Quantcast
Channel: PowerShell – CHUVASH.eu
Viewing all articles
Browse latest Browse all 20

A powershell script for activating an eligible role assignment in Azure AD

0
0

Recently my role assignments in Azure AD were switched from permanent to eligible ones. This is part of PIM – Privileged Identity Management, you can read more about it on MS Docs:

To activate your eligible assignment you can use Azure Portal, Graph API, and PowerShell. The activation in the portal and Graph API is described on MS Docs:

My roles within Privileged Identity Management in Azure Portal

I created a simple powershell script for activating my eligible roles quickier when I need it. There are two variants of this script:

  • a generic one, that can be run by anyone
  • a “shortcut” version that can be created for a specific account, a specific role, to make it even quicker.

A generic version

This version fetches the assignments you have, tenant id (resourcid), your account id (objectid, subjectid), and then it activates your desired role. Some parts can be made even more generic, but the key thing here is that you can adjust it and run for any account.

# I use SPO Admin a lot, change it to your desired role
$roleToActivate = "SharePoint Administrator"
# default 2 hours, update it to your needs
$hours = 2
$reason = Read-Host "Justify your elevation"
$connection = Connect-AzureAD
$account = $connection.Account
$tenantId = $connection.TenantId
$user = Get-AzureADUser SearchString $account
$objectId = $user.ObjectId
$roleDefs = Get-AzureADMSPrivilegedRoleDefinition ProviderId aadRoles ResourceId $tenantId
$roleDefinition = $roleDefs | Where-Object { $_.DisplayName -eq $roleToActivate }
$roleDefinitionId = $roleDefinition.Id
$filter = "(subjectId eq '$objectId') and (roleDefinitionId eq '$roleDefinitionId')"
$assignment = Get-AzureADMSPrivilegedRoleAssignment ProviderId "aadRoles" ResourceId $tenantId Filter $filter
if (!$assignment) {
Write-Error "There is no assignment for you as $roleToActivate"
} elseif ($assignment.AssignmentState -eq "Active") {
"Your role assignment as a $roleToActivate is already Active"
} else {
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$now = (Get-Date).ToUniversalTime()
$schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = $now.AddHours($hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest `
ProviderId 'aadRoles' `
ResourceId $tenantId `
RoleDefinitionId $roleDefinitionId `
SubjectId $objectId `
Type 'UserAdd' `
AssignmentState 'Active' `
Schedule $schedule Reason $reason
"Your assignment as $roleToActivate is now active"
}

Shortcut version

This version assumes that you already know all the ids, by running the generic version or by looking it up in Azure. When you know those ids, you can skip many calls to Azure AD, which makes activation quicker and you can start working on your task rather than surfing around to activate your role in Azure.

Connect-AzureAD
# find your guids once and fill in the values
$values = [PSCustomObject]@{
Reason = "Support"
Hours = 2
ResourceId = "f7aa13e9-c03a-49f9-8fd4-c943d2612301"
SubjectId = "cafc35f9-bf31-489a-b468-76580f780506"
RoleDefinitionId = "9039a352-599b-4e09-8693-4a17eb83a73e"
}
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$now = (Get-Date).ToUniversalTime()
$schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = $now.AddHours($values.Hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest `
ProviderId 'aadRoles' `
ResourceId $values.ResourceId `
RoleDefinitionId $values.RoleDefinitionId `
SubjectId $values.SubjectId `
Type 'UserAdd' `
AssignmentState 'Active' `
Schedule $schedule `
Reason $values.Reason

Conclusion

Save it as a script and run it when you need it. Much quicker. One important note, though: Please be aware that it still can take time to fully activate (propagate) your role, especially SharePoint Administrator, often a couple of minutes. But instead of clicking around, run the script and go grab a cup of coffee, when you’re back, you are good to go.

Security Note. Automating role activations is not less secure. You still have to log in to Azure AD using MFA (I hope you have it) even when you run the script.


Viewing all articles
Browse latest Browse all 20

Latest Images

Trending Articles





Latest Images