A script to add groups and users to metadata policies in Purview
<#
.SYNOPSIS
Grants Azure AD groups and users access to a Microsoft Purview account.

.DESCRIPTION
The data-collection-admin group and (optionally) a managed identity are added
as root collection admins through the ARM management-plane API. The remaining
group/user object ids are then merged into the built-in metadata-policy roles
(data-source-administrator, data-curator, purview-reader, share-contributor)
through the account's data-plane policystore API.

Requires an Az session (Get-AzAccessToken is used to obtain both tokens).
#>
param(
# Purview account name; used to build the data-plane endpoint and the ARM resource id.
[string] $PurviewAccountName,
# Subscription and resource group that contain the Purview account (ARM call only).
[string] $SubscriptionId,
[string] $ResourceGroupName,
# Optional managed identity to add as a root collection admin.
# NOTE: a [string] parameter defaulted to $null binds as "", not $null; the
# helpers below therefore treat "" as "not supplied".
[string] $ManagedIdentityUserID = $null,
# Group added as root collection admin.
[string] $PurviewDataCollectionAdminGroupObjectId,
# Groups merged into the matching built-in metadata-policy role.
[string] $PurviewDataSourceAdGroupObjectId,
[string] $PurviewDataCuratorAdGroupObjectId,
[string] $PurviewReaderAdGroupObjectId,
[string] $PurviewShareContributorAdGroupObjectId,
# Optional individual users merged into the same roles ("" when omitted).
[string] $PurviewDataSourceUserObjectId = $null,
[string] $PurviewDataCuratorUserObjectId = $null,
[string] $PurviewReaderUserObjectId = $null,
[string] $PurviewShareContributorUserObjectId = $null
)
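function Add-RootCollectionAdmin(
    [string] $objectId,
    [string] $SubscriptionId,
    [string] $ResourceGroupName,
    [string] $PurviewAccountName,
    [int] $Retries = 3,
    [int] $SecondsDelay = 10
) {
    <#
    .SYNOPSIS
    Adds a principal as root collection admin of a Purview account via ARM.

    .PARAMETER objectId
    Object id of the group/user/identity to add. "" or $null is a no-op.
    .PARAMETER Retries
    Maximum number of POST attempts before the last error is rethrown.
    .PARAMETER SecondsDelay
    Pause between attempts. ($Retries/$SecondsDelay were previously read
    from undefined variables, which made the loop give up on the first
    failure; they are now explicit parameters with defaults.)
    .OUTPUTS
    Whatever the ARM endpoint returns for the successful POST.
    #>
    # Optional principals reach this function as "" (a [string] parameter
    # never binds $null), so both forms mean "nothing to add".
    if ([string]::IsNullOrEmpty($objectId)) {
        return
    }
    Write-Host "Adding root collection admin $objectId"
    # Management-plane call: needs an ARM-scoped token, not the
    # purview.azure.net token used by the policystore calls.
    $token = (Get-AzAccessToken -Resource "https://management.azure.com").Token
    $headers = @{ Authorization = "Bearer $token" }
    # Serialise the payload instead of splicing the id into a JSON string so
    # the request body is always well-formed and correctly escaped.
    $body = ConvertTo-Json -InputObject @{ objectId = $objectId } -Compress
    $uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Purview/accounts/$PurviewAccountName/addRootCollectionAdmin?api-version=2021-07-01"
    $retryCount = 1
    $completed = $false
    while (-not $completed) {
        try {
            Invoke-RestMethod -Method Post -ContentType "application/json" -Uri $uri -Headers $headers -Body $body -ErrorAction Stop
            $completed = $true
        }
        catch {
            if ($retryCount -ge $Retries) {
                Write-Host "Metadata policy update failed the maximum number of $retryCount times for $objectId"
                throw
            }
            Write-Host "Metadata policy update failed $retryCount time(s). Retrying in $SecondsDelay seconds for $objectId"
            Write-Warning $_
            Start-Sleep -Seconds $SecondsDelay
            $retryCount++
        }
    }
}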
function CallPurviewApi (
    [string] $Method,
    [string] $Url,
    [string] $Body
) {
    <#
    .SYNOPSIS
    Sends one request to the Purview data-plane API and returns the parsed response.

    .DESCRIPTION
    Reads $token from the enclosing (script) scope for the Bearer header, so
    the caller must have set it before the first call. $Body is forwarded
    as-is for every method, including GET.

    .OUTPUTS
    The object Invoke-RestMethod produced from the response body. Errors are
    echoed and rethrown.
    #>
    $requestHeaders = @{
        "Accept"        = "*/*"
        "User-Agent"    = "Windows PowerShell 7.x Purview API PS"
        "Authorization" = "Bearer $token"
        "Content-Type"  = "application/json"
    }
    Write-Host "Invoking API : Sending Request ... " -ForegroundColor DarkCyan -NoNewLine
    Write-Host " $Method $Url"
    $invokeArgs = @{
        Method  = $Method
        Uri     = $Url
        Headers = $requestHeaders
        Body    = $Body
    }
    try {
        $response = Invoke-RestMethod @invokeArgs
    }
    catch {
        Write-Host $_ :-> $_.Exception
        throw
    }
    Write-Host "API Response Received :-> " -ForegroundColor Green
    Write-Output $response
}
function Get-PolicyId() {
    <#
    .SYNOPSIS
    Lists the account's metadata policies and returns the id(s) found.

    .DESCRIPTION
    Uses $PurviewAccountName and $body from script scope. Returns
    `values.id` of the listing, i.e. one id per policy returned.
    #>
    $listUri = "https://$PurviewAccountName.purview.azure.com/policystore/metadataPolicies?api-version=2021-07-01"
    $listing = CallPurviewApi -Method "GET" -Url $listUri -Body $body
    return $listing.values.id
}
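function Add-GroupToPolicy (
    [string] $GroupId,
    [string] $PolicyId,
    [string] $PolicyName,
    [System.Array] $dnfCondition
) {
    <#
    .SYNOPSIS
    Adds a group to a metadata-policy rule's DNF condition.

    .PARAMETER GroupId
    Group object id. "" or $null returns $dnfCondition untouched.
    .PARAMETER PolicyId
    Accepted for call-site compatibility; not used by this function.
    .PARAMETER PolicyName
    Role name written into the new clause when no group clause exists yet.
    .PARAMETER dnfCondition
    Array of clause arrays. Clause [1] is assumed to be the
    "role + groups" pair, with [1][1] holding principal.microsoft.groups.
    .OUTPUTS
    The (possibly mutated) dnfCondition. The existing-clause path mutates
    the input object in place; the new-clause path returns a new outer array.
    #>
    # A [string] parameter never binds $null: omitted ids arrive as "".
    # Checking only $null let "" through and appended an empty principal.
    if ([string]::IsNullOrEmpty($GroupId)) {
        return $dnfCondition
    }
    if ($null -eq $dnfCondition[1]) {
        # No group clause yet: build the role/groups pair for this policy.
        $roleClause = [pscustomobject]@{
            fromRule               = $PolicyName
            attributeName          = "derived.purview.role"
            attributeValueIncludes = $PolicyName
        }
        $groupClause = [pscustomobject]@{
            attributeName            = "principal.microsoft.groups"
            attributeValueIncludedIn = @("$GroupId")
        }
        $dnfCondition = @($dnfCondition[0], @($roleClause, $groupClause))
    }
    else {
        # Group clause exists: extend its member list in place.
        $dnfCondition[1][1].attributeValueIncludedIn += $GroupId
    }
    return $dnfCondition
}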
function Add-UserToPolicy (
    [string] $UserId,
    [System.Array] $dnfCondition
) {
    <#
    .SYNOPSIS
    Appends a user id to the first clause of a rule's DNF condition.

    .PARAMETER UserId
    User object id; "" or $null leaves the condition untouched.
    .PARAMETER dnfCondition
    Array of clause arrays; [0][0] is assumed to carry the user list in
    attributeValueIncludedIn.
    .OUTPUTS
    The same dnfCondition, mutated in place when a user was added.
    #>
    if ([string]::IsNullOrEmpty($UserId)) {
        return $dnfCondition
    }
    $userClause = $dnfCondition[0][0]
    $userClause.attributeValueIncludedIn += $UserId
    return $dnfCondition
}
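# Add Root Collection Admins (management-plane call; obtains its own ARM token).
Add-RootCollectionAdmin -objectId $PurviewDataCollectionAdminGroupObjectId -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -PurviewAccountName $PurviewAccountName
Add-RootCollectionAdmin -objectId $ManagedIdentityUserID -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -PurviewAccountName $PurviewAccountName

# Data-plane token for the policystore calls. CallPurviewApi reads $token
# from script scope, so it must be set before the first call below.
$token = (Get-AzAccessToken -Resource "https://purview.azure.net").Token
$purviewEndpoint = "https://$PurviewAccountName.purview.azure.com"
$policyId = Get-PolicyId
# $policyId is interpolated into a URL path segment, so the listing must have
# produced exactly one id. An empty result or several ids would build a bogus
# URL and the PUT at the end could then overwrite the wrong policy.
if (@($policyId).Count -ne 1 -or [string]::IsNullOrEmpty($policyId)) {
    throw "Expected exactly one metadata policy id, got: '$policyId'"
}

# Fetch the policy by id (GET carries no body).
$uri = "$purviewEndpoint/policystore/metadataPolicies/$policyId`?api-version=2021-07-01"
$res = (CallPurviewApi -Method "GET" -Url $uri -Body $null)

# One entry per built-in role: which attributeRule id it matches and the
# group/user to merge into it. Patterns are disjoint, so first match wins.
$roleAssignments = @(
    @{ Pattern = "*data-source-administrator*"; PolicyName = "purviewmetadatarole_builtin_data-source-administrator"; GroupId = $PurviewDataSourceAdGroupObjectId; UserId = $PurviewDataSourceUserObjectId }
    @{ Pattern = "*data-curator*"; PolicyName = "purviewmetadatarole_builtin_data-curator"; GroupId = $PurviewDataCuratorAdGroupObjectId; UserId = $PurviewDataCuratorUserObjectId }
    @{ Pattern = "*purview-reader*"; PolicyName = "purviewmetadatarole_builtin_purview-reader"; GroupId = $PurviewReaderAdGroupObjectId; UserId = $PurviewReaderUserObjectId }
    @{ Pattern = "*share-contributor*"; PolicyName = "purviewmetadatarole_builtin_data-share-contributor"; GroupId = $PurviewShareContributorAdGroupObjectId; UserId = $PurviewShareContributorUserObjectId }
)
foreach ($attributeRule in $res.properties.attributeRules) {
    foreach ($assignment in $roleAssignments) {
        if ($attributeRule.id -like $assignment.Pattern) {
            $attributeRule.dnfCondition = Add-GroupToPolicy -GroupId $assignment.GroupId -PolicyId $policyId -PolicyName $assignment.PolicyName -dnfCondition $attributeRule.dnfCondition
            $attributeRule.dnfCondition = Add-UserToPolicy -UserId $assignment.UserId -dnfCondition $attributeRule.dnfCondition
            break
        }
    }
}

Write-Host "Update metadata policy (ID $policyId)..."
# -Depth 100: the default depth would truncate the nested dnfCondition arrays.
$body = ConvertTo-Json -InputObject $res -Depth 100
# Same resource URL as the GET above; the whole policy document is written back.
$uri = "$purviewEndpoint/policystore/metadataPolicies/$policyId`?api-version=2021-07-01"
CallPurviewApi -Method "PUT" -Url $uri -Body $body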