AD Grant Rights
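# Gives Azure Active Directory read permission to a Service Principal representing the SQL Managed Instance.
# Can be executed only by a "Global Administrator" or "Privileged Role Administrator" type of user.
# Prerequisite: an AzureAD module session against the intended tenant (Connect-AzureAD -TenantId <tenant id>).
$aadTenant = "<YourTenantId>" # Enter your tenant ID
$managedInstanceName = "MyManagedInstance"

# Refuse to run unless the current AzureAD session belongs to the tenant named above. This script changes
# directory role membership, and running it while signed in to the wrong tenant is the most likely operator error.
$session = Get-AzureADCurrentSessionInfo
if ([string]$session.TenantId -ne $aadTenant) {
    Write-Error "Error: Connected to tenant '$($session.TenantId)' but aadTenant is '$($aadTenant)'. Run Connect-AzureAD -TenantId '$($aadTenant)' first."
    exit 1
}

# Get Azure AD role "Directory Readers" and activate it from its template if it has not been enabled yet
$roleName = "Directory Readers"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if ($null -eq $role) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if ($null -eq $roleTemplate) {
        Write-Error "Error: No directory role template named '$($roleName)' was found in this tenant."
        exit 1
    }
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
}

# Get service principal for your SQL Managed Instance.
# -SearchString is a prefix match on the display name, so narrow the result to an exact name match:
# the role must be granted to exactly one, known principal. @() keeps .Count reliable for 0/1 results.
$roleMember = @(Get-AzureADServicePrincipal -SearchString $managedInstanceName |
    Where-Object { $_.DisplayName -eq $managedInstanceName })
if ($roleMember.Count -eq 0) {
    Write-Error "Error: No Service Principals with name '$($managedInstanceName)', make sure that managedInstanceName parameter was entered correctly."
    exit 1
}
if ($roleMember.Count -ne 1) {
    Write-Error "Error: More than one service principal with name '$($managedInstanceName)'"
    Write-Output "Dumping selected service principals...."
    $roleMember | Format-List DisplayName, ObjectId, AppId
    exit 1
}
$roleMember = $roleMember[0]

# Check if service principal is already member of readers role.
# Compare ObjectIds with -eq: -match treats the right-hand side as a regex and does a substring test.
$allDirReaders = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
$selDirReader = $allDirReaders | Where-Object { $_.ObjectId -eq $roleMember.ObjectId }
if ($null -eq $selDirReader) {
    # Add principal to readers role
    Write-Output "Adding service principal '$($managedInstanceName)' to 'Directory Readers' role'..."
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $roleMember.ObjectId
    Write-Output "'$($managedInstanceName)' service principal added to 'Directory Readers' role'..."
    # To verify afterwards:
    #   Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Where-Object { $_.ObjectId -eq $roleMember.ObjectId }
}
else {
    Write-Output "Service principal '$($managedInstanceName)' is already member of 'Directory Readers' role'."
}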