Created
September 21, 2020 11:23
Script to remove Service Principal from Power BI workspaces
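# =================================================================================================================================================
## This script will remove the given Service Principal from Power BI workspaces
## It will first ask for the (correct) ObjectId of the Service Principal
## Then it will ask for the credentials of a Power BI Service Administrator
##
## The workspace query runs with -Scope Organization and the removal goes through the admin REST endpoint,
## so every matching workspace in the tenant is affected. The script does not restore access afterwards;
## set $ReportOnly to $true first to review the list of affected workspaces.
# =================================================================================================================================================
## Parameters
# Remove the Service Principal from workspaces that are in Premium capacity?
$RemoveFromPremiumCapacityWorkspaces = $true
# Remove the Service Principal from workspaces that are in shared capacity?
$RemoveFromSharedCapacityWorkspaces = $true
# Only report the workspaces that contain the Service Principal, without removing it?
$ReportOnly = $false
# =================================================================================================================================================
Clear-Host
$ErrorActionPreference = 'Stop'
Write-Host "
========================================================================
__ ___ __ ___ __ _
/ |/ /___ ___/ /___ ____ ___ / _ \ ___ _ / /_ ___ _ ___ _ (_)
/ /|_/ // _ \/ _ // -_)/ __// _ \ / // // _ '// __// _ '/_ / _ '// /
/_/ /_/ \___/\_,_/ \__//_/ /_//_//____/ \_,_/ \__/ \_,_/(_)\_,_//_/
___ ___ _ _ __
/ _ \ ___ _ _ __ ___ / _ \ __ __ (_) (_)/ /_ ___ ____
/ // // _ '/| |/ // -_) / , _// // // / / // __// -_)/ __/
/____/ \_,_/ |___/ \__/ /_/|_| \_,_//_/__/ / \__/ \__//_/
|___/
========================================================================
"
#IMPORTANT: you need the correct ObjectId of the Service Principal
$PowerBIServicePrincipalObjectId = Read-Host -Prompt 'Specify ObjectId of Service Principal (find this in the "Enterprise applications" in Azure Active Directory)'
if ($PowerBIServicePrincipalObjectId) {
    # Pasted ids often carry leading or trailing whitespace
    $PowerBIServicePrincipalObjectId = $PowerBIServicePrincipalObjectId.Trim()
}

# Set once the sign-in has succeeded, so that the finally block only logs out a session that exists
$ConnectedToPowerBI = $false
try {
    if ($PowerBIServicePrincipalObjectId) {
        # The value is matched against workspace users and placed in the path of a REST URL below.
        # Require a GUID so that a typo or stray characters stop the script before any admin call is made.
        $ParsedObjectId = [guid]::Empty
        if (-not [guid]::TryParse($PowerBIServicePrincipalObjectId, [ref]$ParsedObjectId)) {
            # With $ErrorActionPreference = 'Stop' this ends the script
            Write-Error "The provided ObjectId is not a valid GUID: '$PowerBIServicePrincipalObjectId'"
        }
        $PowerBIServicePrincipalObjectId = $ParsedObjectId.ToString()

        # Connecting to Power BI (this will prompt for credentials, use an account that has the Power BI admin role!)
        Write-Host "Connecting to Power BI (this will prompt for credentials, use an account that has the Power BI admin role!)..."
        Connect-PowerBIServiceAccount
        $ConnectedToPowerBI = $true

        # Keep track of all the workspaces that we 'touch', and of those where the removal call failed
        $listofworkspaces = [System.Collections.ArrayList]::new()
        $failedworkspaces = [System.Collections.ArrayList]::new()

        # Get all workspaces (and filter to only v2 workspaces in the selected capacity types that list the Service Principal as a user)
        Write-Host "Retrieving workspaces..."
        # @() keeps the result an array, so .Count is reliable when exactly one workspace matches
        $AllV2Workspaces = @(Get-PowerBIWorkspace -All -Scope Organization -Include All | Where-Object {
            $_.Type -eq "Workspace" -and
            (
                ($_.IsOnDedicatedCapacity -eq $True -and $RemoveFromPremiumCapacityWorkspaces -eq $true) -or
                ($_.IsOnDedicatedCapacity -eq $False -and $RemoveFromSharedCapacityWorkspaces -eq $true)
            ) -and
            $_.Users.Identifier -eq $PowerBIServicePrincipalObjectId
        })
        Write-Host "=================================================================================================================================="

        # Check if there are workspaces to work with
        if ($AllV2Workspaces.Count -gt 0) {
            Write-Host "Found $($AllV2Workspaces.Count) workspaces..."

            # Warn if there are 200 workspaces or more, as this might trigger API thresholds
            if ($AllV2Workspaces.Count -ge 200) {
                Write-Warning "Found 200 workspaces or more. This might trigger the thresholds of the Power BI REST API."
            }

            # Remove the Service Principal from workspaces
            foreach ($Workspace in $AllV2Workspaces) {
                Write-Host "=================================================================================================================================="
                $WorkspaceName = $Workspace.Name
                $WorkspaceId = $Workspace.Id
                Write-Host "Found workspace: $WorkspaceName."

                # Track this workspace
                [void]$listofworkspaces.Add($WorkspaceName)

                # Check if Service Principal is in the workspace
                $ServicePrincipalInWorkspace = $Workspace.Users | Where-Object { $_.Identifier -eq $PowerBIServicePrincipalObjectId }
                if ($ServicePrincipalInWorkspace) {
                    Write-Host "Service Principal is a member of: $WorkspaceName, with role type $($ServicePrincipalInWorkspace.AccessRight)."

                    if ($ReportOnly) {
                        Write-Host "Report-only mode: Service Principal was not removed from workspace." -ForegroundColor DarkCyan
                    }
                    else {
                        # Remove Service Principal
                        Write-Host "Removing Service Principal from workspace..." -ForegroundColor DarkCyan
                        # Call the admin REST API to delete the Service Principal from this workspace
                        try {
                            Invoke-PowerBIRestMethod -Method Delete -Url "admin/groups/$WorkspaceId/users/$PowerBIServicePrincipalObjectId"
                            Write-Host "Done."
                        }
                        catch {
                            # Record the failure first: a removal that did not go through leaves the access in place
                            [void]$failedworkspaces.Add($WorkspaceName)
                            Resolve-PowerBIError -Last
                        }
                    }
                }
                else {
                    Write-Host "Service Principal is not a member of: $WorkspaceName."
                }
            }
            Write-Host "=================================================================================================================================="

            # Report the tracked list of workspaces
            Write-Host "List of workspaces we checked during the script:"
            $listofworkspaces

            # Make incomplete removals visible instead of leaving them only in the scroll-back
            if ($failedworkspaces.Count -gt 0) {
                Write-Warning "Removal failed for $($failedworkspaces.Count) workspace(s); the Service Principal still has access there:"
                $failedworkspaces
            }
        }
        else {
            Write-Warning "No workspaces that contain the Service Principal!"
        }
    }
    else {
        Write-Error "No ObjectId provided for the Service Principal!"
    }
}
finally {
    # Always end the admin session, also when a cmdlet above stopped the script with an error
    if ($ConnectedToPowerBI) {
        Logout-PowerBIServiceAccount
    }
}
Write-Host "`nScript finished."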