diff --git a/EasyPIM/functions/Backup-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Backup-PIMAzureResourcePolicy.ps1
index 05d8b84..fad3a0f 100644
--- a/EasyPIM/functions/Backup-PIMAzureResourcePolicy.ps1
+++ b/EasyPIM/functions/Backup-PIMAzureResourcePolicy.ps1
@@ -18,17 +18,22 @@
 #>
 function Backup-PIMAzureResourcePolicy {
- [CmdletBinding()]
+ [CmdletBinding(DefaultParameterSetName='Default')]
 param (
 [Parameter(Position = 0, Mandatory = $true)]
 [System.String]
 # Tenant ID
 $tenantID,
- [Parameter(Position = 1, Mandatory = $true)]
+ [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
 [System.String]
 # subscription id
 $subscriptionID,
+
+ [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+ [System.String]
+ # scope
+ $scope,
 [Parameter(Position = 2)]
 [System.String]
@@ -39,7 +44,9 @@ function Backup-PIMAzureResourcePolicy {
 try {
 $script:tenantID = $tenantID
 $exports = @()
- $scope = "subscriptions/$subscriptionID"
+ if (!($PSBoundParameters.Keys.Contains('scope'))) {
+ $scope = "subscriptions/$subscriptionID"
+ }
 $policies = Get-AllPolicies $scope
diff --git a/EasyPIM/functions/Copy-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Copy-PIMAzureResourcePolicy.ps1
index ab6589c..b2367e3 100644
--- a/EasyPIM/functions/Copy-PIMAzureResourcePolicy.ps1
+++ b/EasyPIM/functions/Copy-PIMAzureResourcePolicy.ps1
@@ -22,7 +22,7 @@ Homepage: https://github.com/kayasax/EasyPIM
 #>
 function Copy-PIMAzureResourcePolicy {
- [CmdletBinding()]
+ [CmdletBinding(DefaultParameterSetName='Default')]
 param (
 [Parameter(Position = 0, Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
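Review bot: The `$scope` parameter added to Backup-PIMAzureResourcePolicy carries no validation, although it is the operator-supplied path that replaces the `subscriptions/$subscriptionID` prefix used to address the policy API (the Update-Policy hunk's commented `$ARMhost/$scope/providers/...` shows the URI shape), so an empty or mistyped value addresses the wrong scope instead of failing fast. Add `[ValidateNotNullOrEmpty()]` above `[System.String]`, as Copy-PIMAzureResourcePolicy already does for `$subscriptionID`, and give the comment-based help above this hunk a `.PARAMETER scope` entry describing the expected form (e.g. `subscriptions/<id>` or `subscriptions/<id>/resourceGroups/<name>`). The same unvalidated, undocumented `$scope` is added in the parameter hunks of Copy-, Export-, Get- and Set-PIMAzureResourcePolicy.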
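Review bot: `if (!($PSBoundParameters.Keys.Contains('scope')))` re-derives by hand what the parameter sets introduced in the hunk above already encode; `if ($PSCmdlet.ParameterSetName -eq 'Default') { $scope = "subscriptions/$subscriptionID" }` states the intent directly, and `$PSBoundParameters.ContainsKey('scope')` is the idiomatic form if the dictionary check is preferred. Note also that under the Scope set `$subscriptionID` is never bound, so any later use of it in the function body, which continues past this hunk, now sees an empty string. The same construct is repeated in the body hunks of Copy-, Export-, Get- and Set-PIMAzureResourcePolicy.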
@@ -30,10 +30,14 @@ function Copy-PIMAzureResourcePolicy {
 # Tenant ID
 $tenantID,
- [Parameter(Position = 1, Mandatory = $true)]
+ [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
 [System.String]
 $subscriptionID,
+
+ [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+ [System.String]
+ $scope,
 [Parameter(Position = 2, Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
@@ -47,7 +51,10 @@ function Copy-PIMAzureResourcePolicy {
 try {
 $script:tenantID = $tenantID
 Write-Verbose "Copy-PIMAzureResourcePolicy start with parameters: tenantID => $tenantID subscription => $subscriptionID, rolename=> $rolename, copyfrom => $copyFrom"
- $scope = "subscriptions/$subscriptionID"
+ if (!($PSBoundParameters.Keys.Contains('scope'))) {
+ $scope = "subscriptions/$subscriptionID"
+ }
+
 $config2 = get-config $scope $copyFrom $true
 $rolename | ForEach-Object {
diff --git a/EasyPIM/functions/Export-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Export-PIMAzureResourcePolicy.ps1
index 3c7640a..dde5eb9 100644
--- a/EasyPIM/functions/Export-PIMAzureResourcePolicy.ps1
+++ b/EasyPIM/functions/Export-PIMAzureResourcePolicy.ps1
@@ -22,17 +22,24 @@ Homepage: https://github.com/kayasax/EasyPIM
 #>
 function Export-PIMAzureResourcePolicy {
- [CmdletBinding()]
+ [CmdletBinding(DefaultParameterSetName='Default')]
 param (
 [Parameter(Position = 0, Mandatory = $true)]
 [System.String]
 $tenantID,
- [Parameter(Position = 1, Mandatory = $true)]
+
+ [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
 [System.String]
 $subscriptionID,
+
+ [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+ [System.String[]]
+ $scope,
+
 [Parameter(Position = 2, Mandatory = $true)]
 [System.String[]]
 $rolename,
+
 [Parameter(Position = 3)]
 [System.String]
 $exportFilename
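Review bot: The `Write-Verbose` line just above the new `if` in Copy-PIMAzureResourcePolicy still reports `subscription => $subscriptionID`, which is empty when the function is called through the Scope parameter set, so the trace no longer says which scope the policy is copied into. Emit the message after the default assignment and log the effective value, e.g. `Write-Verbose "Copy-PIMAzureResourcePolicy start with parameters: tenantID => $tenantID scope => $scope, rolename=> $rolename, copyfrom => $copyFrom"`. The body hunks of Export-PIMAzureResourcePolicy and Get-PIMAzureResourcePolicy carry the same stale `subscription =>` trace; the rest of this function is outside the hunk.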
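Review bot: `$scope` in Export-PIMAzureResourcePolicy is declared `[System.String[]]` while the same parameter is `[System.String]` in Backup, Copy, Get and Set; if the body (outside this hunk) interpolates it into a URI or hands it to a helper expecting one scope, an array expands with `$OFS` into something like `subscriptions/a subscriptions/b`. Unless multi-scope export is intended and the body loops over the array, declare it `[System.String]` like the others; if it is intended, the help and the loop should say so explicitly.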
@@ -42,7 +49,10 @@ $script:tenantID = $tenantID
 Write-Verbose "Export-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename, exportFilname => $exportFilename"
- $scope = "subscriptions/$subscriptionID"
+ if (!($PSBoundParameters.Keys.Contains('scope'))) {
+ $scope = "subscriptions/$subscriptionID"
+ }
+
 # Array to contain the settings of each selected roles
 $exports = @()
diff --git a/EasyPIM/functions/Get-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Get-PIMAzureResourcePolicy.ps1
index 0dbdb02..018fe89 100644
--- a/EasyPIM/functions/Get-PIMAzureResourcePolicy.ps1
+++ b/EasyPIM/functions/Get-PIMAzureResourcePolicy.ps1
@@ -35,7 +35,7 @@ Name of the role to check
 * allow other scopes
 #>
 function Get-PIMAzureResourcePolicy {
- [CmdletBinding()]
+ [CmdletBinding(DefaultParameterSetName='Default')]
 [OutputType([PSCustomObject])]
 param (
@@ -43,10 +43,16 @@ function Get-PIMAzureResourcePolicy {
 [System.String]
 # Tenant ID
 $tenantID,
- [Parameter(Position = 1, Mandatory = $true)]
+
+ [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
 [System.String]
 # Subscription ID
 $subscriptionID,
+
+ [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+ [System.String]
+ $scope,
+
 [Parameter(Position = 2, Mandatory = $true)]
 [System.String[]]
 # Array of role name
@@ -57,7 +63,11 @@ function Get-PIMAzureResourcePolicy {
 $script:tenantID = $tenantID
 Write-Verbose "Get-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename"
- $scope = "subscriptions/$subscriptionID"
+ #defaut scope = subscription
+ if (!($PSBoundParameters.Keys.Contains('scope'))) {
+ $scope = "subscriptions/$subscriptionID"
+ }
+
 $out = @()
 $rolename | ForEach-Object {
diff --git a/EasyPIM/functions/Import-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Import-PIMAzureResourcePolicy.ps1
index f54518a..e6b6d34 100644
--- a/EasyPIM/functions/Import-PIMAzureResourcePolicy.ps1
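Review bot: The new comment `#defaut scope = subscription` in Get-PIMAzureResourcePolicy has a typo and is also the only one of the five identical default-scope blocks in this commit that explains the fallback; change it to `# default scope is the subscription unless -scope was given` and consider adding the same line to the other four functions.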
+++ b/EasyPIM/functions/Import-PIMAzureResourcePolicy.ps1
@@ -26,19 +26,13 @@ function Import-PIMAzureResourcePolicy {
 [System.String]
 $TenantID,
- [Parameter(Mandatory = $true)]
- [ValidateNotNullOrEmpty()]
- [System.String]
- $SubscriptionId,
-
 [Parameter(Mandatory = $true)]
 [String]
 $Path
 )
 $script:tenantID = $TenantID
- $script:scope="Subscriptions/$subscriptionID"
-
+
 #load settings
 Write-Verbose "Importing settings from $path"
 if ($PSCmdlet.ShouldProcess($path, "Importing policy from")) {
diff --git a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1 b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1
index 760faeb..b0d65ad 100644
--- a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1
+++ b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1
@@ -20,17 +20,23 @@ Homepage: https://github.com/kayasax/EasyPIM
 #>
 function Set-PIMAzureResourcePolicy {
- [CmdletBinding(SupportsShouldProcess = $true)]
+ [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
 [OutputType([bool])]
 param (
 [Parameter(Position = 0, Mandatory = $true)]
 [System.String]
 # Tenant ID
 $tenantID,
- [Parameter(Position = 1, Mandatory = $true)]
+
+ [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
 [System.String]
 #subscriptionID
 $subscriptionID,
+
+ [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
+ [System.String]
+ #scope
+ $scope,
 [Parameter(Position = 2, Mandatory = $true)]
 [System.String[]]
@@ -148,7 +154,10 @@ function Set-PIMAzureResourcePolicy {
 log "Function Set-PIMAzureResourcePolicy is starting with parameters: $p" -noEcho
 $script:subscriptionID = $subscriptionID
- $scope = "subscriptions/$script:subscriptionID"
+ if (!($PSBoundParameters.Keys.Contains('scope'))) {
+ $scope = "subscriptions/$script:subscriptionID"
+ }
+
 $script:tenantID=$tenantID
 #at least one approver required if approval is enable
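Review bot: Dropping the mandatory `$SubscriptionId` parameter from Import-PIMAzureResourcePolicy breaks every caller that passes `-SubscriptionId`, while the README hunk only moves the module from V1.0.2 to V1.1.0, which does not signal an interface removal. Keeping the parameter as optional and ignored, with a `Write-Warning` that it is deprecated, would preserve compatibility; otherwise this should be a major version bump. With `$script:scope = "Subscriptions/$subscriptionID"` gone, the scope presumably now comes from the imported file; that code, and whatever prevents an export from being applied to a different subscription than the operator intended, are outside this hunk. The function's parameter block also starts outside the hunk.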
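Review bot: `$script:subscriptionID = $subscriptionID`, on the line above the new block in Set-PIMAzureResourcePolicy, now stores an empty string whenever the function is invoked through the Scope parameter set, and any internal helper still reading `$script:subscriptionID` (Update-Policy built its `$scope` from it until this commit) will see that empty value. Either stop publishing it when `$scope` is bound, or remove the script-scoped variable if the Update-Policy change leaves no consumer; the rest of the function is outside this hunk.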
diff --git a/EasyPIM/internal/functions/Update-Policy.ps1 b/EasyPIM/internal/functions/Update-Policy.ps1
index 1e127e0..9dae135 100644
--- a/EasyPIM/internal/functions/Update-Policy.ps1
+++ b/EasyPIM/internal/functions/Update-Policy.ps1
@@ -23,7 +23,7 @@ function Update-Policy {
 )
 Log "Updating Policy $policyID" -noEcho
 #write-verbose "rules: $rules"
- $scope = "subscriptions/$script:subscriptionID"
+ #$scope = "subscriptions/$script:subscriptionID"
 $ARMhost = "https://management.azure.com"
 #$ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
diff --git a/EasyPIM/internal/functions/get-config.ps1 b/EasyPIM/internal/functions/get-config.ps1
index 65bfa83..240770d 100644
--- a/EasyPIM/internal/functions/get-config.ps1
+++ b/EasyPIM/internal/functions/get-config.ps1
@@ -35,10 +35,10 @@ function get-config ($scope, $rolename, $copyFrom = $null) {
 #if ($null -eq $roleID) { throw "An exception occured : can't find a roleID for $rolename at scope $scope" }
 Write-Verbose ">> RodeId = $roleID"
- if( ($roleID -eq "") -or ($null -eq $roleID)){
+ if ( ($roleID -eq "") -or ($null -eq $roleID)) {
 Log "Error getting config of $rolename"
 #continue with other roles
- return
+ return
 }
 # 2 get the role assignment for the roleID found at #1
@@ -57,7 +57,18 @@ function get-config ($scope, $rolename, $copyFrom = $null) {
 #Write-Verbose "copy from = $copyFrom"
 if ($null -ne $copyFrom) {
+ # Get access Token
+ Write-Verbose ">> Getting access token"
+ $token = Get-AzAccessToken
+
+ # setting the authentication headers for MSGraph calls
+ $authHeader = @{
+ 'Content-Type' = 'application/json'
+ 'Authorization' = 'Bearer ' + $token.Token
+ }
+
 Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false -OutFile "$_scriptPath\temp.json"
+
 $response = Get-Content "$_scriptPath\temp.json"
 $response = $response -replace '^.*"rules":\['
 $response = $response -replace '\],"effectiveRules":.*$'
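Review bot: In Update-Policy the scope line is commented out rather than removed, leaving two dead lines (`#$scope = ...` and the pre-existing `#$ARMendpoint = ...`) and no statement of where the function now derives its scope; presumably `$policyID` already carries the full resource path, but nothing in the hunk shows that. Delete the commented assignment and, once confirmed, add a one-line comment such as `# $policyID is the full ARM resource id of the policy; no scope prefix is needed here`. The function's parameters and the request code are outside this hunk.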
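Review bot: In get-config the raw response is written to a fixed file, `"$_scriptPath\temp.json"`, inside the module's own directory and read back, which is a predictable shared temp file (clobbered by concurrent runs, not cleaned up in this hunk, and left holding the policy JSON on disk) and is unnecessary: `$response = (Invoke-WebRequest -Uri $restUri -Method Get -Headers $authHeader -Verbose:$false -UseBasicParsing).Content` yields the same body string for the two `-replace` lines below without touching disk. The comment `# setting the authentication headers for MSGraph calls` is misleading, since `Get-AzAccessToken` without `-ResourceUrl` returns a token for Azure Resource Manager and `$restUri` (built outside the hunk) is presumably an ARM endpoint; say `ARM` instead. Also, recent Az.Accounts releases return `Token` as a SecureString, in which case `'Bearer ' + $token.Token` no longer produces a valid header; converting it explicitly, or pinning the module version the code was tested with, should be confirmed.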
@@ -163,9 +174,9 @@ function get-config ($scope, $rolename, $copyFrom = $null) {
 Notification_Activation_Assignee_isDefaultRecipientEnabled = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
 Notification_Activation_Assignee_NotificationLevel = $($_Notification_Activation_Assignee.NotificationLevel)
 Notification_Activation_Assignee_Recipients = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
- Notification_Activation_Approver_isDefaultRecipientEnabled = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
- Notification_Activation_Approver_NotificationLevel = $($_Notification_Activation_Approver.NotificationLevel)
- Notification_Activation_Approver_Recipients = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
+ Notification_Activation_Approver_isDefaultRecipientEnabled = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
+ Notification_Activation_Approver_NotificationLevel = $($_Notification_Activation_Approver.NotificationLevel)
+ Notification_Activation_Approver_Recipients = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
 }
 return $config
 }
diff --git a/README.md b/README.md
index 2afff9f..a82d263 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
-# EasyPIM V1.0.2
+# EasyPIM V1.1.0
+
 Powershell module to manage PIM Azure Resource Role settings with simplicity in mind.
 Easily manage PIM Azure Resource settings **at the subscription level by default** : enter a tenant ID, a subscription ID, a role name
@@ -19,8 +20,10 @@ This module is available in the PowerShell gallery: [https://www.powershellgalle
 ```pwsh
 Install-Module -Name EasyPIM -Scope CurrentUser
 ```
+
 ![image](https://github.com/kayasax/EasyPIM/assets/1241767/79086c31-19fa-4321-a5ac-6767b8d7ace3)
+
 ## Sample usage
 :large_blue_diamond: Get configuration of the role "Webmaster"