Merge pull request #10 from kayasax/scope

Adding Scope parameter

EasyPIM/functions/Backup-PIMAzureResourcePolicy.ps1

@@ -18,17 +18,22 @@
     
 #>
 function Backup-PIMAzureResourcePolicy {
-    [CmdletBinding()]
+    [CmdletBinding(DefaultParameterSetName='Default')]
     param (
         [Parameter(Position = 0, Mandatory = $true)]
         [System.String]
         # Tenant ID
         $tenantID,
 
-        [Parameter(Position = 1, Mandatory = $true)]
+        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
         [System.String]
         # subscription id
         $subscriptionID,
+
+        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+        [System.String]
+        # scope
+        $scope,
 
         [Parameter(Position = 2)]
         [System.String]
@@ -39,7 +44,9 @@ function Backup-PIMAzureResourcePolicy {
     try {
         $script:tenantID = $tenantID
         $exports = @()
-        $scope = "subscriptions/$subscriptionID"
+        if (!($PSBoundParameters.Keys.Contains('scope'))) {
+            $scope = "subscriptions/$subscriptionID"
+        }
 
         $policies = Get-AllPolicies $scope
 

EasyPIM/functions/Copy-PIMAzureResourcePolicy.ps1

@@ -22,18 +22,22 @@
         Homepage: https://github.com/kayasax/EasyPIM
 #>
 function Copy-PIMAzureResourcePolicy {
-    [CmdletBinding()]
+    [CmdletBinding(DefaultParameterSetName='Default')]
     param (
         [Parameter(Position = 0, Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.String]
         # Tenant ID
         $tenantID,
 
-        [Parameter(Position = 1, Mandatory = $true)]
+        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.String]
         $subscriptionID,
+
+        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+        [System.String]
+        $scope,
 
         [Parameter(Position = 2, Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
@@ -47,7 +51,10 @@ function Copy-PIMAzureResourcePolicy {
     try {
         $script:tenantID = $tenantID
         Write-Verbose "Copy-PIMAzureResourcePolicy start with parameters: tenantID => $tenantID subscription => $subscriptionID, rolename=> $rolename, copyfrom => $copyFrom"
-        $scope = "subscriptions/$subscriptionID"
+        if (!($PSBoundParameters.Keys.Contains('scope'))) {
+          $scope = "subscriptions/$subscriptionID"
+        }
+
         $config2 = get-config $scope $copyFrom $true
 
         $rolename | ForEach-Object {

EasyPIM/functions/Export-PIMAzureResourcePolicy.ps1

@@ -22,17 +22,24 @@
         Homepage: https://github.com/kayasax/EasyPIM
      #>
      function Export-PIMAzureResourcePolicy {
-    [CmdletBinding()]
+    [CmdletBinding(DefaultParameterSetName='Default')]
     param (
         [Parameter(Position = 0, Mandatory = $true)]
         [System.String]
         $tenantID,
-        [Parameter(Position = 1, Mandatory = $true)]
+
+        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
         [System.String]
         $subscriptionID,
+
+        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+        [System.String[]]
+        $scope,
+
         [Parameter(Position = 2, Mandatory = $true)]
         [System.String[]]
         $rolename,
+
         [Parameter(Position = 3)]
         [System.String]
         $exportFilename
@@ -42,7 +49,10 @@
         $script:tenantID = $tenantID
 
         Write-Verbose "Export-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename, exportFilname => $exportFilename"
-        $scope = "subscriptions/$subscriptionID"
+        if (!($PSBoundParameters.Keys.Contains('scope'))) {
+          $scope = "subscriptions/$subscriptionID"
+        }
+
         # Array to contain the settings of each selected roles
         $exports = @()
 

EasyPIM/functions/Get-PIMAzureResourcePolicy.ps1

@@ -35,18 +35,24 @@ Name of the role to check
     * allow other scopes
 #>
 function Get-PIMAzureResourcePolicy {
-    [CmdletBinding()]
+    [CmdletBinding(DefaultParameterSetName='Default')]
     [OutputType([PSCustomObject])]
     param (
 
         [Parameter(Position = 0, Mandatory = $true)]
         [System.String]
         # Tenant ID
         $tenantID,
-        [Parameter(Position = 1, Mandatory = $true)]
+
+        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
         [System.String]
         # Subscription ID
         $subscriptionID,
+
+        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+        [System.String]
+        $scope,
+
         [Parameter(Position = 2, Mandatory = $true)]
         [System.String[]]
         # Array of role name
@@ -57,7 +63,11 @@ function Get-PIMAzureResourcePolicy {
         $script:tenantID = $tenantID
 
         Write-Verbose "Get-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename"
-        $scope = "subscriptions/$subscriptionID"
+        #defaut scope = subscription
+        if (!($PSBoundParameters.Keys.Contains('scope'))) {
+            $scope = "subscriptions/$subscriptionID"
+        }
+
         $out = @()
         $rolename | ForEach-Object {
 

