalID/steps/$approvalID" -body $body -version "beta" -Method PATCH
return "Success, request Denied"

}
catch {
MyCatch $_
}
}
}
88 changes: 88 additions & 0 deletions EasyPIM/functions/Get-PIMGroupPendingApproval.ps1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
.Description
Get-PIMGroupPendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
.PARAMETER tenantID
Tenant ID
.Example
PS> Get-PIMGroupPendingApproval -tenantID $tenantID
show pending request you can approve
.Link
.Notes
Homepage: https://github.com/kayasax/easyPIM
Author: MICHEL, Loic
Changelog:
Todo:
* allow other scopes
#>
function Get-PIMGroupPendingApproval{
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
[CmdletBinding()]
param (

[Parameter(Position = 0, Mandatory = $true)]
[System.String]
# Tenant ID
$tenantID

)
try {
$script:tenantID = $tenantID

Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID"

$endpoint="identityGovernance/privilegedAccess/group/assignmentScheduleRequests/filterByCurrentUser(on='approver')?`$filter=status eq 'PendingApproval'"
$response = Invoke-Graph -Endpoint $endpoint -Method "GET"

$out = @()

$pendingApproval = $response.value

if ($null -ne $pendingApproval) {
$pendingApproval | ForEach-Object {
$details=invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests/"+$_.id) -Method get
#$details
$principalDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$details.Principalid+"/") -Method get
$groupDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$details.Groupid+"/") -Method get


$request = @{
"principalId" = $details.Principalid;
"principalDisplayname" = $principalDisplayName.displayName;
"groupId" = $details.groupId;
"groupDisplayname" = $groupDisplayName.displayName;
"role" = $details.AccessID;
"status" = $details.status;
"startDateTime" = $details.CreatedDateTime;
"ticketInfo" = $details.ticketInfo;
"justification" = $details.justification;
"approvalId" = $details.approvalId;
"createdOn" = $details.createdDateTime;
}
$o = New-Object -TypeName PSObject -Property $request
$out += $o
}
}
if ($out.length -eq 0) {
#write-host "No pending approval"
return $null
}
return $out

}
catch {
MyCatch $_
}

}

0 comments on commit 07c6630

Please sign in to comment.