Merge pull request #53 from kayasax/reporting

V1.6.3
kayasax · Jun 24, 2024 · 7b12ce4 · 7b12ce4
2 parents bd59776 + fb0d86e
commit 7b12ce4
Show file tree

Hide file tree

Showing 9 changed files with 284 additions and 10 deletions.
diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1
@@ -4,7 +4,7 @@
 RootModule = 'EasyPIM.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.6.2'
+ModuleVersion = '1.6.3'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()

diff --git a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1
@@ -59,7 +59,30 @@ function Set-PIMAzureResourcePolicy {
         [System.String[]]
         # Activation requirement
         $ActivationRequirement,
+
+        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE):  'Justification, 'MultiFactorAuthentication'")]
+        [ValidateScript({
+                # accepted values: "None","Justification", "MultiFactorAuthentication"
+                # WARNING: options are CASE SENSITIVE
+                $script:valid = $true
+                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
+                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
+                return $script:valid
+            })]
+        [System.String[]]
+        # Active Assignation requirement
+        $ActiveAssignationRequirement,
 
+        [Parameter()]
+        [Bool]
+        # Is authentication context required? ($true|$false)
+        $AuthenticationContext_Enabled,
+
+        [Parameter()]
+        [String]
+        # Authentication context value? (ex c1)
+        $AuthenticationContext_Value,
+
         [Parameter()]
         [Bool]
         # Is approval required to activate a role? ($true|$false)
@@ -175,6 +198,17 @@ function Set-PIMAzureResourcePolicy {
             if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                 $rules += Set-ActivationRequirement $ActivationRequirement
             }
+            if ($PSBoundParameters.Keys.Contains('ActiveAssignationRequirement')) {
+                $rules += Set-ActiveAssignmentRequirement $ActiveAssignationRequirement
+            }
+
+            if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
+                if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
+                    $AuthenticationContext_Value = $null
+                }
+                $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value
+            }
+
 
             # Approval and approvers
             if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {

diff --git a/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 b/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1
@@ -49,6 +49,29 @@ function Set-PIMEntraRolePolicy {
         # Activation requirement
         $ActivationRequirement,
 
+        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE):  'Justification, 'MultiFactorAuthentication'")]
+        [ValidateScript({
+                # accepted values: "None","Justification", "MultiFactorAuthentication"
+                # WARNING: options are CASE SENSITIVE
+                $script:valid = $true
+                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
+                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
+                return $script:valid
+            })]
+        [System.String[]]
+        # Active assignment requirement
+        $ActiveAssignmentRequirement,
+
+        [Parameter()]
+        [Bool]
+        # Is authentication context required? ($true|$false)
+        $AuthenticationContext_Enabled,
+
+        [Parameter()]
+        [String]
+        # Authentication context value? (ex c1)
+        $AuthenticationContext_Value,
+
         [Parameter()]
         [Bool]
         # Is approval required to activate a role? ($true|$false)
@@ -160,6 +183,16 @@ function Set-PIMEntraRolePolicy {
                 $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole
             }
 
+            if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) {
+                $rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole
+            }
+            if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
+                if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
+                    $AuthenticationContext_Value = $null
+                }
+                $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole
+            }
+
             # Approval and approvers
             if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                 $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole

diff --git a/EasyPIM/functions/Set-PIMGroupPolicy.ps1 b/EasyPIM/functions/Set-PIMGroupPolicy.ps1
@@ -19,7 +19,7 @@
         Homepage: https://github.com/kayasax/EasyPIM
      #>
 function Set-PIMGroupPolicy {
-    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
+    [CmdletBinding(DefaultParameterSetName = 'Default', SupportsShouldProcess = $true)]
     [OutputType([bool])]
     param (
         [Parameter(Position = 0, Mandatory = $true)]
@@ -53,7 +53,29 @@ function Set-PIMGroupPolicy {
         [System.String[]]
         # Activation requirement
         $ActivationRequirement,
-
+        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE):  'Justification, 'MultiFactorAuthentication'")]
+        [ValidateScript({
+                # accepted values: "None","Justification", "MultiFactorAuthentication"
+                # WARNING: options are CASE SENSITIVE
+                $script:valid = $true
+                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
+                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
+                return $script:valid
+            })]
+        [System.String[]]
+        # Active assignment requirement
+        $ActiveAssignmentRequirement,
+
+        [Parameter()]
+        [Bool]
+        # Is authentication context required? ($true|$false)
+        $AuthenticationContext_Enabled,
+
+        [Parameter()]
+        [String]
+        # Authentication context value? (ex c1)
+        $AuthenticationContext_Value,
+
         [Parameter()]
         [Bool]
         # Is approval required to activate a role? ($true|$false)
@@ -147,7 +169,7 @@ function Set-PIMGroupPolicy {
 
