Merge pull request #26612 from SebastianClaesson/patch-1

VeryEarly · web-flow · commit ee61f8f86b70 · 2024-11-18T14:46:40.000+08:00
Adding examples for constrained role delegation
diff --git a/src/Resources/Resources/help/New-AzRoleAssignment.md b/src/Resources/Resources/help/New-AzRoleAssignment.md
@@ -178,6 +178,82 @@ New-AzRoleAssignment -RoleDefinitionName "Reader" -ApplicationId $servicePrincip
 
 Grant reader access to a service principal
 
+### Example 6
+```powershell
+$Condition = '(
+ (
+  !(ActionMatches{''Microsoft.Authorization/roleAssignments/write''})
+ )
+ OR 
+ (
+  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase ''ServicePrincipal''
+ )
+)
+AND
+(
+ (
+  !(ActionMatches{''Microsoft.Authorization/roleAssignments/delete''})
+ )
+ OR 
+ (
+  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase ''ServicePrincipal''
+ )
+)'
+
+$DelegationParams = @{
+    AllowDelegation = $true
+    Condition = $Condition 
+    Scope = "/subscriptions/11112222-bbbb-3333-cccc-4444dddd5555" 
+    RoleDefinitionName = 'User Access Administrator' 
+    ObjectId = "00001111-aaaa-2222-bbbb-3333cccc4444"
+}
+
+New-AzRoleAssignment @DelegationParams
+```
+
+Grant User Access Administrator over an azure subscription with constrained delegation.<br>
+The constrained delegation will only allow that the delegated user/service principal/group may only create/delete/update new role assignments for a service principal and any roles.
+
+### Example 7
+```powershell
+$Condition = '(
+ (
+  !(ActionMatches{''Microsoft.Authorization/roleAssignments/write''})
+ )
+ OR 
+ (
+  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase ''ServicePrincipal''
+  AND
+  NOT @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}
+ )
+)
+AND
+(
+ (
+  !(ActionMatches{''Microsoft.Authorization/roleAssignments/delete''})
+ )
+ OR 
+ (
+  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase ''ServicePrincipal''
+  AND
+  NOT @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}
+ )
+)'
+
+$DelegationParams = @{
+    AllowDelegation = $true
+    Condition = $Condition 
+    Scope = "/subscriptions/11112222-bbbb-3333-cccc-4444dddd5555" 
+    RoleDefinitionName = 'User Access Administrator' 
+    ObjectId = "00001111-aaaa-2222-bbbb-3333cccc4444"
+}
+
+New-AzRoleAssignment @DelegationParams
+```
+
+Grant User Access Administrator over an azure subscription with constrained delegation.<br>
+The constrained delegation will only allow that the delegated user/service principal/group may only create/delete/update new role assignments for a service principal, excluding the [Owner](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#owner) and [User Access Administrator](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator) role.
+
 ## PARAMETERS
 
 ### -AllowDelegation
@@ -491,7 +567,8 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
 ### Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleAssignment
 
 ## NOTES
-Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
+Learn more about role assignment delegation - https://learn.microsoft.com/en-us/azure/role-based-access-control/delegate-role-assignments-portal?tabs=template 
+<br>Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
 
 ## RELATED LINKS
 
diff --git a/tools/StaticAnalysis/Exceptions/Az.Resources/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.Resources/ExampleIssues.csv
@@ -212,6 +212,13 @@
 "Az.Resources","New-AzPolicySetDefinition","3","3","Invalid_Cmdlet","5000","1",": is not a valid command name.",": '/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498',        'groupNames': [ 'group1' ]","Check the spell of :."
 "Az.Resources","New-AzPolicySetDefinition","3","7","Invalid_Cmdlet","5000","1",": is not a valid command name.",": '/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf',        'groupNames': [ 'group2' ]","Check the spell of :."
 "Az.Resources","New-AzRoleAssignment","5","2","Mismatched_Parameter_Value_Type","5111","2","New-AzRoleAssignment -ApplicationId $servicePrincipal.ApplicationId is not an expected parameter value type.","-ApplicationId","Use correct parameter value type. Expected Type is string. Now the type is .(Command)."
+"Az.Resources","New-AzRoleAssignment","1","1","Invalid_Cmdlet","5000","1","New-AzRoleAssignment is not a valid command name.","New-AzRoleAssignment -ResourceGroupName rg1 -SignInName allen.young@live.com -RoleDefinitionName Reader -AllowDelegation","Check the spell of New-AzRoleAssignment."
+"Az.Resources","New-AzRoleAssignment","3","1","Invalid_Cmdlet","5000","1","New-AzRoleAssignment is not a valid command name.","New-AzRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope '/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/rg1/providers/Microsoft.Web/sites/site1'","Check the spell of New-AzRoleAssignment."
+"Az.Resources","New-AzRoleAssignment","4","1","Invalid_Cmdlet","5000","1","New-AzRoleAssignment is not a valid command name.","New-AzRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName 'Virtual Machine Contributor' -ResourceName Devices-Engineering-ProjectRND -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceGroupName Network","Check the spell of New-AzRoleAssignment."
+"Az.Resources","New-AzRoleAssignment","5","1","Invalid_Cmdlet","5000","1","New-AzADServicePrincipal is not a valid command name.","New-AzADServicePrincipal -DisplayName 'testServiceprincipal'","Check the spell of New-AzADServicePrincipal."
+"Az.Resources","New-AzRoleAssignment","5","2","Invalid_Cmdlet","5000","1","New-AzRoleAssignment is not a valid command name.","New-AzRoleAssignment -RoleDefinitionName 'Reader' -ApplicationId $servicePrincipal.ApplicationId","Check the spell of New-AzRoleAssignment."
+"Az.Resources","New-AzRoleAssignment","6","29","Invalid_Cmdlet","5000","1","New-AzRoleAssignment is not a valid command name.","New-AzRoleAssignment @DelegationParams","Check the spell of New-AzRoleAssignment."
+"Az.Resources","New-AzRoleAssignment","7","33","Invalid_Cmdlet","5000","1","New-AzRoleAssignment is not a valid command name.","New-AzRoleAssignment @DelegationParams","Check the spell of New-AzRoleAssignment."
 "Az.Resources","Remove-AzADAppCredential","1","1","Unassigned_Variable","5110","2","Remove-AzADAppCredential -DisplayName $name is a null-valued parameter value.","-DisplayName","Assign value for $name."
 "Az.Resources","Remove-AzADAppCredential","1","1","Unassigned_Variable","5110","2","Remove-AzADAppCredential -KeyId $keyid is a null-valued parameter value.","-KeyId","Assign value for $keyid."
 "Az.Resources","Remove-AzADAppCredential","2","1","Unassigned_Variable","5110","2","Get-AzADApplication -DisplayName $name is a null-valued parameter value.","-DisplayName","Assign value for $name."
