Created
January 29, 2022 08:02
-
-
Save JustinGrote/01667f5b17d8f1d67f6b247b06c6d45e to your computer and use it in GitHub Desktop.
Use Az Module and Microsoft Graph to Grant an Application Role to a User Assigned Managed Identity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -module Az.Resources | |
| #requires -module Az.ManagedServiceIdentity | |
| function Assert-SingleResult ([Object[]]$inputObject, [String]$Description) { | |
| <# | |
| .SYNOPSIS | |
| Helper function to ensure one and only one item. | |
| #> | |
| if ($inputObject.count -lt 1) { | |
| Write-Error [InvalidOperationException]"$Description was not found." | |
| return $false | |
| } elseif ($inputObject.count -eq 1) { | |
| return $true | |
| } else { | |
| Write-Error [InvalidOperationException]"$Description is ambiguous and refers to $($inputObject.count) objects." | |
| return $false | |
| } | |
| } | |
| function Grant-ApplicationRoleToUserAssignedManagedIdentityById { | |
| #No Az Cmdlet for this yet I don't think, Mg command is New-MgServicePrincipalAppRoleAssignedTo | |
| #Graph Reference: https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignedto?view=graph-rest-1.0&tabs=powershell | |
| param( | |
| [Guid]$PrincipalId, | |
| [Guid]$ResourceId, | |
| [Guid]$AppRoleId | |
| ) | |
| $GrantAppRoleParams = @{ | |
| Uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$ResourceId/appRoleAssignedTo" | |
| Method = 'POST' | |
| Payload = @{ | |
| principalId = $PrincipalId | |
| resourceId = $ResourceId | |
| appRoleId = $AppRoleId | |
| } | ConvertTo-Json | |
| } | |
| $result = Invoke-AzRestMethod @GrantAppRoleParams | |
| if ($result.StatusCode -ne 201) { | |
| $errResult = ($result.content | ConvertFrom-Json).error | |
| Write-Error ('{0}: {1}' -f $errResult.code, $errResult.message) | |
| return | |
| } | |
| [hashtable]$resultHashTable = $result.content | ConvertFrom-Json -AsHashTable | |
| $resultHashTable.Remove('@odata.context') | |
| [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRoleAssignment]$resultHashTable | |
| } | |
| function Grant-ApplicationRoleToUserAssignedManagedIdentity { | |
| <# | |
| .SYNOPSIS | |
| Assigns a service principal role to a user assigned managed identity | |
| .EXAMPLE | |
| Grant-ApplicationRoleToUserAssignedManagedIdentity -appname TestGraphApp -RoleName TestAppRole -UserAssignedManagedIdentityName TestUAManagedIdentity -ResourceGroupName MyTestAppRG | |
| #> | |
| [CmdletBinding(SupportsShouldProcess)] | |
| param ( | |
| #The display name of the application | |
| [String]$AppName, | |
| #The name of the role you wish to grant | |
| [String]$RoleName, | |
| #The managed identity name to grant to | |
| [String]$UserAssignedManagedIdentityName, | |
| #The resource group in which the managed identity resides | |
| [String]$ResourceGroupName | |
| ) | |
| $app = Get-AzADServicePrincipal -ConsistencyLevel eventual -Search "displayName:$AppName" | |
| if (-not (Assert-SingleResult $app $appName)) { return } | |
| $role = $app.AppRole | Where-Object DisplayName -EQ $RoleName | |
| if (-not (Assert-SingleResult $role $roleName)) { return } | |
| $identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $UserAssignedManagedIdentityName | |
| if (-not (Assert-SingleResult $identity "$ResourceGroupName\$UserAssignedManagedIdentityName")) { return } | |
| if ($PSCmdlet.ShouldProcess($App.DisplayName, "Grant $($role.DisplayName) to $($identity.Name)")) { | |
| Grant-ApplicationRoleToUserAssignedManagedIdentityById -ResourceId $app.Id -PrincipalId $identity.PrincipalId -AppRoleId $role.id | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment