
Commit a430ed6

authored
Merge pull request #159 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents 46e3849 + ef88031 commit a430ed6


1 file changed

+146
-92
lines changed

1 file changed

+146
-92
lines changed

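--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecAddGDAPRole.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecAddGDAPRole.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecAddGDAPRole {
+function Invoke-ExecAddGDAPRole {
 <#
 .FUNCTIONALITY
 Entrypoint,AnyTenant
@@ -13,109 +13,163 @@ Function Invoke-ExecAddGDAPRole {
 $APIName = $Request.Params.CIPPEndpoint
 Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 
-$CippDefaults = @(
-@{ label = 'Application Administrator'; value = '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' },
-@{ label = 'User Administrator'; value = 'fe930be7-5e62-47db-91af-98c3a49a38b1' },
-@{ label = 'Intune Administrator'; value = '3a2c62db-5318-420d-8d74-23affee5d9d5' },
-@{ label = 'Exchange Administrator'; value = '29232cdf-9323-42fd-ade2-1d097af3e4de' },
-@{ label = 'Security Administrator'; value = '194ae4cb-b126-40b2-bd5b-6091b380977d' },
-@{ label = 'Cloud App Security Administrator'; value = '892c5842-a9a6-463a-8041-72aa08ca3cf6' },
-@{ label = 'Cloud Device Administrator'; value = '7698a772-787b-4ac8-901f-60d6b08affd2' },
-@{ label = 'Teams Administrator'; value = '69091246-20e8-4a56-aa4d-066075b2a7a8' },
-@{ label = 'SharePoint Administrator'; value = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' },
-@{ label = 'Authentication Policy Administrator'; value = '0526716b-113d-4c15-b2c8-68e3c22b9f80' },
-@{ label = 'Privileged Role Administrator'; value = 'e8611ab8-c189-46e8-94e1-60213ab1f814' },
-@{ label = 'Privileged Authentication Administrator'; value = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' }
-)
+$Action = $Request.Body.Action ?? $Request.Query.Action ?? 'AddRoleSimple'
+$GroupBlockList = @('All Users', 'AdminAgents', 'HelpdeskAgents', 'SalesAgents')
 
-$Groups = $Request.body.gdapRoles ?? $CippDefaults
+switch ($Action) {
+'ListGroups' {
+$Groups = New-GraphGetRequest -NoAuthCheck $True -uri 'https://graph.microsoft.com/beta/groups?$filter=securityEnabled eq true&$select=id,displayName&$top=999' -tenantid $env:TenantID -AsApp $true | Where-Object -Property displayName -NotIn $GroupBlockList
+$Results = @($Groups)
+}
+'AddRoleAdvanced' {
+$Mappings = $Request.Body.mappings
+$Table = Get-CIPPTable -TableName 'GDAPRoles'
+$ExistingGroups = New-GraphGetRequest -NoAuthCheck $True -uri 'https://graph.microsoft.com/beta/groups?$filter=securityEnabled eq true&$select=id,displayName&$top=999' -tenantid $env:TenantID -AsApp $true
+$Results = [System.Collections.Generic.List[object]]::new()
+$ErrorsFound = $false
+$Entities = foreach ($Mapping in $Mappings) {
+$GroupId = $Mapping.GroupId
+if ($ExistingGroups.id -contains $GroupId) {
+$ExistingGroup = $ExistingGroups | Where-Object -Property id -EQ $GroupId
+if ($ExistingGroup.displayName -in $GroupBlockList) {
+$Results.Add(@{
+state = 'error'
+resultText = "Group $($ExistingGroup.displayName) is a reserved group and cannot be mapped to a GDAP role"
+})
+$ErrorsFound = $true
+} else {
+@{
+PartitionKey = 'Roles'
+RowKey = $GroupId
+RoleName = $Mapping.RoleName
+GroupName = $ExistingGroup.displayName
+GroupId = $GroupId
+roleDefinitionId = $Mapping.roleDefinitionId
+}
+$Results.Add(@{
+state = 'success'
+resultText = "Mapped $($ExistingGroup.displayName) to $($Mapping.RoleName)"
+})
+}
+}
+}
+if (($Entities | Measure-Object).Count -gt 0) {
+Write-Warning "Adding $($Entities.Count) entities to table"
+Write-Information ($Entities | ConvertTo-Json -Depth 10 -Compress)
+Add-CIPPAzDataTableEntity @Table -Entity $Entities -Force
+} elseif ($ErrorsFound -eq $false) {
+$Results.Add(@{
+state = 'success'
+resultText = 'All role mappings already exist'
+})
+}
+}
+'AddRoleSimple' {
+$CippDefaults = @(
+@{ label = 'Application Administrator'; value = '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' },
+@{ label = 'User Administrator'; value = 'fe930be7-5e62-47db-91af-98c3a49a38b1' },
+@{ label = 'Intune Administrator'; value = '3a2c62db-5318-420d-8d74-23affee5d9d5' },
+@{ label = 'Exchange Administrator'; value = '29232cdf-9323-42fd-ade2-1d097af3e4de' },
+@{ label = 'Security Administrator'; value = '194ae4cb-b126-40b2-bd5b-6091b380977d' },
+@{ label = 'Cloud App Security Administrator'; value = '892c5842-a9a6-463a-8041-72aa08ca3cf6' },
+@{ label = 'Cloud Device Administrator'; value = '7698a772-787b-4ac8-901f-60d6b08affd2' },
+@{ label = 'Teams Administrator'; value = '69091246-20e8-4a56-aa4d-066075b2a7a8' },
+@{ label = 'SharePoint Administrator'; value = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' },
+@{ label = 'Authentication Policy Administrator'; value = '0526716b-113d-4c15-b2c8-68e3c22b9f80' },
+@{ label = 'Privileged Role Administrator'; value = 'e8611ab8-c189-46e8-94e1-60213ab1f814' },
+@{ label = 'Privileged Authentication Administrator'; value = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' }
+)
 
-$CustomSuffix = $Request.body.customSuffix
-$Table = Get-CIPPTable -TableName 'GDAPRoles'
+$Groups = $Request.body.gdapRoles ?? $CippDefaults
 
-$Results = [System.Collections.Generic.List[string]]::new()
-$Requests = [System.Collections.Generic.List[object]]::new()
-$ExistingGroups = New-GraphGetRequest -NoAuthCheck $True -uri 'https://graph.microsoft.com/beta/groups' -tenantid $env:TenantID -AsApp $true
+$CustomSuffix = $Request.body.customSuffix
+$Table = Get-CIPPTable -TableName 'GDAPRoles'
 
-$ExistingRoleMappings = foreach ($Group in $Groups) {
-$RoleName = $Group.label ?? $Group.Name
-$Value = $Group.value ?? $Group.ObjectId
+$Results = [System.Collections.Generic.List[string]]::new()
+$Requests = [System.Collections.Generic.List[object]]::new()
+$ExistingGroups = New-GraphGetRequest -NoAuthCheck $True -uri 'https://graph.microsoft.com/beta/groups' -tenantid $env:TenantID -AsApp $true
 
-if ($CustomSuffix) {
-$GroupName = "M365 GDAP $($RoleName) - $CustomSuffix"
-$MailNickname = "M365GDAP$(($RoleName).replace(' ',''))$($CustomSuffix.replace(' ',''))"
-} else {
-$GroupName = "M365 GDAP $($RoleName)"
-$MailNickname = "M365GDAP$(($RoleName).replace(' ',''))"
-}
+$ExistingRoleMappings = foreach ($Group in $Groups) {
+$RoleName = $Group.label ?? $Group.Name
+$Value = $Group.value ?? $Group.ObjectId
 
-if ($GroupName -in $ExistingGroups.displayName) {
-@{
-PartitionKey = 'Roles'
-RowKey = ($ExistingGroups | Where-Object -Property displayName -EQ $GroupName).id
-RoleName = $RoleName
-GroupName = $GroupName
-GroupId = ($ExistingGroups | Where-Object -Property displayName -EQ $GroupName).id
-roleDefinitionId = $Value
-}
-$Results.Add("$GroupName already exists")
-} else {
-$Requests.Add(@{
-id = $Value
-url = '/groups'
-method = 'POST'
-headers = @{
-'Content-Type' = 'application/json'
-}
-body = @{
-displayName = $GroupName
-description = "This group is used to manage M365 partner tenants at the $($RoleName) level."
-securityEnabled = $true
-mailEnabled = $false
-mailNickname = $MailNickname
+if ($CustomSuffix) {
+$GroupName = "M365 GDAP $($RoleName) - $CustomSuffix"
+$MailNickname = "M365GDAP$(($RoleName).replace(' ',''))$($CustomSuffix.replace(' ',''))"
+} else {
+$GroupName = "M365 GDAP $($RoleName)"
+$MailNickname = "M365GDAP$(($RoleName).replace(' ',''))"
+}
+
+if ($GroupName -in $ExistingGroups.displayName) {
+@{
+PartitionKey = 'Roles'
+RowKey = ($ExistingGroups | Where-Object -Property displayName -EQ $GroupName).id
+RoleName = $RoleName
+GroupName = $GroupName
+GroupId = ($ExistingGroups | Where-Object -Property displayName -EQ $GroupName).id
+roleDefinitionId = $Value
 }
-})
-}
-}
-if ($ExistingRoleMappings) {
-Add-CIPPAzDataTableEntity @Table -Entity $ExistingRoleMappings -Force
-}
+$Results.Add("$GroupName already exists")
+} else {
+$Requests.Add(@{
+id = $Value
+url = '/groups'
+method = 'POST'
+headers = @{
+'Content-Type' = 'application/json'
+}
+body = @{
+displayName = $GroupName
+description = "This group is used to manage M365 partner tenants at the $($RoleName) level."
+securityEnabled = $true
+mailEnabled = $false
+mailNickname = $MailNickname
+}
+})
+}
+}
+if ($ExistingRoleMappings) {
+Add-CIPPAzDataTableEntity @Table -Entity $ExistingRoleMappings -Force
+}
 
-if ($Requests) {
-$ReturnedData = New-GraphBulkRequest -Requests $Requests -tenantid $env:TenantID -NoAuthCheck $True -asapp $true
-$NewRoleMappings = foreach ($Return in $ReturnedData) {
-if ($Return.body.error) {
-$Results.Add("Could not create GDAP group: $($Return.body.error.message)")
-} else {
-$GroupName = $Return.body.displayName
-@{
-PartitionKey = 'Roles'
-RowKey = $Return.body.id
-RoleName = $Return.body.displayName -replace '^M365 GDAP ', '' -replace " - $CustomSuffix$", ''
-GroupName = $Return.body.displayName
-GroupId = $Return.body.id
-roleDefinitionId = $Return.id
+if ($Requests) {
+$ReturnedData = New-GraphBulkRequest -Requests $Requests -tenantid $env:TenantID -NoAuthCheck $True -asapp $true
+$NewRoleMappings = foreach ($Return in $ReturnedData) {
+if ($Return.body.error) {
+$Results.Add("Could not create GDAP group: $($Return.body.error.message)")
+} else {
+$GroupName = $Return.body.displayName
+@{
+PartitionKey = 'Roles'
+RowKey = $Return.body.id
+RoleName = $Return.body.displayName -replace '^M365 GDAP ', '' -replace " - $CustomSuffix$", ''
+GroupName = $Return.body.displayName
+GroupId = $Return.body.id
+roleDefinitionId = $Return.id
+}
+$Results.Add("Created $($GroupName)")
+}
+}
+Write-Information ($NewRoleMappings | ConvertTo-Json -Depth 10 -Compress)
+if ($NewRoleMappings) {
+Add-CIPPAzDataTableEntity @Table -Entity $NewRoleMappings -Force
 }
-$Results.Add("Created $($GroupName)")
 }
-}
-Write-Information ($NewRoleMappings | ConvertTo-Json -Depth 10 -Compress)
-if ($NewRoleMappings) {
-Add-CIPPAzDataTableEntity @Table -Entity $NewRoleMappings -Force
-}
-}
 
-$RoleMappings = [System.Collections.Generic.List[object]]::new()
-if ($ExistingRoleMappings) {
-$RoleMappings.AddRange(@($ExistingRoleMappings))
-}
-if ($NewRoleMappings) {
-$RoleMappings.AddRange(@($NewRoleMappings))
-}
+$RoleMappings = [System.Collections.Generic.List[object]]::new()
+if ($ExistingRoleMappings) {
+$RoleMappings.AddRange(@($ExistingRoleMappings))
+}
+if ($NewRoleMappings) {
+$RoleMappings.AddRange(@($NewRoleMappings))
+}
 
-if ($Request.Body.templateId) {
-Add-CIPPGDAPRoleTemplate -TemplateId $Request.Body.templateId -RoleMappings ($RoleMappings | Select-Object -Property RoleName, GroupName, GroupId, roleDefinitionId)
-$Results.Add("Added role mappings to template $($Request.Body.templateId)")
+if ($Request.Body.templateId) {
+Add-CIPPGDAPRoleTemplate -TemplateId $Request.Body.templateId -RoleMappings ($RoleMappings | Select-Object -Property RoleName, GroupName, GroupId, roleDefinitionId)
+$Results.Add("Added role mappings to template $($Request.Body.templateId)")
+}
+}
 }
 
 $body = @{Results = @($Results) }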
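Review bot: In the new `'AddRoleAdvanced'` arm, `$Mapping.RoleName` and `$Mapping.roleDefinitionId` come straight from the request body and are persisted to the GDAPRoles table with no check at all, while `GroupId` is at least verified against the tenant's existing groups and the reserved-group blocklist; a mapping with an empty or non-GUID role definition id is stored and still reported as `success`. A guard next to the blocklist check, e.g. `if (-not ($Mapping.roleDefinitionId -as [guid]) -or [string]::IsNullOrWhiteSpace($Mapping.RoleName)) { $Results.Add(@{ state = 'error'; resultText = "Invalid role mapping for group $($ExistingGroup.displayName)" }); $ErrorsFound = $true; continue }`, would keep the table limited to well-formed mappings. The `switch ($Action)` has no `default` arm, so an unrecognized action leaves `$Results` unassigned and the function falls through to `$body = @{Results = @($Results) }` with nothing to tell the caller why; a `default { $Results = @(@{ state = 'error'; resultText = "Unknown action $Action" }) }` would make that explicit. Separately, the `Write-Warning` on new line 57 reads `$Entities.Count` while the condition above it uses `Measure-Object`: for a single mapping `$Entities` is one hashtable and `.Count` reports its key count rather than 1, so the two should agree. The enclosing function continues past the end of this hunk.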
