From 18568d864f3a9ef48794c6d94b5a06216a68ec7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Fri, 21 Jun 2024 15:59:43 +0200 Subject: [PATCH 1/6] Add authentication context and active assignement requirement for Azure resource --- .../functions/Set-PIMAzureResourcePolicy.ps1 | 16 ++++ .../Set-ActiveAssignmentRequirement.ps1 | 76 +++++++++++++++++++ EasyPIM/internal/functions/get-config.ps1 | 9 +++ 3 files changed, 101 insertions(+) create mode 100644 EasyPIM/internal/functions/Set-ActiveAssignmentRequirement.ps1 diff --git a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 index 12cab9e..f847422 100644 --- a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 +++ b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 @@ -59,6 +59,19 @@ function Set-PIMAzureResourcePolicy { [System.String[]] # Activation requirement $ActivationRequirement, + + [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")] + [ValidateScript({ + # accepted values: "None","Justification", "MultiFactorAuthentication" + # WARNING: options are CASE SENSITIVE + $script:valid = $true + $acceptedValues = @("None", "Justification", "MultiFactorAuthentication") + $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } } + return $script:valid + })] + [System.String[]] + # Active Assignation requirement + $ActiveAssignationRequirement, [Parameter()] [Bool] 
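Review bot: The new public parameter is spelled `ActiveAssignationRequirement` here, while the same option is `ActiveAssignmentRequirement` on Set-PIMEntraRolePolicy and Set-PIMGroupPolicy later in this series and the config readers expose it as `ActiveAssignmentRules`/`ActiveAssignmentRequirement`; renaming it to `ActiveAssignmentRequirement` before it ships avoids a breaking rename later. The HelpMessage is also missing a closing quote after `Justification`. The validator writes to `$script:valid`, leaking a script-scope variable out of a parameter attribute, when a local expression does the same job: `[ValidateScript({ $ok = @("None", "Justification", "MultiFactorAuthentication"); @($_ | Where-Object { $ok -cnotcontains $_ }).Count -eq 0 })]`. The param block continues outside the hunk.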
@@ -175,6 +188,9 @@ function Set-PIMAzureResourcePolicy { if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) { $rules += Set-ActivationRequirement $ActivationRequirement } + if ($PSBoundParameters.Keys.Contains('ActiveAssignationRequirement')) { + $rules += Set-ActiveAssignmentRequirement $ActiveAssignationRequirement + } # Approval and approvers if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) { diff --git a/EasyPIM/internal/functions/Set-ActiveAssignmentRequirement.ps1 b/EasyPIM/internal/functions/Set-ActiveAssignmentRequirement.ps1 new file mode 100644 index 0000000..3252bc1 --- /dev/null +++ b/EasyPIM/internal/functions/Set-ActiveAssignmentRequirement.ps1 
@@ -0,0 +1,76 @@ +<# + .Synopsis + Rule for active assignment requirement + .Description + rule 2 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules + .Parameter ActiveAssignmentRequirement + value can be "None", or one or more value from "Justification","MultiFactoAuthentication" + WARNING options are case sensitive! + .EXAMPLE + PS> Set-ActiveAssignmentRequirement "Justification" + + A justification will be required to activate the role + + .Link + + .Notes + +#> +function Set-ActiveAssignmentRequirement($ActiveAssignmentRequirement, [switch]$entraRole) { + write-verbose "Set-ActiveAssignmentRequirementt : $($ActiveAssignmentRequirement.length)" + if (($ActiveAssignmentRequirement -eq "None") -or ($ActiveAssignmentRequirement[0].length -eq 0 )) { + #if none or a null array + write-verbose "requirement is null" + $enabledRules = "[]," + } + else { + write-verbose "requirement is NOT null" + $formatedRules = '[' + + $ActiveAssignmentRequirement | ForEach-Object { + $formatedRules += '"' + $formatedRules += "$_" + $formatedRules += '",' + } + #remove last comma + $formatedRules = $formatedRules -replace “.$” + + $formatedRules += "]," + $enabledRules = $formatedRules + #Write-Verbose "************* $enabledRules " + } + + $properties = '{ + "enabledRules": '+ $enabledRules + ' + "id": "Enablement_Admin_Assignment", + "ruleType": "RoleManagementPolicyEnablementRule", + "target": { + "caller": "Admin", + "operations": [ + "All" + ], + "level": "Assignment", + "targetObjects": [], + "inheritableSettings": [], + "enforcedSettings": [] + } + }' + if ($entraRole) { + $properties = ' + { + "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule", + "enabledRules": '+ $enabledRules + ' + "id": "Enablement_Admin_Assignment", + "target": { + "caller": "EndUser", + "operations": [ + "All" + ], + "level": "Assignment", + "inheritableSettings": [], + "enforcedSettings": [] + } + }' + } + return $properties +} 
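Review bot: The two payloads in Set-ActiveAssignmentRequirement disagree on `target.caller` for the same rule id `Enablement_Admin_Assignment`: the Azure branch sends `"Admin"`, the `-entraRole` branch sends `"EndUser"`. As far as I recall the Graph schema also uses `Admin` for this rule (it governs what an administrator must supply when creating an active assignment), so the Entra branch looks like a copy of the EndUser enablement rule; worth verifying against the rules overview linked in the header, because a wrong target is either rejected or leaves the MFA/justification requirement unenforced. Separately, `$ActiveAssignmentRequirement -eq "None"` on an array acts as a filter, so `@("Justification","None")` passes the cmdlet validators and silently clears every requirement; throwing when "None" is combined with other values would be the safer behaviour. The header's `.Example` text ("required to activate the role") and `.Description` ("rule 2 in ...activation-rules") describe activation whereas this rule applies to active assignment, and `MultiFactoAuthentication` and the verbose `Set-ActiveAssignmentRequirementt` are typos.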
diff --git a/EasyPIM/internal/functions/get-config.ps1 b/EasyPIM/internal/functions/get-config.ps1 index 240770d..34f787b 100644 --- a/EasyPIM/internal/functions/get-config.ps1 +++ b/EasyPIM/internal/functions/get-config.ps1 @@ -83,6 +83,12 @@ function get-config ($scope, $rolename, $copyFrom = $null) { $_activationDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing) $_enablementRules = $response.properties.rules | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules + # active assignment rules + $_activeAssignmentRules = $response.properties.rules | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules + #Authentication Context + $_authenticationcontext_enabled = $response.properties.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled + $_authenticationcontext_value = $response.properties.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } |Select-Object -expand claimValue + # approval required $_approvalrequired = $($response.properties.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired # approvers @@ -144,6 +150,9 @@ function get-config ($scope, $rolename, $copyFrom = $null) { PolicyID = $policyId ActivationDuration = $_activationDuration EnablementRules = $_enablementRules -join ',' + ActiveAssignmentRules = $_activeAssignmentRules -join ',' + AuthenticationContext_Enabled = $_authenticationcontext_enabled + AuthenticationContext_Value = $_authenticationcontext_value ApprovalRequired = $_approvalrequired Approvers = $_approvers -join ',' AllowPermanentEligibleAssignment = $_permanantEligibility From 19fd4f865014ff278adc4ceb891642907608460a Mon Sep 17 00:00:00 2001 
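Review bot: The property added to get-config's output is named `ActiveAssignmentRules`, whereas Get-EntraRoleConfig and get-Groupconfig in the same series expose the identical rule as `ActiveAssignmentRequirement` and the Set-* cmdlets take `ActiveAssignmentRequirement`, so anything that round-trips a policy between a reader and a setter (get-config's `$copyFrom` argument suggests such a path exists) has to special-case the Azure reader. Renaming the output line to `ActiveAssignmentRequirement = $_activeAssignmentRules -join ','` keeps the three readers aligned. Two hunks end on this line; the output-object hunk is the one referred to.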
From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Fri, 21 Jun 2024 19:50:20 +0200 Subject: [PATCH 2/6] Add authentication context --- .../functions/Set-PIMAzureResourcePolicy.ps1 | 18 ++++++ EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 | 23 +++++++ .../functions/Set-AuthenticationContext.ps1 | 62 +++++++++++++++++++ .../functions/get-EntraRoleConfig.ps1 | 9 +++ .../internal/functions/get-GroupConfig.ps1 | 2 +- 5 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 EasyPIM/internal/functions/Set-AuthenticationContext.ps1 diff --git a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 index f847422..a17fb3b 100644 --- a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 +++ b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 @@ -73,6 +73,16 @@ function Set-PIMAzureResourcePolicy { # Active Assignation requirement $ActiveAssignationRequirement, + [Parameter()] + [Bool] + # Is authentication context required? ($true|$false) + $AuthenticationContext_Enabled, + + [Parameter()] + [String] + # Authentication context value? (ex c1) + $AuthenticationContext_Value, + [Parameter()] [Bool] # Is approval required to activate a role? ($true|$false) @@ -192,6 +202,14 @@ function Set-PIMAzureResourcePolicy { $rules += Set-ActiveAssignmentRequirement $ActiveAssignationRequirement } + if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) { + if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) { + $AuthenticationContext_Value = $null + } + $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value + } + + # Approval and approvers if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) { $rules += Set-Approval $ApprovalRequired $Approvers diff --git a/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 b/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 index 632cccd..78e0999 100644 
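Review bot: A caller that passes `-AuthenticationContext_Value c1` without `-AuthenticationContext_Enabled` gets no rule at all, because the wiring only keys on `AuthenticationContext_Enabled`; the value is silently dropped, which for a security control is the wrong failure mode. Either treat a bound value as enabling the rule, or reject the combination: `if ($PSBoundParameters.ContainsKey('AuthenticationContext_Value') -and -not $PSBoundParameters.ContainsKey('AuthenticationContext_Enabled')) { throw "AuthenticationContext_Value requires AuthenticationContext_Enabled" }`. The `$AuthenticationContext_Value = $null` assignment is redundant, since an unbound `[String]` parameter is already empty. It would also be worth a line in the parameter help that, to my knowledge, PIM treats the Conditional Access authentication-context requirement and the `MultiFactorAuthentication` activation requirement as alternatives, so enabling this while `ActivationRequirement` still contains `MultiFactorAuthentication` may be rejected by the service; confirm and document. Two hunks end on this line; the wiring hunk is the one referred to.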
--- a/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 +++ b/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 @@ -49,6 +49,29 @@ function Set-PIMEntraRolePolicy { # Activation requirement $ActivationRequirement, + [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")] + [ValidateScript({ + # accepted values: "None","Justification", "MultiFactorAuthentication" + # WARNING: options are CASE SENSITIVE + $script:valid = $true + $acceptedValues = @("None", "Justification", "MultiFactorAuthentication") + $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } } + return $script:valid + })] + [System.String[]] + # Active assignment requirement + $ActiveAssignmentRequirement, + + [Parameter()] + [Bool] + # Is authentication context required? ($true|$false) + $AuthenticationContext_Enabled, + + [Parameter()] + [String] + # Authentication context value? (ex c1) + $AuthenticationContext_Value, + [Parameter()] [Bool] # Is approval required to activate a role? ($true|$false) diff --git a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 new file mode 100644 index 0000000..ad25ab0 --- /dev/null +++ b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 
@@ -0,0 +1,62 @@ +<# + .Synopsis + Rule for authentication context + .Description + rule 3 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules + .Parameter AuthenticationContext_Enabled + $true or $false + .PARAMETER AuthenticationContext_Value + authentication context name ex "c1" + .EXAMPLE + PS> Set-AuthenticationContext -authenticationContext_Enabled $true -authenticationContext_Value "c1" + + Authentication context c1 will be required to activate the role + + .Link + + .Notes + +#> +function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value) { + write-verbose "Set-AuthenticationContext : $($authenticationContext_Enabled), $($authenticationContext_Value)" + if($authenticationContext_Enabled){ + $enabled="true" + if($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) { + Throw "AuthenticationContext_Value cannot be null or empty if AuthenticationContext_Enabled is true" + } + } + else{$enabled="false"} + + $properties = '{ + "id": "AuthenticationContext_EndUser_Assignment", + "ruleType": "RoleManagementPolicyAuthenticationContextRule", + "isEnabled": '+$enabled+', + "claimValue": "'+$authenticationContext_Value+'", + "target": { + "caller": "EndUser", + "operations": [ + "All" + ], + "level": "Assignment" + } +}' + + if ($entraRole) { + $properties = ' + { + "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule", + "enabledRules": '+ $enabledRules + ' + "id": "Enablement_Admin_Assignment", + "target": { + "caller": "EndUser", + "operations": [ + "All" + ], + "level": "Assignment", + "inheritableSettings": [], + "enforcedSettings": [] + } + }' + } + return $properties +} diff --git a/EasyPIM/internal/functions/get-EntraRoleConfig.ps1 b/EasyPIM/internal/functions/get-EntraRoleConfig.ps1 index 80f645d..f121a0c 100644 --- a/EasyPIM/internal/functions/get-EntraRoleConfig.ps1 
+++ b/EasyPIM/internal/functions/get-EntraRoleConfig.ps1 @@ -46,6 +46,12 @@ function Get-EntraRoleConfig ($rolename) { $_activationDuration = $response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing) $_enablementRules = $response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules + # Active assignment requirement + $_activeAssignmentRequirement = $response.value | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules + # Authentication context + $_authenticationContext_Enabled = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled + $_authenticationContext_value = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand claimValue + # approval required $_approvalrequired = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired # approvers @@ -120,6 +126,9 @@ function Get-EntraRoleConfig ($rolename) { PolicyID = $policyId ActivationDuration = $_activationDuration EnablementRules = $_enablementRules -join ',' + ActiveAssignmentRequirement = $_activeAssignmentRequirement -join ',' + AuthenticationContext_Enabled = $_authenticationContext_Enabled + AuthenticationContext_Value = $_authenticationContext_value ApprovalRequired = $_approvalrequired Approvers = $_approvers -join ',' AllowPermanentEligibleAssignment = $_permanantEligibility diff --git a/EasyPIM/internal/functions/get-GroupConfig.ps1 b/EasyPIM/internal/functions/get-GroupConfig.ps1 index c543ac5..61daa2e 100644 --- a/EasyPIM/internal/functions/get-GroupConfig.ps1 +++ b/EasyPIM/internal/functions/get-GroupConfig.ps1 
@@ -1,4 +1,4 @@ -<#Get-PIMGroupPolicyGet-PIMGroupPolicy +<# .Synopsis Get rules for the group $groupID .Description From e3681b4f756ee6fd27e6a65086016b69a632137b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Fri, 21 Jun 2024 20:04:56 +0200 Subject: [PATCH 3/6] add control for authentication context format --- EasyPIM/internal/functions/Set-AuthenticationContext.ps1 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 index ad25ab0..28f0457 100644 --- a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 +++ b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 @@ -19,6 +19,11 @@ #> function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value) { write-verbose "Set-AuthenticationContext : $($authenticationContext_Enabled), $($authenticationContext_Value)" + + if( ([regex]::match($authenticationContext_Value,"c[0-9]{1,2}$").success -eq $false)) { + Throw "AuthenticationContext_Value must be in the format c1 - c99" + } + if($authenticationContext_Enabled){ $enabled="true" if($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) { From 68d7ef10164a74bd6fab2022f21de681928ea83d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Sun, 23 Jun 2024 12:21:52 +0200 Subject: [PATCH 4/6] add authentication context in Set-PIMEntraRole --- EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 | 10 ++++ .../functions/Set-AuthenticationContext.ps1 | 59 +++++++++++-------- 2 files changed, 43 insertions(+), 26 deletions(-) diff --git a/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 b/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 index 78e0999..0d231c9 100644 --- a/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 +++ b/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1 
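Review bot: The format check `[regex]::match($authenticationContext_Value, "c[0-9]{1,2}$")` is anchored only at the end, so `xc1` or `foo",c1` passes; because the value is later pasted verbatim into the JSON body by string concatenation, this check is the only thing keeping the request well-formed. Anchor both ends: `if ($authenticationContext_Value -cnotmatch '^c[0-9]{1,2}$') { Throw "AuthenticationContext_Value must be in the format c1 - c99" }` (`-cnotmatch` keeps today's case-sensitive behaviour; plain `-notmatch` would start accepting `C1`). The function body continues outside the hunk.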
@@ -183,6 +183,16 @@ function Set-PIMEntraRolePolicy { $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole } + if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) { + $rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole + } + if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) { + if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) { + $AuthenticationContext_Value = $null + } + $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole + } + # Approval and approvers if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) { $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole diff --git a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 index 28f0457..e21b442 100644 --- a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 +++ b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 @@ -7,6 +7,9 @@ $true or $false .PARAMETER AuthenticationContext_Value authentication context name ex "c1" +.PARAMETER entraRole + $true or $false + .EXAMPLE PS> Set-AuthenticationContext -authenticationContext_Enabled $true -authenticationContext_Value "c1" 
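Review bot: `.PARAMETER entraRole` is documented as "$true or $false", but the parameter is declared `[switch]$entraRole` in the signature hunk of this same patch, so callers pass `-entraRole`, not a boolean; suggest `Switch; when present, emit the Graph unifiedRoleManagementPolicy payload used by Entra roles and PIM groups instead of the Azure resource payload`. The Set-PIMEntraRolePolicy wiring ending on this line has the same gap as the Azure cmdlet: a bound `AuthenticationContext_Value` without `AuthenticationContext_Enabled` is silently ignored. Two hunks end on this line; the documentation hunk is the one referred to first.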
@@ -17,26 +20,27 @@ .Notes #> -function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value) { +function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value, [switch]$entraRole) { write-verbose "Set-AuthenticationContext : $($authenticationContext_Enabled), $($authenticationContext_Value)" - if( ([regex]::match($authenticationContext_Value,"c[0-9]{1,2}$").success -eq $false)) { - Throw "AuthenticationContext_Value must be in the format c1 - c99" - } + - if($authenticationContext_Enabled){ - $enabled="true" - if($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) { - Throw "AuthenticationContext_Value cannot be null or empty if AuthenticationContext_Enabled is true" + if ($true -eq $authenticationContext_Enabled) { + $enabled = "true" + if ($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) { + Throw "AuthenticationContext_Value cannot be null or empty if AuthenticationContext_Enabled is true" + } + if ( ([regex]::match($authenticationContext_Value, "c[0-9]{1,2}$").success -eq $false)) { + Throw "AuthenticationContext_Value must be in the format c1 - c99" + } } - } - else{$enabled="false"} + else { $enabled = "false" } $properties = '{ "id": "AuthenticationContext_EndUser_Assignment", "ruleType": "RoleManagementPolicyAuthenticationContextRule", - "isEnabled": '+$enabled+', - "claimValue": "'+$authenticationContext_Value+'", + "isEnabled": '+ $enabled + ', + "claimValue": "'+ $authenticationContext_Value + '", "target": { "caller": "EndUser", "operations": [ 
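Review bot: On the `$false` path the value is neither validated nor cleared but is still concatenated into `"claimValue": "'+ $authenticationContext_Value + '"`, so an unchecked string reaches the request body when someone runs `-AuthenticationContext_Enabled $false -AuthenticationContext_Value x`, and disabling without a value sends `""`, which overwrites whatever context the policy held (whether the service accepts that is worth confirming). Run the format check whenever the value is non-empty regardless of `$enabled`, and anchor it at both ends, `if ($authenticationContext_Value -and $authenticationContext_Value -cnotmatch '^c[0-9]{1,2}$') { Throw "AuthenticationContext_Value must be in the format c1 - c99" }`, since the regex moved into this branch is still only end-anchored. Building the payload as a hashtable and serialising it with `ConvertTo-Json` would remove the quoting concern altogether. The function continues outside the hunk.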
@@ -47,21 +51,24 @@ function Set-AuthenticationContext($authenticationContext_Enabled, $authenticati }' if ($entraRole) { - $properties = ' + $properties = ' { - "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule", - "enabledRules": '+ $enabledRules + ' - "id": "Enablement_Admin_Assignment", - "target": { - "caller": "EndUser", - "operations": [ - "All" - ], - "level": "Assignment", - "inheritableSettings": [], - "enforcedSettings": [] - } - }' + "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule", + "id": "AuthenticationContext_EndUser_Assignment", + "isEnabled": '+ $enabled + ', + "claimValue": "'+ $authenticationContext_Value + '", + "target": { + "caller": "EndUser", + "operations": [ + "all" + ], + "level": "Assignment", + "inheritableSettings": [], + "enforcedSettings": [] } + + +}' + } return $properties } From 036b4465a540ac22f6c047025abdf5c77e90727a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Sun, 23 Jun 2024 18:54:38 +0200 Subject: [PATCH 5/6] Add support fot authentication context and assignment requirement in PIM Groups --- EasyPIM/functions/Set-PIMGroupPolicy.ps1 | 45 ++++++++++++++++--- .../functions/Set-AuthenticationContext.ps1 | 2 +- .../internal/functions/get-GroupConfig.ps1 | 10 ++++- 3 files changed, 48 insertions(+), 9 deletions(-) diff --git a/EasyPIM/functions/Set-PIMGroupPolicy.ps1 b/EasyPIM/functions/Set-PIMGroupPolicy.ps1 index d889dc1..c58bdde 100644 --- a/EasyPIM/functions/Set-PIMGroupPolicy.ps1 +++ b/EasyPIM/functions/Set-PIMGroupPolicy.ps1 @@ -19,7 +19,7 @@ Homepage: https://github.com/kayasax/EasyPIM #> function Set-PIMGroupPolicy { - [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)] + [CmdletBinding(DefaultParameterSetName = 'Default', SupportsShouldProcess = $true)] [OutputType([bool])] param ( [Parameter(Position = 0, Mandatory = $true)] 
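Review bot: The Graph here-string closes the `target` object with `"enforcedSettings": [] }` on one line and then the outer object after two blank lines with a column-0 `}'`, which makes the nesting hard to read and easy to break on the next edit; laying it out like the Azure payload above it (one closing brace per line, indented) or generating both branches from a hashtable with `ConvertTo-Json` would keep them diffable. The lowercase `"operations": ["all"]` here versus `"All"` in the Azure payload is presumably intentional (Graph enum versus ARM), and a one-line comment saying so would stop the next reader from "fixing" it.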
@@ -53,7 +53,29 @@ function Set-PIMGroupPolicy { [System.String[]] # Activation requirement $ActivationRequirement, - + [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")] + [ValidateScript({ + # accepted values: "None","Justification", "MultiFactorAuthentication" + # WARNING: options are CASE SENSITIVE + $script:valid = $true + $acceptedValues = @("None", "Justification", "MultiFactorAuthentication") + $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } } + return $script:valid + })] + [System.String[]] + # Active assignment requirement + $ActiveAssignmentRequirement, + + [Parameter()] + [Bool] + # Is authentication context required? ($true|$false) + $AuthenticationContext_Enabled, + + [Parameter()] + [String] + # Authentication context value? (ex c1) + $AuthenticationContext_Value, + [Parameter()] [Bool] # Is approval required to activate a role? ($true|$false) @@ -147,7 +169,7 @@ function Set-PIMGroupPolicy { log "Function Set-PIMGroupPolicy is starting with parameters: $p" -noEcho - $script:tenantID=$tenantID + $script:tenantID = $tenantID #at least one approver required if approval is enable # todo chech if a parameterset would be better 
@@ -164,6 +186,15 @@ function Set-PIMGroupPolicy { if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) { $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole } + if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) { + $rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole + } + if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) { + if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) { + $AuthenticationContext_Value = $null + } + $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole + } # Approval and approvers if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) { @@ -176,7 +207,7 @@ function Set-PIMGroupPolicy { write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)" if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration } if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment } - if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){ + if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )) { throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter" } $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole 
@@ -188,7 +219,7 @@ function Set-PIMGroupPolicy { write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)" if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration } if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment } - if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){ + if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )) { throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter" } $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole @@ -226,7 +257,7 @@ function Set-PIMGroupPolicy { # Notif Active Assignment Approvers if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) { $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole - } + } # Notification Activation alert if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) { @@ -250,7 +281,7 @@ function Set-PIMGroupPolicy { #Patching the policy if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) { - $null = Update-EntraRolePolicy $script:config.policyID $allrules + $null = Update-EntraRolePolicy $script:config.policyID $allrules } } diff --git a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 index e21b442..0fa5419 100644 --- a/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 +++ b/EasyPIM/internal/functions/Set-AuthenticationContext.ps1 
@@ -34,7 +34,7 @@ function Set-AuthenticationContext($authenticationContext_Enabled, $authenticati Throw "AuthenticationContext_Value must be in the format c1 - c99" } } - else { $enabled = "false" } + else { $enabled = "false" } $properties = '{ "id": "AuthenticationContext_EndUser_Assignment", diff --git a/EasyPIM/internal/functions/get-GroupConfig.ps1 b/EasyPIM/internal/functions/get-GroupConfig.ps1 index 61daa2e..9868663 100644 --- a/EasyPIM/internal/functions/get-GroupConfig.ps1 +++ b/EasyPIM/internal/functions/get-GroupConfig.ps1 @@ -8,7 +8,7 @@ .Parameter type type of role (owner or member) .Example - PS> get-config -scope $scop -rolename role1 + PS> get-config -scope $scope -rolename role1 Get the policy of the role role1 at the specified scope @@ -32,6 +32,11 @@ function get-Groupconfig ( $id, $type) { $_activationDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" }).maximumDuration # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing) $_enablementRules = ($response.value.policy.rules | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" }).enabledRules + # Active assignment requirement + $_activeAssignmentRequirement = $response.value.policy.rules | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules + # Authentication context + $_authenticationContext_Enabled = $response.value.policy.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled + $_authenticationContext_value = $response.value.policy.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand claimValue # approval required $_approvalrequired = $($response.value.policy.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired # approvers 
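Review bot: The corrected example `PS> get-config -scope $scope -rolename role1` still documents the wrong function: this file defines `get-Groupconfig ( $id, $type)`, so the example should read something like `PS> get-Groupconfig -id $groupID -type member`, with the description beneath it changed to say it returns the member policy of that group. In the rule-reading hunk, the three new lines use `| Select-Object -expand` while the neighbouring lines use the `($response.value.policy.rules | Where-Object {...}).enabledRules` form; either works, but mixing both in one block reads as two authors. Three hunks end on this line; the example hunk is the one to fix.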
@@ -104,6 +109,9 @@ function get-Groupconfig ( $id, $type) { PolicyID = $policyId ActivationDuration = $_activationDuration EnablementRules = $_enablementRules -join ',' + ActiveAssignmentRequirement = $_activeAssignmentRequirement -join ',' + AuthenticationContext_Enabled = $_authenticationContext_Enabled + AuthenticationContext_Value = $_authenticationContext_value ApprovalRequired = $_approvalrequired Approvers = $_approvers -join ',' AllowPermanentEligibleAssignment = $_permanantEligibility From fb0d86e9208afd0972d98a46e19d3edaad128157 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Mon, 24 Jun 2024 10:31:21 +0200 Subject: [PATCH 6/6] V1.6.3 --- EasyPIM/EasyPIM.psd1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1 index 44fb9d1..2b8ec54 100644 --- a/EasyPIM/EasyPIM.psd1 +++ b/EasyPIM/EasyPIM.psd1 @@ -4,7 +4,7 @@ RootModule = 'EasyPIM.psm1' # Version number of this module. -ModuleVersion = '1.6.2' +ModuleVersion = '1.6.3' # Supported PSEditions # CompatiblePSEditions = @()