
Adding roles to Azure Entra app registration and user groups #11

Closed jlucaspains closed 6 months ago

jlucaspains commented 8 months ago

Script:

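[CmdletBinding()]
param ()

# Adds the app roles listed in $RolesToAddFile to every "<AppName>-<Env>" app
# registration and binds each role to the group "prefix-<env>-<suffix>" taken
# from $Roles, for all apps in $AppNames and all environments in $Envs.
# Run with -Verbose to see the resolved ids and the JSON payloads.
#
# Needs a signed-in `az` session whose identity can update those app
# registrations and create app role assignments on their service principals;
# use the least-privileged identity that can. Every az call is checked and
# every lookup must match exactly one object, so a misspelled or ambiguous
# name stops the run instead of posting an assignment with an empty or wrong id.

$ErrorActionPreference = 'Stop'

$RolesToAddFile = "./NewAppRole.json"
$AppNames = @(
    "OrdersApi",
    "PeopleApi"
)
# Maps a role's `value` (as written in the roles file) to the group-name
# suffix it is bound to. Roles whose value has no entry here are skipped.
# NOTE(review): these keys are plural ("Administrators") while the sample
# roles file shown with this script uses singular values ("Administrator");
# with that file every role would be skipped - confirm the two agree.
$Roles = @{
    "Administrators" = "administrator"
    "Developers" = "developers"
    "Users" = "users"
}
$Envs = @(
    @("Dev", "dev"),
    @("QA", "qa")#,
    #@("Prod", "prod"))
)

# Runs `az` with the given argument list and returns its stdout lines.
# Throws when az exits non-zero: a failed lookup or update must stop the run
# rather than be carried silently into the next call.
function Invoke-Az {
    param ([string[]] $Arguments)
    $output = & az @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "az $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $output
}

# Returns the object id of the single directory object of kind 'app', 'sp'
# or 'group' whose displayName equals $DisplayName. An exact OData filter is
# used instead of --display-name, which the az docs describe as a prefix
# match and which could therefore select a similarly named object.
# Throws unless exactly one object matches.
function Get-SingleObjectId {
    param ([string] $Kind, [string] $DisplayName)
    # A single quote inside an OData string literal is written doubled.
    $filter = "displayName eq '$($DisplayName.Replace("'", "''"))'"
    $ids = @(Invoke-Az -Arguments @('ad', $Kind, 'list', '--filter', $filter, '--query', '[].id', '-o', 'tsv') |
        Where-Object { $_ })
    if ($ids.Count -ne 1) {
        throw "Expected exactly one $Kind named '$DisplayName' but found $($ids.Count)"
    }
    return $ids[0]
}

# Returns every appRoleAssignedTo entry of the service principal, following
# @odata.nextLink so assignments beyond the first page are seen as well;
# a missed one would be re-posted and rejected by Graph as a duplicate.
function Get-AppRoleAssignments {
    param ([string] $ServicePrincipalId)
    $assignments = @()
    $url = "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/appRoleAssignedTo"
    while ($url) {
        $page = (Invoke-Az -Arguments @('rest', '-m', 'GET', '-u', $url)) -join "`n" | ConvertFrom-Json
        $assignments += @($page.value)
        $url = $page.'@odata.nextLink'
    }
    return $assignments
}

# Roles to add, read once. -Raw hands the whole file to ConvertFrom-Json and
# @() keeps a single-role file an array.
$jsonData = @(Get-Content -Path $RolesToAddFile -Raw | ConvertFrom-Json)

# Inputs for az go through temp files (written without BOM) that are removed
# in the finally block whether or not the run succeeds.
$tempRolesFile = [System.IO.Path]::GetTempFileName()
$tempBodyFile = [System.IO.Path]::GetTempFileName()
try {
    foreach ($AppName in $AppNames) {
        Write-Host "Processing $($AppName)..."
        foreach ($Env in $Envs) {
            $FullAppName = "$($AppName)-$($Env[0])"
            Write-Host "Processing $FullAppName..."
            $appObjectId = Get-SingleObjectId -Kind 'app' -DisplayName $FullAppName
            $appSPObjectId = Get-SingleObjectId -Kind 'sp' -DisplayName $FullAppName

            Write-Verbose "App Object Id: $appObjectId"
            Write-Verbose "App Service Principal Object Id: $appSPObjectId"

            Write-Host "Creating unique list of roles to update..."
            $existingJson = (Invoke-Az -Arguments @('ad', 'app', 'show', '--id', $appObjectId, '--query', 'appRoles')) -join "`n"
            Write-Verbose $existingJson
            $existingAppRegRoles = @($existingJson | ConvertFrom-Json)

            # Existing roles are kept exactly as they are; only roles whose id
            # is not yet on the app registration are appended from the file.
            # (Sort-Object -Unique leaves unspecified which duplicate survives.)
            $mergedRoles = @($existingAppRegRoles)
            $knownIds = @{}
            foreach ($existing in $existingAppRegRoles) {
                $knownIds[[string]$existing.id] = $true
            }
            foreach ($candidate in $jsonData) {
                if (-not $knownIds.ContainsKey([string]$candidate.id)) {
                    $mergedRoles += $candidate
                    $knownIds[[string]$candidate.id] = $true
                }
            }

            # -InputObject keeps the JSON an array even for a single role;
            # piping one object into ConvertTo-Json would emit a bare object.
            $appRoles = ConvertTo-Json -InputObject @($mergedRoles) -Depth 10
            Write-Verbose $appRoles
            [System.IO.File]::WriteAllText($tempRolesFile, $appRoles)

            Write-Host "Adding app registration roles..."
            Invoke-Az -Arguments @('ad', 'app', 'update', '--id', $appObjectId, '--app-roles', $tempRolesFile) | Out-Null

            $existingRoles = Get-AppRoleAssignments -ServicePrincipalId $appSPObjectId
            Write-Verbose "Existing assignments: $(ConvertTo-Json -InputObject @($existingRoles) -Compress -Depth 10)"

            foreach ($role in $jsonData) {
                $groupSuffix = $Roles[$role.Value]
                if ($null -eq $groupSuffix) {
                    Write-Host "Role $($role.Value) is not defined in the script. Skipping..."
                    continue
                }
                $groupName = "prefix-$($Env[1])-$groupSuffix"

                # Resolve the group before the existence check so the check
                # can match on the principal as well as the role: the same role
                # assigned to some other principal must not hide a missing
                # binding for this group.
                $groupId = Get-SingleObjectId -Kind 'group' -DisplayName $groupName

                $existingRole = $existingRoles | Where-Object {
                    $_.appRoleId -eq $role.id -and $_.principalId -eq $groupId
                }

                if ($null -ne $existingRole) {
                    Write-Verbose (ConvertTo-Json -InputObject $existingRole -Compress -Depth 10)
                    Write-Host "Binding already exist between $($role.Value) and group $groupName..."
                    continue
                }

                Write-Host "Binding $($role.Value) to group $groupName..."
                $RoleGuid = $role.id

                # The body is serialized by ConvertTo-Json and handed to az via
                # a file, avoiding hand-escaped quotes and JSON on the command
                # line.
                $postBody = ConvertTo-Json -Compress -InputObject ([ordered]@{
                    principalId = $groupId
                    resourceId  = $appSPObjectId
                    appRoleId   = $RoleGuid
                })
                Write-Verbose $postBody
                [System.IO.File]::WriteAllText($tempBodyFile, $postBody)

                Invoke-Az -Arguments @('rest', '-m', 'POST',
                    '-u', "https://graph.microsoft.com/v1.0/servicePrincipals/$appSPObjectId/appRoleAssignments",
                    '-b', "@$tempBodyFile",
                    '--headers', 'Content-Type=application/json') | Out-Null
            }
        }

        Write-Host "Finished procesing $($AppName)"
    }
}
finally {
    Remove-Item -Path $tempRolesFile, $tempBodyFile -Force -ErrorAction SilentlyContinue
}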

Roles.json:

[
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can use all app features including write capabilities",
        "displayName": "Administrator",
        "id": "25909a57-ce45-49d3-b1f3-4b6f3d03d15a",
        "isEnabled": true,
        "origin": "Application",
        "value": "Administrator"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can configure aspects of the application but generally not make administrative changes",
        "displayName": "Developer",
        "id": "07470a96-716a-4688-92fd-6fb452f81202",
        "isEnabled": true,
        "origin": "Application",
        "value": "Developer"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can view data and perform user level actions but not make administrative changes",
        "displayName": "User",
        "id": "3e87b7be-a276-4e85-add7-974e0d29fed8",
        "isEnabled": true,
        "origin": "Application",
        "value": "User"
    }
]