Closed jlucaspains closed 6 months ago
Script:
[CmdletBinding()] param () $RolesToAddFile = "./NewAppRole.json" $AppNames = @( "OrdersApi", "PeopleApi" ) $Roles = @{ "Administrators" = "administrator" "Developers" = "developers" "Users" = "users" } $Envs = @( @("Dev", "dev"), @("QA", "qa")#, #@("Prod", "prod")) ) foreach ($AppName in $AppNames) { Write-Host "Processing $($AppName)..." foreach ($Env in $Envs) { $FullAppName = "$($AppName)-$($Env[0])" Write-Host "Processing $FullAppName..." $appObjectId = (az ad app list --display-name $FullAppName --query "[0].id" -o tsv) $appSPObjectId = $(az ad sp list --display-name $FullAppName --query '[0].id' -o tsv) $jsonData = Get-Content -Path $RolesToAddFile | ConvertFrom-Json Write-Verbose "App Object Id: $appObjectId" Write-Verbose "App Service Principal Object Id: $appSPObjectId" Write-Host "Creating unique list of roles to update..." $existingAppRegRolesJson = (az ad app list --display-name $FullAppName --query "[0].appRoles") Write-Verbose ($existingAppRegRolesJson | ConvertTo-Json) $existingAppRegRoles = $existingAppRegRolesJson | ConvertFrom-Json $mergedUniqueRoles = $existingAppRegRoles + $jsonData | Sort-Object -Property Id -Unique $appRoles = $mergedUniqueRoles | ConvertTo-Json Write-Verbose $appRoles $appRoles > "./TempRoles.json" Write-Host "Adding app registration roles..." az ad app update --id $appObjectId --app-roles "./TempRoles.json" $existingRoles = (az rest -m GET -u "https://graph.microsoft.com/v1.0/servicePrincipals/$appSPObjectId/appRoleAssignedTo") | ConvertFrom-Json Write-Verbose $existingRoles foreach ($role in $jsonData) { if ($null -eq $Roles[$role.Value]) { Write-Host "Role $($role.Value) is not defined in the script. Skipping..." continue; } $existingRole = $existingRoles.value | Where-Object { $_.appRoleId -eq $role.id } if ($null -ne $existingRole) { Write-Verbose $existingRole Write-Host "Binding already exist between $($role.Value) and group prefix-$($Env[1])-$($Roles[$role.Value])..." continue; } Write-Host "Binding $($role.Value) to group prefix-$($Env[1])-$($Roles[$role.Value])..." $RoleGuid = $role.id $groupId = (az ad group list --display-name "prefix-$($Env[1])-$($Roles[$role.Value])" --query "[0].id" -o tsv) $postBody = "{\""principalId\"": \""$groupId\"", \""resourceId\"": \""$appSPObjectId\"", \""appRoleId\"": \""$RoleGuid\""}" Write-Verbose $postBody az rest -m POST -u "https://graph.microsoft.com/v1.0/servicePrincipals/$appSPObjectId/appRoleAssignments" -b $postBody --headers "Content-Type=application/json" } } Write-Host "Finished procesing $($AppName)" }
Roles.json:
[ { "allowedMemberTypes": [ "User" ], "description": "Can use all app features including write capabilities", "displayName": "Administrator", "id": "25909a57-ce45-49d3-b1f3-4b6f3d03d15a", "isEnabled": true, "origin": "Application", "value": "Administrator" }, { "allowedMemberTypes": [ "User" ], "description": "Can configure aspects the application but generally not make administrative changes", "displayName": "Developer", "id": "07470a96-716a-4688-92fd-6fb452f81202", "isEnabled": true, "origin": "Application", "value": "Developer" }, { "allowedMemberTypes": [ "User" ], "description": "Can view data and perform user level actions but not make administrative changes", "displayName": "User", "id": "3e87b7be-a276-4e85-add7-974e0d29fed8", "isEnabled": true, "origin": "Application", "value": "User" } ]
Script:
Roles.json: