
@darknoon29
Last active June 22, 2021 14:38
AD Grand Rights
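# Grants the Azure AD "Directory Readers" role to the service principal representing a SQL Managed Instance.
# Can be executed only by a "Global Administrator" or "Privileged Role Administrator" type of user.
#
# NOTE(review): this script never connects to Azure AD and never reads $aadTenant, so it acts on
# whatever tenant the current AzureAD session is signed in to. Confirm the session's tenant before
# running; a directory role assignment made in the wrong tenant is easy to miss.
# NOTE(review): the AzureAD PowerShell module is deprecated in favour of Microsoft Graph PowerShell;
# plan a migration of these cmdlets.
$aadTenant = "<YourTenantId>" # Enter your tenant ID
$managedInstanceName = "MyManagedInstance"

# Get Azure AD role "Directory Readers"; activate it from its role template if it is not yet active in the tenant.
$roleName = "Directory Readers"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if ($null -eq $role) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if ($null -eq $roleTemplate) {
        Write-Output "Error: No directory role template with name '$($roleName)' was found."
        exit 1
    }
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
}
if ($null -eq $role) {
    Write-Output "Error: Directory role '$($roleName)' could not be found or activated."
    exit 1
}

# Get service principal for your SQL Managed Instance.
# -SearchString is a search pattern rather than an exact-name lookup, so a single hit can belong to a
# differently named principal (for example "MyManagedInstance2"). Keep only principals whose display
# name equals the requested name, so the role cannot be granted to a near-match.
# @() forces an array so .Count is reliable for zero, one or many results.
$roleMember = @(Get-AzureADServicePrincipal -SearchString $managedInstanceName |
    Where-Object { $_.DisplayName -eq $managedInstanceName })
$roleMember.Count
if ($roleMember.Count -eq 0) {
    Write-Output "Error: No Service Principals with name '$($managedInstanceName)', make sure that managedInstanceName parameter was entered correctly."
    exit 1 # non-zero so automation does not treat the failure as success
}
if ($roleMember.Count -gt 1) {
    # Display names are not unique; refuse to guess which principal should receive the role.
    Write-Output "Error: More than one service principal with name pattern '$($managedInstanceName)'"
    Write-Output "Dumping selected service principals...."
    $roleMember
    exit 1
}
$servicePrincipal = $roleMember[0]

# Check if service principal is already member of readers role.
# Object IDs are compared with -eq: -match would treat the ID as a regular expression.
$allDirReaders = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
$selDirReader = $allDirReaders | Where-Object { $_.ObjectId -eq $servicePrincipal.ObjectId }
if ($null -eq $selDirReader) {
    # Add principal to readers role
    Write-Output "Adding service principal '$($managedInstanceName)' to 'Directory Readers' role'..."
    # -ErrorAction Stop: without it a failed assignment is non-terminating and the success message below would still print.
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $servicePrincipal.ObjectId -ErrorAction Stop
    Write-Output "'$($managedInstanceName)' service principal added to 'Directory Readers' role'..."
    #Write-Output "Dumping service principal '$($managedInstanceName)':"
    #$allDirReaders = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    #$allDirReaders | where{$_.ObjectId -match $roleMember.ObjectId}
}
else {
    Write-Output "Service principal '$($managedInstanceName)' is already member of 'Directory Readers' role'."
}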