         log "Function Set-PIMGroupPolicy is starting with parameters: $p" -noEcho
 
-        $script:tenantID=$tenantID
+        $script:tenantID = $tenantID
 
         #at least one approver required if approval is enable
         # todo chech if a parameterset would be better
@@ -164,6 +186,15 @@ function Set-PIMGroupPolicy {
             if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                 $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole
             }
+            if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) {
+                $rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole
+            }
+            if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
+                if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
+                    $AuthenticationContext_Value = $null
+                }
+                $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole
+            }
 
             # Approval and approvers
             if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
@@ -176,7 +207,7 @@ function Set-PIMGroupPolicy {
                 write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)"
                 if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration }
                 if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment }
-                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
+                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )) {
                     throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                 }
                 $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole
@@ -188,7 +219,7 @@ function Set-PIMGroupPolicy {
                 write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)"
                 if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration }
                 if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment }
-                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
+                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )) {
                     throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                 }
                 $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole
@@ -226,7 +257,7 @@ function Set-PIMGroupPolicy {
             # Notif Active Assignment Approvers
             if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                 $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole
-             }
+            }
 
             # Notification Activation alert
             if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
@@ -250,7 +281,7 @@ function Set-PIMGroupPolicy {
 
             #Patching the policy
             if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
-               $null = Update-EntraRolePolicy $script:config.policyID $allrules
+                $null = Update-EntraRolePolicy $script:config.policyID $allrules
             }
 
