
Commit 7b12ce4

Merge pull request #53 from kayasax/reporting
V1.6.3
2 parents bd59776 + fb0d86e commit 7b12ce4

9 files changed

+284
-10
lines changed

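--- a/EasyPIM/EasyPIM.psd1
+++ b/EasyPIM/EasyPIM.psd1
@@ -4,7 +4,7 @@
 RootModule = 'EasyPIM.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.6.2'
+ModuleVersion = '1.6.3'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()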

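--- a/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1
+++ b/EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1
@@ -59,7 +59,30 @@ function Set-PIMAzureResourcePolicy {
 [System.String[]]
 # Activation requirement
 $ActivationRequirement,
+
+[Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")]
+[ValidateScript({
+# accepted values: "None","Justification", "MultiFactorAuthentication"
+# WARNING: options are CASE SENSITIVE
+$script:valid = $true
+$acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
+$_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
+return $script:valid
+})]
+[System.String[]]
+# Active Assignation requirement
+$ActiveAssignationRequirement,
 
+[Parameter()]
+[Bool]
+# Is authentication context required? ($true|$false)
+$AuthenticationContext_Enabled,
+
+[Parameter()]
+[String]
+# Authentication context value? (ex c1)
+$AuthenticationContext_Value,
+
 [Parameter()]
 [Bool]
 # Is approval required to activate a role? ($true|$false)
@@ -175,6 +198,17 @@ function Set-PIMAzureResourcePolicy {
 if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
 $rules += Set-ActivationRequirement $ActivationRequirement
 }
+if ($PSBoundParameters.Keys.Contains('ActiveAssignationRequirement')) {
+$rules += Set-ActiveAssignmentRequirement $ActiveAssignationRequirement
+}
+
+if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
+if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
+$AuthenticationContext_Value = $null
+}
+$rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value
+}
+
 
 # Approval and approvers
 if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {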
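Review bot: The `[ValidateScript]` on the new ActiveAssignationRequirement parameter (new lines 64-71) keeps its result in `$script:valid`, module-level state rewritten on every validation, where a local is enough: `[ValidateScript({ $accepted = @('None', 'Justification', 'MultiFactorAuthentication'); @($_ | Where-Object { $accepted -cnotcontains $_ }).Count -eq 0 })]`. The HelpMessage on line 63 is missing the closing quote after 'Justification. The same validator and HelpMessage are copied into Set-PIMEntraRolePolicy (lines 52-60) and Set-PIMGroupPolicy (lines 56-64), so one shared fix applies to all three. This function also names the parameter `ActiveAssignationRequirement` while the other two use `ActiveAssignmentRequirement`; adding `[Alias('ActiveAssignmentRequirement')]` here would keep the public surface consistent without breaking the name already used in this file.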

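--- a/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1
+++ b/EasyPIM/functions/Set-PIMEntraRolePolicy.ps1
@@ -49,6 +49,29 @@ function Set-PIMEntraRolePolicy {
 # Activation requirement
 $ActivationRequirement,
 
+[Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")]
+[ValidateScript({
+# accepted values: "None","Justification", "MultiFactorAuthentication"
+# WARNING: options are CASE SENSITIVE
+$script:valid = $true
+$acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
+$_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
+return $script:valid
+})]
+[System.String[]]
+# Active assignment requirement
+$ActiveAssignmentRequirement,
+
+[Parameter()]
+[Bool]
+# Is authentication context required? ($true|$false)
+$AuthenticationContext_Enabled,
+
+[Parameter()]
+[String]
+# Authentication context value? (ex c1)
+$AuthenticationContext_Value,
+
 [Parameter()]
 [Bool]
 # Is approval required to activate a role? ($true|$false)
@@ -160,6 +183,16 @@ function Set-PIMEntraRolePolicy {
 $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole
 }
 
+if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) {
+$rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole
+}
+if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
+if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
+$AuthenticationContext_Value = $null
+}
+$rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole
+}
+
 # Approval and approvers
 if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
 $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole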
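Review bot: Passing `-AuthenticationContext_Value` without `-AuthenticationContext_Enabled` is silently ignored, because the new block at lines 189-194 is keyed only on the Enabled parameter; the caller gets no rule and no warning, which for an access control is an easy way to believe a requirement is enforced when it is not. The same shape appears in Set-PIMAzureResourcePolicy (lines 205-210) and Set-PIMGroupPolicy (lines 192-197). A guard before the block, `if ($PSBoundParameters.ContainsKey('AuthenticationContext_Value') -and -not $PSBoundParameters.ContainsKey('AuthenticationContext_Enabled')) { Write-Warning "AuthenticationContext_Value is ignored unless AuthenticationContext_Enabled is also specified" }`, makes the omission visible. As a point of style, line 193 passes `-entraRole` while lines 183 and 187 pass `-EntraRole`; one casing across the file reads better.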

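--- a/EasyPIM/functions/Set-PIMGroupPolicy.ps1
+++ b/EasyPIM/functions/Set-PIMGroupPolicy.ps1
@@ -19,7 +19,7 @@
 Homepage: https://github.com/kayasax/EasyPIM
 #>
 function Set-PIMGroupPolicy {
-[CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
+[CmdletBinding(DefaultParameterSetName = 'Default', SupportsShouldProcess = $true)]
 [OutputType([bool])]
 param (
 [Parameter(Position = 0, Mandatory = $true)]
@@ -53,7 +53,29 @@ function Set-PIMGroupPolicy {
 [System.String[]]
 # Activation requirement
 $ActivationRequirement,
-
+[Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")]
+[ValidateScript({
+# accepted values: "None","Justification", "MultiFactorAuthentication"
+# WARNING: options are CASE SENSITIVE
+$script:valid = $true
+$acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
+$_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
+return $script:valid
+})]
+[System.String[]]
+# Active assignment requirement
+$ActiveAssignmentRequirement,
+
+[Parameter()]
+[Bool]
+# Is authentication context required? ($true|$false)
+$AuthenticationContext_Enabled,
+
+[Parameter()]
+[String]
+# Authentication context value? (ex c1)
+$AuthenticationContext_Value,
+
 [Parameter()]
 [Bool]
 # Is approval required to activate a role? ($true|$false)
@@ -147,7 +169,7 @@ function Set-PIMGroupPolicy {
 
 log "Function Set-PIMGroupPolicy is starting with parameters: $p" -noEcho
 
-$script:tenantID=$tenantID
+$script:tenantID = $tenantID
 
 #at least one approver required if approval is enable
 # todo chech if a parameterset would be better
@@ -164,6 +186,15 @@ function Set-PIMGroupPolicy {
 if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
 $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole
 }
+if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) {
+$rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole
+}
+if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
+if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
+$AuthenticationContext_Value = $null
+}
+$rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole
+}
 
 # Approval and approvers
 if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
@@ -176,7 +207,7 @@ function Set-PIMGroupPolicy {
 write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)"
 if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration }
 if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment }
-if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
+if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )) {
 throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
 }
 $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole
@@ -188,7 +219,7 @@ function Set-PIMGroupPolicy {
 write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)"
 if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration }
 if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment }
-if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
+if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )) {
 throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
 }
 $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole
@@ -226,7 +257,7 @@ function Set-PIMGroupPolicy {
 # Notif Active Assignment Approvers
 if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
 $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole
-}
+}
 
 # Notification Activation alert
 if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
@@ -250,7 +281,7 @@ function Set-PIMGroupPolicy {
 
 #Patching the policy
 if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
-$null = Update-EntraRolePolicy $script:config.policyID $allrules
+$null = Update-EntraRolePolicy $script:config.policyID $allrules
 }
 
 }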
@@ -0,0 +1,76 @@
1+
<#
2+
.Synopsis
3+
Rule for active assignment requirement
4+
.Description
5+
rule 2 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
6+
.Parameter ActiveAssignmentRequirement
7+
value can be "None", or one or more value from "Justification","MultiFactoAuthentication"
8+
WARNING options are case sensitive!
9+
.EXAMPLE
10+
PS> Set-ActiveAssignmentRequirement "Justification"
11+
12+
A justification will be required to activate the role
13+
14+
.Link
15+
16+
.Notes
17+
18+
#>
19+
function Set-ActiveAssignmentRequirement($ActiveAssignmentRequirement, [switch]$entraRole) {
20+
write-verbose "Set-ActiveAssignmentRequirementt : $($ActiveAssignmentRequirement.length)"
21+
if (($ActiveAssignmentRequirement -eq "None") -or ($ActiveAssignmentRequirement[0].length -eq 0 )) {
22+
#if none or a null array
23+
write-verbose "requirement is null"
24+
$enabledRules = "[],"
25+
}
26+
else {
27+
write-verbose "requirement is NOT null"
28+
$formatedRules = '['
29+
30+
$ActiveAssignmentRequirement | ForEach-Object {
31+
$formatedRules += '"'
32+
$formatedRules += "$_"
33+
$formatedRules += '",'
34+
}
35+
#remove last comma
36+
$formatedRules = $formatedRules -replace .$
37+
38+
$formatedRules += "],"
39+
$enabledRules = $formatedRules
40+
#Write-Verbose "************* $enabledRules "
41+
}
42+
43+
$properties = '{
44+
"enabledRules": '+ $enabledRules + '
45+
"id": "Enablement_Admin_Assignment",
46+
"ruleType": "RoleManagementPolicyEnablementRule",
47+
"target": {
48+
"caller": "Admin",
49+
"operations": [
50+
"All"
51+
],
52+
"level": "Assignment",
53+
"targetObjects": [],
54+
"inheritableSettings": [],
55+
"enforcedSettings": []
56+
}
57+
}'
58+
if ($entraRole) {
59+
$properties = '
60+
{
61+
"@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
62+
"enabledRules": '+ $enabledRules + '
63+
"id": "Enablement_Admin_Assignment",
64+
"target": {
65+
"caller": "EndUser",
66+
"operations": [
67+
"All"
68+
],
69+
"level": "Assignment",
70+
"inheritableSettings": [],
71+
"enforcedSettings": []
72+
}
73+
}'
74+
}
75+
return $properties
76+
}
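Review bot: `$ActiveAssignmentRequirement -eq "None"` on new line 21 is an array filter when the parameter arrives as a string array, so a caller passing `'None','Justification'` (which the per-element `[ValidateScript]` in the Set-PIM*Policy functions accepts) takes the "none" branch and the justification requirement is silently dropped; `-ccontains 'None'` plus an explicit rejection of the mix, `if (($ActiveAssignmentRequirement -ccontains 'None') -and @($ActiveAssignmentRequirement).Count -gt 1) { throw "'None' cannot be combined with other requirements" }`, closes that. An empty or `$null` array also seems to miss the first branch (`$null[0].length` is `$null`, not 0) and then yields `],` from the `-replace .$` path, which is not valid JSON, so that case deserves a test. The entraRole branch on line 65 sets `"caller": "EndUser"` on the same `Enablement_Admin_Assignment` id that the Azure branch targets with `"caller": "Admin"` on line 48; if the service matches on the target as well as the id this would configure the wrong rule, so it is worth confirming against the API. The verbose message on line 20 has a doubled "t" in the function name, and the comment block's `MultiFactoAuthentication` and "required to activate the role" should read `MultiFactorAuthentication` and "required when an active assignment is created". Since values are interpolated into the JSON unescaped, building the rule with `ConvertTo-Json` on a hashtable would be safer and remove the trailing-comma juggling.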
@@ -0,0 +1,74 @@
1+
<#
2+
.Synopsis
3+
Rule for authentication context
4+
.Description
5+
rule 3 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
6+
.Parameter AuthenticationContext_Enabled
7+
$true or $false
8+
.PARAMETER AuthenticationContext_Value
9+
authentication context name ex "c1"
10+
.PARAMETER entraRole
11+
$true or $false
12+
13+
.EXAMPLE
14+
PS> Set-AuthenticationContext -authenticationContext_Enabled $true -authenticationContext_Value "c1"
15+
16+
Authentication context c1 will be required to activate the role
17+
18+
.Link
19+
20+
.Notes
21+
22+
#>
23+
function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value, [switch]$entraRole) {
24+
write-verbose "Set-AuthenticationContext : $($authenticationContext_Enabled), $($authenticationContext_Value)"
25+
26+
27+
28+
if ($true -eq $authenticationContext_Enabled) {
29+
$enabled = "true"
30+
if ($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) {
31+
Throw "AuthenticationContext_Value cannot be null or empty if AuthenticationContext_Enabled is true"
32+
}
33+
if ( ([regex]::match($authenticationContext_Value, "c[0-9]{1,2}$").success -eq $false)) {
34+
Throw "AuthenticationContext_Value must be in the format c1 - c99"
35+
}
36+
}
37+
else { $enabled = "false" }
38+
39+
$properties = '{
40+
"id": "AuthenticationContext_EndUser_Assignment",
41+
"ruleType": "RoleManagementPolicyAuthenticationContextRule",
42+
"isEnabled": '+ $enabled + ',
43+
"claimValue": "'+ $authenticationContext_Value + '",
44+
"target": {
45+
"caller": "EndUser",
46+
"operations": [
47+
"All"
48+
],
49+
"level": "Assignment"
50+
}
51+
}'
52+
53+
if ($entraRole) {
54+
$properties = '
55+
{
56+
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
57+
"id": "AuthenticationContext_EndUser_Assignment",
58+
"isEnabled": '+ $enabled + ',
59+
"claimValue": "'+ $authenticationContext_Value + '",
60+
"target": {
61+
"caller": "EndUser",
62+
"operations": [
63+
"all"
64+
],
65+
"level": "Assignment",
66+
"inheritableSettings": [],
67+
"enforcedSettings": []
68+
}
69+
70+
71+
}'
72+
}
73+
return $properties
74+
}
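Review bot: The format check on new line 33 is anchored only at the end, so `"c[0-9]{1,2}$"` accepts values such as `abc1`; it should be `"^c[0-9]{1,2}$"`, and because it only runs when Enabled is true, a disabled call still interpolates an arbitrary `$authenticationContext_Value` unescaped into the JSON on lines 43 and 59. The empty check on line 30 misses `$null`, since `$null.length` is `$null` rather than 0, so the null case currently surfaces as the misleading "must be in the format c1 - c99" error; `[string]::IsNullOrEmpty($authenticationContext_Value)` covers both. Building the rule with `ConvertTo-Json` on a hashtable would remove the escaping concern for both branches. The entraRole branch uses `"operations": ["all"]` on line 63 while every other rule in this commit uses `"All"`; the enum may be case-insensitive, but it is worth confirming and aligning. The `.PARAMETER entraRole` doc says `$true or $false` for what is a switch; `-entraRole` on its own is the intended usage.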

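--- a/EasyPIM/internal/functions/get-EntraRoleConfig.ps1
+++ b/EasyPIM/internal/functions/get-EntraRoleConfig.ps1
@@ -46,6 +46,12 @@ function Get-EntraRoleConfig ($rolename) {
 $_activationDuration = $response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration
 # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
 $_enablementRules = $response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules
+# Active assignment requirement
+$_activeAssignmentRequirement = $response.value | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules
+# Authentication context
+$_authenticationContext_Enabled = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled
+$_authenticationContext_value = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand claimValue
+
 # approval required
 $_approvalrequired = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
 # approvers
@@ -120,6 +126,9 @@ function Get-EntraRoleConfig ($rolename) {
 PolicyID = $policyId
 ActivationDuration = $_activationDuration
 EnablementRules = $_enablementRules -join ','
+ActiveAssignmentRequirement = $_activeAssignmentRequirement -join ','
+AuthenticationContext_Enabled = $_authenticationContext_Enabled
+AuthenticationContext_Value = $_authenticationContext_value
 ApprovalRequired = $_approvalrequired
 Approvers = $_approvers -join ','
 AllowPermanentEligibleAssignment = $_permanantEligibility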
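Review bot: `$_authenticationContext_value` on new line 53 breaks the casing used by its sibling `$_authenticationContext_Enabled` and by the `AuthenticationContext_Value` property it feeds on line 131; `$_authenticationContext_Value` keeps the three aligned. Lines 52 and 53 also scan `$response.value` twice for the same rule id; a single `$authCtxRule = $response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }` followed by `$authCtxRule.isEnabled` and `$authCtxRule.claimValue` reads more directly. Get-EntraRoleConfig starts and ends outside these hunks.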
