From a6adc5d109cd2d15524bb970dda548d0a2815882 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Sat, 14 Sep 2024 18:16:23 +0200 Subject: [PATCH 1/4] adding approval management for Azure and Entra roles --- EasyPIM/EasyPIM.psd1 | 8 +- ...pprove-PIMAzureResourcePendingApproval.ps1 | 73 ++++++++++++++++ .../Approve-PIMEntraRolePendingApproval.ps1 | 73 ++++++++++++++++ .../Deny-PIMAzureResourcePendingApproval.ps1 | 72 ++++++++++++++++ .../Deny-PIMEntraRolePendingApproval.ps1 | 73 ++++++++++++++++ .../Get-PIMAzureResourcePendingApproval.ps1 | 80 +++++++++++++++++ .../Get-PIMEntraRolePendingApproval.ps1 | 85 +++++++++++++++++++ EasyPIM/internal/functions/Invoke-graph.ps1 | 6 +- 8 files changed, 467 insertions(+), 3 deletions(-) create mode 100644 EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 create mode 100644 EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 create mode 100644 EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 create mode 100644 EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 create mode 100644 EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 create mode 100644 EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1 index edf4792..5411dc5 100644 --- a/EasyPIM/EasyPIM.psd1 +++ b/EasyPIM/EasyPIM.psd1 @@ -94,7 +94,13 @@ FunctionsToExport = @( 'New-PIMGroupEligibleAssignment', 'Remove-PIMGroupActiveAssignment', 'Remove-PIMGroupEligibleAssignment', - 'Show-PIMReport' + 'Show-PIMReport', + 'Get-PIMAzureResourcePendingApproval', + 'Approve-PIMAzureResourcePendingApproval', + 'Deny-PIMAzureResourcePendingApproval', + 'Get-PIMEntraRolePendingApproval', + 'Approve-PIMEntraRolePendingApproval', + 'Deny-PIMEntraRolePendingApproval' ) # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. 
diff --git a/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 new file mode 100644 index 0000000..072e0ab --- /dev/null +++ b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 
@@ -0,0 +1,73 @@ +<# +.Synopsis +EASYPIM +Powershell module to manage PIM Azure Resource Role settings with simplicity in mind +Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level +Support querrying multi roles at once + +.Description + +Get-PIMAzureResourcePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval + +.PARAMETER approvalID +approval ID from get-PIMAzureResourcePendingApproval + +.PARAMETER justification +justification for the approval + +.Example + PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request" + + Approve a pending request + +.Link + +.Notes + Homepage: https://github.com/kayasax/easyPIM + Author: MICHEL, Loic + Changelog: + Todo: + * allow other scopes +#> +function Approve-PIMAzureResourcePendingApproval { + [CmdletBinding()] + [OutputType([PSCustomObject])] + param ( + + [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true, + ValueFromPipelineByPropertyName = $true)] + [System.String] + # Tenant ID + $approvalID, + + [Parameter(Position = 1, Mandatory = $true)] + [System.String] + # justification + $justification + + ) + try { + $script:tenantID = $tenantID + + Write-Verbose "approve-PIMAzureResourcePendingApproval start with parameters: approvalid => $approvalID, justification => $justification" + + #Get the stages: + #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn + $stages=Invoke-AzRestMethod -Uri "https://management.azure.com/$approvalID/stages?api-version=2021-01-01-preview" -Method GET + + $stageid=($stages.Content | convertfrom-json).value.id + + #approve the request + #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn + + $body='{"properties":{"justification":"'+$justification+'","reviewResult":"Approve"}}' + + Invoke-AzRestMethod -Uri 
"https://management.azure.com/$stageid/?api-version=2021-01-01-preview" -Payload $body -Method PUT + return "Success, request approved" + + } + catch { + MyCatch $_ + } + +} \ No newline at end of file diff --git a/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 new file mode 100644 index 0000000..2f1d7a4 --- /dev/null +++ b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 
@@ -0,0 +1,73 @@ +<# +.Synopsis +EASYPIM +Powershell module to manage PIM Azure Resource Role settings with simplicity in mind +Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level +Support querrying multi roles at once + +.Description + +Approve-PIMEntraRolePendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval + +.PARAMETER approvalID +approval ID from get-PIMAzureResourcePendingApproval + +.PARAMETER justification +justification for the approval + +.Example + PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request" + + Approve a pending request + +.Link + +.Notes + Homepage: https://github.com/kayasax/easyPIM + Author: MICHEL, Loic + Changelog: + Todo: + * allow other scopes +#> +function Approve-PIMEntraRolePendingApproval { + [CmdletBinding()] + [OutputType([PSCustomObject])] + param ( + + [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true, + ValueFromPipelineByPropertyName = $true)] + [System.String] + # Approval ID + $approvalID, + + [Parameter(Position = 1, Mandatory = $true)] + [System.String] + # justification + $justification + + ) + try { + #$script:tenantID = $tenantID + + Write-Verbose "approve-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification" + + #Get the stages: + #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn + $stages=Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/" -Method GET -version "beta" + + $stageid=$stages.id + + #approve the request + #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn + + $body='{"justification":"'+$justification+'","reviewResult":"Approve"}' + + Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body 
$body -version "beta" -Method PATCH + return "Success, request approved" + + } + catch { + MyCatch $_ + } + +} \ No newline at end of file diff --git a/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 new file mode 100644 index 0000000..4157c6f --- /dev/null +++ b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 
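Review bot: Approve-PIMEntraRolePendingApproval changes privileged-role state and binds `approvalID` from the pipeline, yet `[CmdletBinding()]` declares no ShouldProcess support, so there is no `-WhatIf` or `-Confirm` guard when a whole list of pending requests is piped in. Declare `[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]` and wrap the PATCH call in `if ($PSCmdlet.ShouldProcess($approvalID, 'Approve')) { ... }`. The other Approve-/Deny- functions added by this patch have the same shape. Separately, the help block is copied from another cmdlet: the description says it will retrieve pending requests and the example calls approve-PIMAzureResourcePendingApproval.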
@@ -0,0 +1,72 @@ +<# +.Synopsis +EASYPIM +Powershell module to manage PIM Azure Resource Role settings with simplicity in mind +Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level +Support querrying multi roles at once + +.Description + +Deny-PIMAzureResourcePendingApproval will deny request + +.PARAMETER approvalID +approval ID from get-PIMAzureResourcePendingApproval + +.PARAMETER justification +justification for the deny + +.Example + PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "You don't need this role" + + Deny a pending request + +.Link + +.Notes + Homepage: https://github.com/kayasax/easyPIM + Author: MICHEL, Loic + Changelog: + Todo: + * allow other scopes +#> +function Deny-PIMAzureResourcePendingApproval { + [CmdletBinding()] + [OutputType([PSCustomObject])] + param ( + [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true, + ValueFromPipelineByPropertyName = $true)] + [System.String] + # Tenant ID + $approvalID, + + [Parameter(Position = 1, Mandatory = $true)] + [System.String] + # justification + $justification + + ) + try { + $script:tenantID = $tenantID + + Write-Verbose "approve-PIMAzureResourcePendingApproval start with parameters: approvalid => $approvalID, justification => $justification" + + #Get the stages: + #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn + $stages = Invoke-AzRestMethod -Uri "https://management.azure.com/$approvalID/stages?api-version=2021-01-01-preview" -Method GET + + $stageid = ($stages.Content | convertfrom-json).value.id + + #approve the request + #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn + + $body = '{"properties":{"justification":"' + $justification + '","reviewResult":"Deny"}}' + + Invoke-AzRestMethod -Uri "https://management.azure.com/$stageid/?api-version=2021-01-01-preview" -Payload $body 
-Method PUT + return "Success, request denied" + + } + catch { + MyCatch $_ + } + +} \ No newline at end of file diff --git a/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 new file mode 100644 index 0000000..9406c8a --- /dev/null +++ b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 
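Review bot: `return "Success, request denied"` runs regardless of what the PUT returned, because the result of `Invoke-AzRestMethod` is never inspected; that cmdlet reports HTTP failures through the `StatusCode` of the object it returns rather than by throwing, so a rejected call would not reach `catch` and would still be reported as success (worth confirming against the Az.Accounts version in use). Capture the result, e.g. `$response = Invoke-AzRestMethod -Uri ... -Payload $body -Method PUT`, and return the success string only when `$response.StatusCode` is 2xx, otherwise `throw` so `MyCatch` handles it. Capturing it also stops the raw response object from being written to the pipeline ahead of the status string. The `Write-Verbose` line still says approve-PIMAzureResourcePendingApproval, and Approve-PIMAzureResourcePendingApproval has the same unchecked PUT.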
@@ -0,0 +1,73 @@ +<# +.Synopsis +EASYPIM +Powershell module to manage PIM Azure Resource Role settings with simplicity in mind +Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level +Support querrying multi roles at once + +.Description + +Deny-PIMEntraRolePendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval + +.PARAMETER approvalID +approval ID from get-PIMAzureResourcePendingApproval + +.PARAMETER justification +justification for the approval + +.Example + PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I Deny this request" + + Deny a pending request + +.Link + +.Notes + Homepage: https://github.com/kayasax/easyPIM + Author: MICHEL, Loic + Changelog: + Todo: + * allow other scopes +#> +function Deny-PIMEntraRolePendingApproval { + [CmdletBinding()] + [OutputType([PSCustomObject])] + param ( + + [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true, + ValueFromPipelineByPropertyName = $true)] + [System.String] + # Approval ID + $approvalID, + + [Parameter(Position = 1, Mandatory = $true)] + [System.String] + # justification + $justification + + ) + try { + #$script:tenantID = $tenantID + + Write-Verbose "Deny-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification" + + #Get the stages: + #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn + $stages=Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/" -Method GET -version "beta" + + $stageid=$stages.id + + #Deny the request + #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn + + $body='{"justification":"'+$justification+'","reviewResult":"Deny"}' + + Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" 
-Method PATCH + return "Success, request Denyd" + + } + catch { + MyCatch $_ + } + +} \ No newline at end of file diff --git a/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 new file mode 100644 index 0000000..f42837f --- /dev/null +++ b/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 
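Review bot: The comment-based help for Deny-PIMEntraRolePendingApproval does not describe this cmdlet: the description says it will "retrieve the requests pending your approval", the example calls `Deny-PIMAzureResourcePendingApproval`, and the `approvalID` help points to get-PIMAzureResourcePendingApproval, so someone following it would pass an Entra approval ID to the Azure-resource cmdlet. Suggested wording: description `Deny-PIMEntraRolePendingApproval denies a pending Entra role activation request`, `approvalID` as `approval ID from Get-PIMEntraRolePendingApproval`, `justification` as `justification for the denial`, and the example using `Deny-PIMEntraRolePendingApproval`. The returned string `"Success, request Denyd"` also has a typo; `"Success, request denied"` would match the Azure-resource variant.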
@@ -0,0 +1,80 @@ +<# +.Synopsis +EASYPIM +Powershell module to manage PIM Azure Resource Role settings with simplicity in mind +Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level +Support querrying multi roles at once + +.Description + +Get-PIMAzureResourcePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval + +.PARAMETER tenantID +Tenant ID + +.Example + PS> Get-PIMAzureResourcePendingApproval -tenantID $tenantID + + show pending request you can approve + +.Link + +.Notes + Homepage: https://github.com/kayasax/easyPIM + Author: MICHEL, Loic + Changelog: + Todo: + * allow other scopes +#> +function Get-PIMAzureResourcePendingApproval { + [CmdletBinding()] + [OutputType([PSCustomObject])] + param ( + + [Parameter(Position = 0, Mandatory = $true)] + [System.String] + # Tenant ID + $tenantID + + ) + try { + $script:tenantID = $tenantID + + Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID" + + $out = @() + $response = invoke-AzRestMethod -Uri "https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentScheduleRequests?api-version=2020-10-01&`$filter=asApprover()" + $pendingApproval = $response.Content | convertfrom-json + if ($null -ne $pendingApproval.value.properties) { + $pendingApproval.value.properties | % { + $request = @{ + "principalType" = $_.principalType; + "principalId" = $_.expandedProperties.Principal.id; + "principalDisplayname" = $_.expandedProperties.Principal.displayName; + "roleId" = $_.expandedProperties.RoleDefinition.id; + "roleDisplayname" = $_.expandedProperties.RoleDefinition.displayName; + "status" = $_.status; + "startDateTime" = $_.scheduleInfo.startDateTime; + "ticketInfo" = $_.ticketInfo; + "justification" = $_.justification; + "scope" = $_.Scope; + "approvalId" = $_.approvalId; + "requestType" = $_.requestType; + "createdOn" = $_.createdOn; + } + 
$o = New-Object -TypeName PSObject -Property $request + $out += $o + } + } + if ($out.length -eq 0) { + write-host "No pending approval" + return $null + } + return $out + + } + catch { + MyCatch $_ + } + +} \ No newline at end of file diff --git a/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 new file mode 100644 index 0000000..39cd8bb --- /dev/null +++ b/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 
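Review bot: A failed ARM call is indistinguishable from an empty approval queue in Get-PIMAzureResourcePendingApproval: `$response.StatusCode` is never checked, so an error response (for example from an expired or wrong-tenant Az context) has no `value.properties`, `$out` stays empty and the function prints "No pending approval". For an approver that silently hides outstanding privileged-access requests; check the status code and `throw` on a non-2xx response before parsing `$response.Content`. Note also that the mandatory `-tenantID` is only stored in `$script:tenantID` and is not applied to the `invoke-AzRestMethod` call, which presumably runs under whatever Az context is current. Approve- and Deny-PIMAzureResourcePendingApproval contain the same `$script:tenantID = $tenantID` line without declaring a `tenantID` parameter, so there it assigns whatever that name resolves to in an outer scope.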
@@ -0,0 +1,85 @@ +<# +.Synopsis +EASYPIM +Powershell module to manage PIM Azure Resource Role settings with simplicity in mind +Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level +Support querrying multi roles at once + +.Description + +Get-PIMEntraRolePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval + +.PARAMETER tenantID +Tenant ID + +.Example + PS> Get-PIMEntraRolePendingApproval -tenantID $tenantID + + show pending request you can approve + +.Link + +.Notes + Homepage: https://github.com/kayasax/easyPIM + Author: MICHEL, Loic + Changelog: + Todo: + * allow other scopes +#> +function Get-PIMEntraRolePendingApproval{ + #[CmdletBinding()] + #[OutputType([PSCustomObject])] + <#param ( + + [Parameter(Position = 0, Mandatory = $true)] + [System.String] + # Tenant ID + $tenantID + + )#> + try { + #$script:tenantID = $tenantID + + Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID" + + $endpoint="/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='approver')?$filter=status eq 'PendingApproval'" + $response = Invoke-Graph -Endpoint $endpoint -Method "GET" + + $out = @() + + $pendingApproval = $response.value + + if ($null -ne $pendingApproval) { + $pendingApproval | % { + $role=invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryRoles(roletemplateid ='"+$_.roledefinitionid+"')") -Method get + $principalDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$_.Principalid+"/") -Method get + $request = @{ + "principalId" = $_.Principalid; + "principalDisplayname" = $principalDisplayName.displayName; + "roleId" = $_.RoleDefinitionid; + + "roleDisplayname" = $role.displayname; + "status" = $_.status; + "startDateTime" = $_.CreatedDateTime; + "ticketInfo" = $_.ticketInfo; + "justification" = $_.justification; + "scope" = 
"/"; + "approvalId" = $_.approvalId; + "createdOn" = $_.createdDateTime; + } + $o = New-Object -TypeName PSObject -Property $request + $out += $o + } + } + if ($out.length -eq 0) { + write-host "No pending approval" + return $null + } + return $out + + } + catch { + MyCatch $_ + } + +} \ No newline at end of file diff --git a/EasyPIM/internal/functions/Invoke-graph.ps1 b/EasyPIM/internal/functions/Invoke-graph.ps1 index 7c1f137..e2567ee 100644 --- a/EasyPIM/internal/functions/Invoke-graph.ps1 +++ b/EasyPIM/internal/functions/Invoke-graph.ps1 @@ -44,15 +44,17 @@ function invoke-graph { Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID" $scopes = @( "RoleManagementPolicy.ReadWrite.Directory", + "PrivilegedAccess.ReadWrite.AzureAD", "RoleManagement.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.AzureADGroup", "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureADGroup", "AuditLog.Read.All", - "Directory.Read.All") + "Directory.Read.All", + "EntitlementManagement.ReadWrite.All") - Connect-MgGraph -Tenant $script:tenantID -Scopes $scopes + Connect-MgGraph -Tenant $script:tenantID -Scopes $scopes -NoWelcome } if ( $body -ne "") { From 5907cf91c31a4c5f9ad65782dfe56d601f98ee30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Sun, 15 Sep 2024 13:12:31 +0200 Subject: [PATCH 2/4] remove unused graph scope --- EasyPIM/internal/functions/Invoke-graph.ps1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/EasyPIM/internal/functions/Invoke-graph.ps1 b/EasyPIM/internal/functions/Invoke-graph.ps1 index e2567ee..e45ceb5 100644 --- a/EasyPIM/internal/functions/Invoke-graph.ps1 +++ b/EasyPIM/internal/functions/Invoke-graph.ps1 
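Review bot: In the `$endpoint` string of Get-PIMEntraRolePendingApproval the OData parameter is written as `?$filter=` inside double quotes, so PowerShell expands `$filter` as a (most likely empty) variable and the request goes out without a `$filter` key; the `status eq 'PendingApproval'` restriction is then probably not applied and already-decided requests can be listed as pending. Escape the dollar sign with a backtick as the Azure-resource function does: ``"...filterByCurrentUser(on='approver')?`$filter=status eq 'PendingApproval'"``. The `Write-Verbose` line also names Get-PIMAzureResourcePendingApproval and prints `$tenantID`, which this version never declares because the `param` block is commented out.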
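Review bot: `PrivilegedAccess.ReadWrite.AzureAD` is added to the single scope list that `Connect-MgGraph` requests for every invoke-graph caller, so read-only cmdlets such as Get-PIMEntraRolePendingApproval now ask for the same write consent as the approve/deny path. Please add a comment next to each new scope naming the call that needs it, for example `# required by roleAssignmentApprovals/.../steps PATCH` if that is what this scope is for, so a later reviewer can tell when it is safe to remove. Longer term, consider letting callers pass the scopes they need instead of always requesting the union. invoke-graph begins and ends outside this hunk.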
@@ -51,8 +51,7 @@ function invoke-graph { "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureADGroup", "AuditLog.Read.All", - "Directory.Read.All", - "EntitlementManagement.ReadWrite.All") + "Directory.Read.All") Connect-MgGraph -Tenant $script:tenantID -Scopes $scopes -NoWelcome } From 1d9a7ba71797d71e5c188100017e03c1ae0bdd0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Mon, 16 Sep 2024 10:30:11 +0200 Subject: [PATCH 3/4] updating approval functions to work with several pipeline objects --- ...pprove-PIMAzureResourcePendingApproval.ps1 | 3 +- .../Approve-PIMEntraRolePendingApproval.ps1 | 37 ++++++++++--------- .../Deny-PIMAzureResourcePendingApproval.ps1 | 3 +- .../Deny-PIMEntraRolePendingApproval.ps1 | 3 +- .../Get-PIMEntraRolePendingApproval.ps1 | 10 ++--- 5 files changed, 30 insertions(+), 26 deletions(-) diff --git a/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 index 072e0ab..c14a483 100644 --- a/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 +++ b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 @@ -46,6 +46,7 @@ function Approve-PIMAzureResourcePendingApproval { $justification ) + process{ try { $script:tenantID = $tenantID @@ -69,5 +70,5 @@ function Approve-PIMAzureResourcePendingApproval { catch { MyCatch $_ } - +} } \ No newline at end of file diff --git a/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 index 2f1d7a4..0cc503f 100644 --- a/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 +++ b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 
@@ -34,8 +34,8 @@ function Approve-PIMEntraRolePendingApproval { [OutputType([PSCustomObject])] param ( - [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true, - ValueFromPipelineByPropertyName = $true)] + [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true, + ValueFromPipelineByPropertyName = $true)] [System.String] # Approval ID $approvalID, 
@@ -46,28 +46,29 @@ function Approve-PIMEntraRolePendingApproval { $justification ) - try { - #$script:tenantID = $tenantID + process { + try { + #$script:tenantID = $tenantID - Write-Verbose "approve-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification" + Write-Verbose "approve-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification" - #Get the stages: - #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn - $stages=Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/" -Method GET -version "beta" + #Get the stages: + #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn + $stages = Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/" -Method GET -version "beta" - $stageid=$stages.id + $stageid = $stages.id - #approve the request - #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn + #approve the request + #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn - $body='{"justification":"'+$justification+'","reviewResult":"Approve"}' + $body = '{"justification":"' + $justification + '","reviewResult":"Approve"}' - Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" -Method PATCH - return "Success, request approved" + Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" -Method PATCH + return "Success, request approved" + } + catch { + MyCatch $_ + } } - catch { - MyCatch $_ - } - } \ No newline at end of file diff --git a/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 index 4157c6f..b981845 100644 
--- a/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 +++ b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 @@ -45,6 +45,7 @@ function Deny-PIMAzureResourcePendingApproval { $justification ) + process{ try { $script:tenantID = $tenantID @@ -69,4 +70,4 @@ function Deny-PIMAzureResourcePendingApproval { MyCatch $_ } -} \ No newline at end of file +}} \ No newline at end of file diff --git a/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 index 9406c8a..57bb8fa 100644 --- a/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 +++ b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 @@ -46,6 +46,7 @@ function Deny-PIMEntraRolePendingApproval { $justification ) + process{ try { #$script:tenantID = $tenantID @@ -70,4 +71,4 @@ function Deny-PIMEntraRolePendingApproval { MyCatch $_ } -} \ No newline at end of file +}} \ No newline at end of file diff --git a/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 index 39cd8bb..c6b41b2 100644 --- a/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 +++ b/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 @@ -27,18 +27,18 @@ Tenant ID * allow other scopes #> function Get-PIMEntraRolePendingApproval{ - #[CmdletBinding()] - #[OutputType([PSCustomObject])] - <#param ( + [CmdletBinding()] + [OutputType([PSCustomObject])] + param ( [Parameter(Position = 0, Mandatory = $true)] [System.String] # Tenant ID $tenantID - )#> + ) try { - #$script:tenantID = $tenantID + $script:tenantID = $tenantID Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID" From f54c3e4022e2be0d129d2b0ca8a82b22d6b65be7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?= Date: Mon, 16 Sep 2024 10:41:45 +0200 Subject: [PATCH 4/4] correcting pests --- EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 | 2 +- EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 | 2 +- EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 | 2 +- EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 | 2 +- EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 | 4 ++-- EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 index c14a483..13d137b 100644 --- a/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 +++ b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1 @@ -31,7 +31,7 @@ justification for the approval #> function Approve-PIMAzureResourcePendingApproval { [CmdletBinding()] - [OutputType([PSCustomObject])] + [OutputType([String])] param ( [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true, diff --git a/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 index 0cc503f..9e33122 100644 --- a/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 +++ b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1 @@ -31,7 +31,7 @@ justification for the approval #> function Approve-PIMEntraRolePendingApproval { [CmdletBinding()] - [OutputType([PSCustomObject])] + [OutputType([String])] param ( [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true, diff --git a/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 index b981845..86ac9f1 100644 --- a/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 +++ b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1 
@@ -31,7 +31,7 @@ justification for the deny #> function Deny-PIMAzureResourcePendingApproval { [CmdletBinding()] - [OutputType([PSCustomObject])] + [OutputType([String])] param ( [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] diff --git a/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 index 57bb8fa..eec90c5 100644 --- a/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 +++ b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1 @@ -31,7 +31,7 @@ justification for the approval #> function Deny-PIMEntraRolePendingApproval { [CmdletBinding()] - [OutputType([PSCustomObject])] + [OutputType([String])] param ( [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true, diff --git a/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 b/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 index f42837f..ba2187b 100644 --- a/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 +++ b/EasyPIM/functions/Get-PIMAzureResourcePendingApproval.ps1 @@ -46,7 +46,7 @@ function Get-PIMAzureResourcePendingApproval { $response = invoke-AzRestMethod -Uri "https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentScheduleRequests?api-version=2020-10-01&`$filter=asApprover()" $pendingApproval = $response.Content | convertfrom-json if ($null -ne $pendingApproval.value.properties) { - $pendingApproval.value.properties | % { + $pendingApproval.value.properties | ForEach-Object { $request = @{ "principalType" = $_.principalType; "principalId" = $_.expandedProperties.Principal.id; @@ -67,7 +67,7 @@ function Get-PIMAzureResourcePendingApproval { } } if ($out.length -eq 0) { - write-host "No pending approval" + #write-host "No pending approval" return $null } return $out 
diff --git a/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 b/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 index c6b41b2..a32bcd2 100644 --- a/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 +++ b/EasyPIM/functions/Get-PIMEntraRolePendingApproval.ps1 @@ -50,7 +50,7 @@ function Get-PIMEntraRolePendingApproval{ $pendingApproval = $response.value if ($null -ne $pendingApproval) { - $pendingApproval | % { + $pendingApproval | ForEach-Object { $role=invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryRoles(roletemplateid ='"+$_.roledefinitionid+"')") -Method get $principalDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$_.Principalid+"/") -Method get $request = @{ @@ -72,7 +72,7 @@ function Get-PIMEntraRolePendingApproval{ } } if ($out.length -eq 0) { - write-host "No pending approval" + #write-host "No pending approval" return $null } return $out