
Commit 401a9fe

authored
Merge pull request #644 from markwahl-msft/mwahl-em-newdirect
identity governance: entitlement management bulk direct assignment creation
2 parents 0daaa5e + 5ea7c8d commit 401a9fe

1 file changed

+266
-0
lines changed

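--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,266 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Create a new entitlement management accessPackageAssignment
+.Description
+Create a new entitlement management accessPackageAssignment
+.Inputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment
+.Outputs
+Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment
+.Notes
+
+.Link
+https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgentitlementmanagementaccesspackageassignment
+#>
+function New-MgEntitlementManagementAccessPackageAssignment {
+[OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAssignment])]
+[CmdletBinding(DefaultParameterSetName='CreateMultipleRequestAdminAddExistingUser', PositionalBinding=$false, SupportsShouldProcess, ConfirmImpact='Medium')]
+[Microsoft.Graph.PowerShell.Profile('v1.0-beta')]
+param(
+
+[Parameter(Mandatory = $True,
+ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[PSCustomObject[]]$RequiredGroupMember,
+
+[Parameter(Mandatory = $True,
+ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[ValidateScript( {
+try {
+[System.Guid]::Parse($_) | Out-Null
+$true
+}
+catch {
+throw "$_ is not a valid GUID"
+}
+})]
+[string[]]$RequiredUserId,
+
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageAssignment[]]$ExistingAssignment,
+
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[Microsoft.Graph.PowerShell.Category('Body')]
+[Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessPackageAnswer[]]
+# Answers provided by the requestor to accessPackageQuestions asked of them at the time of request.
+# To construct, see NOTES section for ANSWERS properties and create a hash table.
+${Answers},
+
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[Microsoft.Graph.PowerShell.Category('Body')]
+[System.String]
+# The requestor's supplied justification.
+${Justification},
+
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[Parameter(ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[Microsoft.Graph.PowerShell.Category('Body')]
+[string]
+${StartDate},
+
+[Parameter(Mandatory = $True,
+ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[Parameter(Mandatory = $True,
+ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[Microsoft.Graph.PowerShell.Category('Body')]
+[ValidateScript( {
+try {
+[System.Guid]::Parse($_) | Out-Null
+$true
+}
+catch {
+throw "$_ is not a valid ObjectID format. Valid value is a GUID format only."
+}
+})]
+[string]
+${AccessPackageId},
+
+[Parameter(Mandatory = $True,
+ParameterSetName='CreateMultipleRequestAdminAddExistingUser')]
+[Parameter(Mandatory = $True,
+ParameterSetName='CreateMultipleRequestAdminAddExistingGroupMember')]
+[Microsoft.Graph.PowerShell.Category('Body')]
+[ValidateScript( {
+try {
+[System.Guid]::Parse($_) | Out-Null
+$true
+}
+catch {
+throw "$_ is not a valid ObjectID format. Valid value is a GUID format only."
+}
+})]
+[string]
+${AssignmentPolicyId},
+
+[Parameter(DontShow)]
+[Microsoft.Graph.PowerShell.Category('Runtime')]
+[System.Management.Automation.SwitchParameter]
+# Wait for .NET debugger to attach
+${Break},
+
+[Parameter(DontShow)]
+[ValidateNotNull()]
+[Microsoft.Graph.PowerShell.Category('Runtime')]
+[Microsoft.Graph.PowerShell.Runtime.SendAsyncStep[]]
+# SendAsync Pipeline Steps to be appended to the front of the pipeline
+${HttpPipelineAppend},
+
+[Parameter(DontShow)]
+[ValidateNotNull()]
+[Microsoft.Graph.PowerShell.Category('Runtime')]
+[Microsoft.Graph.PowerShell.Runtime.SendAsyncStep[]]
+# SendAsync Pipeline Steps to be prepended to the front of the pipeline
+${HttpPipelinePrepend},
+
+[Parameter(DontShow)]
+[Microsoft.Graph.PowerShell.Category('Runtime')]
+[System.Uri]
+# The URI for the proxy server to use
+${Proxy},
+
+[Parameter(DontShow)]
+[ValidateNotNull()]
+[Microsoft.Graph.PowerShell.Category('Runtime')]
+[System.Management.Automation.PSCredential]
+# Credentials for a proxy server to use for the remote call
+${ProxyCredential},
+
+[Parameter(DontShow)]
+[Microsoft.Graph.PowerShell.Category('Runtime')]
+[System.Management.Automation.SwitchParameter]
+# Use the default credentials for the proxy
+${ProxyUseDefaultCredentials}
+)
+
+begin {
+$alreadyDelivered = 0
+$misdelivers = 0
+$expires = 0
+$notDelivered = 0
+$nonUsers = 0
+
+if ($null -eq $StartDate -or $StartDate.Length -eq 0) {
+$now = Get-Date
+$ts = Get-Date $now.ToUniversalTime() -format "s"
+$StartDate = $ts + "Z"
+}
+
+if ($null -eq $Justification) {
+$Justification = ""
+}
+
+if ($PSBoundParameters.ContainsKey("ExistingAssignment") -eq $false) {
+write-verbose "retrieving existing assignments on $AccessPackageId"
+$ExistingAssignment = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackageId $AccessPackageId -All -expandproperty target
+$eac = $ExistingAssignment.Length
+write-verbose "retrieved existing assignments $eac"
+}
+
+$delivereds = @{ }
+$misdelivereds = @{ }
+$expireds = @{ }
+$noTarget = 0
+
+if ($null -ne $ExistingAssignment) {
+foreach ($a in $ExistingAssignment) {
+if ($null -eq $a.Target) {
+$noTarget++
+continue
+}
+if ($a.target.type -ne "User") {
+$noTarget++
+continue
+}
+$uid = $a.Target.ObjectId
+if ($a.AssignmentState -eq "Delivered") {
+$delivereds.$uid = $a
+} elseif ($a.AssignmentState -eq "Expired") {
+$expireds.$uid = $a
+} elseif ($a.AssignmentState -eq "Delivering") {
+$delivereds.$uid = $a
+} else {
+$state = $a.AssignmentState
+write-verbose "assignment to $uid in state $state"
+$misdelivereds.$uid = $a
+}
+}
+
+write-verbose "existing assignments no target user $noTarget"
+}
+
+if ($null -ne $RequiredGroupMember) {
+foreach ($m in $RequiredGroupMember) {
+if ($m.ContainsKey("@odata.type")) {
+$membertype = $m.AdditionalProperties["@odata.type"]
+# do not include nested groups, devices or service principals
+if ($membertype -ne '#microsoft.graph.user') {
+$nonUsers++
+continue
+}
+}
+$uid = $m.Id
+$RequiredUserId += $uid
+
+}
+}
+
+}
+
+process {
+foreach ($uid in $RequiredUserId) {
+if ($delivereds.ContainsKey($uid)) {
+$alreadyDelivered++
+}
+else {
+if ($misdelivereds.ContainsKey($uid)) {
+$misdelivers++
+}
+else {
+
+if ($expireds.ContainsKey($uid)) {
+$expires++
+}
+else {
+$notDelivered++
+}
+
+if($PSCmdlet.ShouldProcess($uid,"Add Request")) {
+try {
+$res = New-MgEntitlementManagementAccessPackageAssignmentRequest -RequestType "AdminAdd" `
+-AccessPackageId $AccessPackageId -AssignmentPolicyId $AssignmentPolicyId -TargetId $uid `
+-StartDate $StartDate -Justification $Justification
+write-output $res
+} catch {
+if ($ErrorActionPreference -eq "Continue") {
+write-error "error on assignment $_"
+$misdelivers++
+continue
+}
+throw
+}
+}
+}
+}
+}
+}
+
+end {
+write-verbose "already delivered $alreadyDelivered mis-delivers $misdelivers expired $expires needing delivered $notDelivered nonusers $nonUsers"
+}
+}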
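Review bot: The non-user filter in the RequiredGroupMember loop tests `$m.ContainsKey("@odata.type")` but then reads the type from `$m.AdditionalProperties["@odata.type"]`, so the guard and the lookup never refer to the same container: a Graph directory object has no ContainsKey method, and for a hashtable the AdditionalProperties lookup comes back empty, so in either shape the branch that is meant to drop nested groups, devices and service principals is unlikely to run and their ids go on to become AdminAdd targets. The filter also fails open, since a member with no `@odata.type` is appended to `$RequiredUserId` with no check at all, and the ids taken from `$m.Id` on this path never go through the GUID validation that the RequiredUserId parameter enforces. Read the type from one place and treat an unknown type as a non-user: `$membertype = if ($m.AdditionalProperties) { $m.AdditionalProperties["@odata.type"] } else { $m."@odata.type" }` followed by `if ($membertype -ne '#microsoft.graph.user') { $nonUsers++; continue }`, and validate `$uid` with the same `[System.Guid]::Parse` check before appending it. The object shape callers actually pass is not shown on this page, so the accessor should be confirmed against the output of the cmdlet used to enumerate the group's members.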