EasyPIM/functions/Import-PIMAzureResourcePolicy.ps1

@@ -26,19 +26,13 @@ function Import-PIMAzureResourcePolicy {
         [System.String]
         $TenantID,
 
-        [Parameter(Mandatory = $true)]
-        [ValidateNotNullOrEmpty()]
-        [System.String]
-        $SubscriptionId,
-
         [Parameter(Mandatory = $true)]
         [String]
         $Path
     )
 
     $script:tenantID = $TenantID
-    $script:scope="Subscriptions/$subscriptionID"
-
+
     #load settings
     Write-Verbose "Importing settings from $path"
     if ($PSCmdlet.ShouldProcess($path, "Importing policy from")) {

EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1

@@ -20,17 +20,23 @@
         Homepage: https://github.com/kayasax/EasyPIM
      #>
 function Set-PIMAzureResourcePolicy {
-    [CmdletBinding(SupportsShouldProcess = $true)]
+    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
     [OutputType([bool])]
     param (
         [Parameter(Position = 0, Mandatory = $true)]
         [System.String]
         # Tenant ID
         $tenantID,
-        [Parameter(Position = 1, Mandatory = $true)]
+
+        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
         [System.String]
         #subscriptionID
         $subscriptionID,
+
+        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+        [System.String]
+        #scope
+        $scope,
 
         [Parameter(Position = 2, Mandatory = $true)]
         [System.String[]]
@@ -148,7 +154,10 @@ function Set-PIMAzureResourcePolicy {
         log "Function Set-PIMAzureResourcePolicy is starting with parameters: $p" -noEcho
 
         $script:subscriptionID = $subscriptionID
-        $scope = "subscriptions/$script:subscriptionID"
+        if (!($PSBoundParameters.Keys.Contains('scope'))) {
+            $scope = "subscriptions/$script:subscriptionID"
+        }
+
         $script:tenantID=$tenantID
 
         #at least one approver required if approval is enable

EasyPIM/internal/functions/Update-Policy.ps1

@@ -23,7 +23,7 @@ function Update-Policy  {
     )
     Log "Updating Policy $policyID" -noEcho
     #write-verbose "rules: $rules"
-    $scope = "subscriptions/$script:subscriptionID"
+    #$scope = "subscriptions/$script:subscriptionID"
     $ARMhost = "https://management.azure.com"
     #$ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
 

EasyPIM/internal/functions/get-config.ps1

@@ -35,10 +35,10 @@ function get-config ($scope, $rolename, $copyFrom = $null) {
         #if ($null -eq $roleID) { throw "An exception occured : can't find a roleID for $rolename at scope $scope" }
         Write-Verbose ">> RodeId = $roleID"
 
-        if( ($roleID -eq "") -or ($null -eq $roleID)){
+        if ( ($roleID -eq "") -or ($null -eq $roleID)) {
             Log "Error getting config of $rolename"
             #continue with other roles
-             return
+            return
         }
 
         # 2  get the role assignment for the roleID found at #1
@@ -57,7 +57,18 @@ function get-config ($scope, $rolename, $copyFrom = $null) {
 
         #Write-Verbose "copy from = $copyFrom"
         if ($null -ne $copyFrom) {
+            # Get access Token
+            Write-Verbose ">> Getting access token"
+            $token = Get-AzAccessToken
+
+            # setting the authentication headers for MSGraph calls
+            $authHeader = @{
+                'Content-Type'  = 'application/json'
+                'Authorization' = 'Bearer ' + $token.Token
+            }
+
             Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false -OutFile "$_scriptPath\temp.json"
+
             $response = Get-Content "$_scriptPath\temp.json"
             $response = $response -replace '^.*"rules":\['
             $response = $response -replace '\],"effectiveRules":.*$'
@@ -163,9 +174,9 @@ function get-config ($scope, $rolename, $copyFrom = $null) {
             Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
             Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
             Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
-            Notification_Activation_Approver_isDefaultRecipientEnabled  = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
-            Notification_Activation_Approver_NotificationLevel          = $($_Notification_Activation_Approver.NotificationLevel)
-            Notification_Activation_Approver_Recipients                 = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
+            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
+            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
+            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
         }
         return $config
     }

README.md

@@ -1,4 +1,5 @@
-# EasyPIM V1.0.2
+# EasyPIM V1.1.0 
+
 Powershell module to manage PIM Azure Resource Role settings with simplicity in mind.
 
 Easily manage PIM Azure Resource settings **at the subscription level by default** : enter a tenant ID, a subscription ID, a role name 
@@ -19,8 +20,10 @@ This module is available in the PowerShell gallery: [https://www.powershellgalle
 ```pwsh
 Install-Module -Name EasyPIM -Scope CurrentUser
 ``` 
+
 ![image](https://github.com/kayasax/EasyPIM/assets/1241767/79086c31-19fa-4321-a5ac-6767b8d7ace3)
 
+
 ## Sample usage
 
 :large_blue_diamond: Get configuration of the role "Webmaster"