Now using invoke-azrestmethod for ARM calls

Correcting Powershell V5 issue with Get-PIMEntraRoleConfig

EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1

@@ -67,6 +67,7 @@ function Get-PIMAzureResourceEligibleAssignment {
 
 
         $script:tenantID = $tenantID
+
 
         $response = Invoke-ARM -restURI $restURI -method get
         #$response|select -first 1

EasyPIM/internal/functions/Invoke-ARM.ps1

@@ -44,20 +44,25 @@ function Invoke-ARM {
         write-verbose "`n>> request body: $body"
         write-verbose "requested URI : $restURI ; method : $method"
 
+        $script:subscriptionID=[regex]::Matches($restURI,".*\/subscriptions\/(.*)\/providers.*$").groups[1].Value
+
 
         if ( $null -eq (get-azcontext) -or ( (get-azcontext).Tenant.Id -ne $script:tenantID ) ) {
             Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID"
-            Connect-AzAccount -Tenant $script:tenantID
+            Connect-AzAccount -Tenantid $script:tenantID -Subscription $script:subscriptionID
         }
 
+        #todo replace with invoke-azrestmethod
+        <#
         # Get access Token
         Write-Verbose ">> Getting access token"
-        $token = Get-AzAccessToken
+        # now this will return a securestring https://learn.microsoft.com/en-us/powershell/azure/upcoming-breaking-changes?view=azps-12.2.0#get-azaccesstoken
+        $token = Get-AzAccessToken -AsSecureString
                 
         # setting the authentication headers for MSGraph calls
         $authHeader = @{
             'Content-Type'  = 'application/json'
-            'Authorization' = 'Bearer ' + $token.Token
+            'Authorization' = 'Bearer ' + $($token.Token | ConvertFrom-SecureString -AsPlainText)
         }
 
         if($body -ne ""){
@@ -66,7 +71,15 @@ function Invoke-ARM {
         else{
             $response = Invoke-RestMethod -Uri $restUri -Method $method -Headers $authHeader -verbose:$false
         }
-        return $response
+            #>
+        if ($body -ne ""){
+            $response=Invoke-AZRestMethod -Method $method -Uri $restURI -payload $body 
+        }
+        else {
+            $response=Invoke-AZRestMethod -Method $method -Uri $restURI
+        } 
+
+        return $response.content | convertfrom-json
 
     }
     catch{

EasyPIM/internal/functions/Invoke-graph.ps1

@@ -37,7 +37,8 @@ function invoke-graph {
     try {
         $graph = "https://graph.microsoft.com/$version/"
 
-        $uri = $graph + $endpoint
+        [string]$uri = $graph + $endpoint
+        Write-Verbose "uri = $uri"
 
         if ( $null -eq (get-mgcontext) -or ( (get-mgcontext).TenantId -ne $script:tenantID ) ) {
             Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID"
@@ -55,10 +56,10 @@ function invoke-graph {
         }
 
         if ( $body -ne "") {
-            Invoke-MgGraphRequest -Uri $uri -Method $Method -Body $body
+            Invoke-MgGraphRequest -Uri "$uri" -Method $Method -Body $body
         }
         else {
-            Invoke-MgGraphRequest -Uri $uri -Method $Method
+            Invoke-MgGraphRequest -Uri "$uri" -Method $Method
         }
     }
 

EasyPIM/internal/functions/get-EntraRoleConfig.ps1

@@ -28,7 +28,8 @@ function Get-EntraRoleConfig ($rolename) {
         }
 
         # 2 Get PIM policyID for that role
-        $endpoint = "policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleID'"
+        $endpoint = "policies/roleManagementPolicyAssignments?`$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleID' and scopeId eq '/' "
+        Write-Verbose "endpoint = $endpoint"
         $response = invoke-graph -Endpoint $endpoint
         $policyID = $response.value.policyID
         Write-Verbose "policyID = $policyID"
@@ -43,14 +44,14 @@ function Get-EntraRoleConfig ($rolename) {
         # Get config values in a new object:
 
         # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
-        $_activationDuration = $response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration
+        $_activationDuration = $($response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" }).maximumDuration # | Select-Object -ExpandProperty maximumduration
         # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
-        $_enablementRules = $response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules
+        $_enablementRules = $($response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" }).enabledRules
         # Active assignment requirement
-        $_activeAssignmentRequirement = $response.value | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules
+        $_activeAssignmentRequirement = $($response.value | Where-Object { $_.id -eq "Enablement_Admin_Assignment" }).enabledRules
         # Authentication context
-        $_authenticationContext_Enabled = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled
-        $_authenticationContext_value = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand claimValue
+        $_authenticationContext_Enabled = $($response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }).isEnabled
+        $_authenticationContext_value = $($response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }).claimValue
 
         # approval required
         $_approvalrequired = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
@@ -73,26 +74,26 @@ function Get-EntraRoleConfig ($rolename) {
 
 
         # permanent assignmnent eligibility
-        $_eligibilityExpirationRequired = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand isExpirationRequired
+        $_eligibilityExpirationRequired = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).isExpirationRequired
         if ($_eligibilityExpirationRequired -eq "true") {
             $_permanantEligibility = "false"
         }
         else {
             $_permanantEligibility = "true"
         }
         # maximum assignment eligibility duration
-        $_maxAssignmentDuration = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand maximumDuration
+        $_maxAssignmentDuration = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).maximumDuration
 
         # pemanent activation
-        $_activeExpirationRequired = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand isExpirationRequired
+        $_activeExpirationRequired = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).isExpirationRequired
         if ($_activeExpirationRequired -eq "true") {
             $_permanantActiveAssignment = "false"
         }
         else {
             $_permanantActiveAssignment = "true"
         }
         # maximum activation duration
-        $_maxActiveAssignmentDuration = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand maximumDuration
+        $_maxActiveAssignmentDuration = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).maximumDuration
 
         #################
         # Notifications #