         }

diff --git a/EasyPIM/internal/functions/Set-ActiveAssignmentRequirement.ps1 b/EasyPIM/internal/functions/Set-ActiveAssignmentRequirement.ps1
@@ -0,0 +1,76 @@
+<#
+      .Synopsis
+       Rule for active assignment requirement
+      .Description
+       rule 2 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
+      .Parameter ActiveAssignmentRequirement
+       value can be "None", or one or more value from "Justification","MultiFactoAuthentication"
+       WARNING options are case sensitive!
+      .EXAMPLE
+        PS> Set-ActiveAssignmentRequirement "Justification"
+
+        A justification will be required to activate the role
+      
+      .Link
+     
+      .Notes
+      	
+#>
+function Set-ActiveAssignmentRequirement($ActiveAssignmentRequirement, [switch]$entraRole) {
+    write-verbose "Set-ActiveAssignmentRequirementt : $($ActiveAssignmentRequirement.length)"
+    if (($ActiveAssignmentRequirement -eq "None") -or ($ActiveAssignmentRequirement[0].length -eq 0 )) {
+        #if none or a null array
+        write-verbose "requirement is null"
+        $enabledRules = "[],"
+    }
+    else {
+        write-verbose "requirement is NOT null"
+        $formatedRules = '['
+
+        $ActiveAssignmentRequirement | ForEach-Object {
+            $formatedRules += '"'
+            $formatedRules += "$_"
+            $formatedRules += '",'
+        }
+        #remove last comma
+        $formatedRules = $formatedRules -replace “.$”
+
+        $formatedRules += "],"
+        $enabledRules = $formatedRules
+        #Write-Verbose "************* $enabledRules "
+    }
+
+    $properties = '{
+                "enabledRules": '+ $enabledRules + '
+                "id": "Enablement_Admin_Assignment",
+                "ruleType": "RoleManagementPolicyEnablementRule",
+                "target": {
+                    "caller": "Admin",
+                    "operations": [
+                        "All"
+                    ],
+                    "level": "Assignment",
+                    "targetObjects": [],
+                    "inheritableSettings": [],
+                    "enforcedSettings": []
+                }
+            }'
+    if ($entraRole) {
+                $properties = '
+               {
+                "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+                "enabledRules": '+ $enabledRules + '
+                "id": "Enablement_Admin_Assignment",
+                "target": {
+                    "caller": "EndUser",
+                    "operations": [
+                        "All"
+                    ],
+                    "level": "Assignment",
+                    "inheritableSettings": [],
+                    "enforcedSettings": []
+                }
+            }'
+            }
+    return $properties
+}
diff --git a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1
@@ -0,0 +1,74 @@
+<#
+      .Synopsis
+       Rule for authentication context
+      .Description
+       rule 3 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
+      .Parameter AuthenticationContext_Enabled
+       $true or $false
+       .PARAMETER AuthenticationContext_Value
+       authentication context name ex "c1"
+.PARAMETER entraRole
+       $true or $false
+
+      .EXAMPLE
+        PS> Set-AuthenticationContext -authenticationContext_Enabled $true -authenticationContext_Value "c1"
+
+        Authentication context c1 will be required to activate the role
+      
+      .Link
+     
+      .Notes
+      	
+#>
+function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value, [switch]$entraRole) {
+    write-verbose "Set-AuthenticationContext : $($authenticationContext_Enabled), $($authenticationContext_Value)"
+
+
+
+    if ($true -eq $authenticationContext_Enabled) {
+        $enabled = "true"
+        if ($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) {
+            Throw "AuthenticationContext_Value cannot be null or empty if AuthenticationContext_Enabled is true"
+        }
+        if ( ([regex]::match($authenticationContext_Value, "c[0-9]{1,2}$").success -eq $false)) {
+            Throw "AuthenticationContext_Value must be in the format c1 - c99"
+        }
+    }
+    else { $enabled = "false" }
+
+    $properties = '{
+	"id": "AuthenticationContext_EndUser_Assignment",
+	"ruleType": "RoleManagementPolicyAuthenticationContextRule",
+	"isEnabled": '+ $enabled + ',
+	"claimValue": "'+ $authenticationContext_Value + '",
+	"target": {
+		"caller": "EndUser",
+		"operations": [
+			"All"
+		],
+		"level": "Assignment"
+	}
+}'
+
+    if ($entraRole) {
+        $properties = '
+               {
+            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+            "id": "AuthenticationContext_EndUser_Assignment",
+            "isEnabled": '+ $enabled + ',
+            "claimValue": "'+ $authenticationContext_Value + '",
+            "target": {
+                "caller": "EndUser",
+                "operations": [
+                    "all"
+                ],
+                "level": "Assignment",
+                "inheritableSettings": [],
+                "enforcedSettings": []
+            }
+        
+    
+}'
+    }
+    return $properties
+}
diff --git a/EasyPIM/internal/functions/get-EntraRoleConfig.ps1 b/EasyPIM/internal/functions/get-EntraRoleConfig.ps1
@@ -46,6 +46,12 @@ function Get-EntraRoleConfig ($rolename) {
         $_activationDuration = $response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration
         # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
         $_enablementRules = $response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules
+        # Active assignment requirement
+        $_activeAssignmentRequirement = $response.value | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules
+        # Authentication context
+        $_authenticationContext_Enabled = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled
+        $_authenticationContext_value = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand claimValue
+
         # approval required
         $_approvalrequired = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
         # approvers
@@ -120,6 +126,9 @@ function Get-EntraRoleConfig ($rolename) {
             PolicyID                                                     = $policyId
             ActivationDuration                                           = $_activationDuration
             EnablementRules                                              = $_enablementRules -join ','
+            ActiveAssignmentRequirement                                  = $_activeAssignmentRequirement -join ','
+            AuthenticationContext_Enabled                                = $_authenticationContext_Enabled
+            AuthenticationContext_Value                                  = $_authenticationContext_value
             ApprovalRequired                                             = $_approvalrequired
             Approvers                                                    = $_approvers -join ','
             AllowPermanentEligibleAssignment                             = $_permanantEligibility