Last active
June 1, 2021 21:07
-
-
Save darrenjrobinson/3482e7cbdfe42d5894de4a10cac0ec7c to your computer and use it in GitHub Desktop.
Azure PowerShell Function to receive and validate Azure AD Change Notification Subscriptions. Associated Blogpost https://blog.darrenjrobinson.com/subscribing-to-azure-ad-change-notifications-with-powershell/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using namespace System.Net | |
| # Input bindings are passed in via param block. | |
| param($Request, $TriggerMetadata) | |
| # Write to the Azure Functions log stream. | |
| Write-Host "PowerShell HTTP trigger function received a new Azure AD Change Notification." | |
| # Convert Notification Details to a PSObject | |
| $objNotification = ($Request.RawBody | convertfrom-json).value | |
| # Output Notification to host | |
| write-host "NOTIFICATION: clientState '$($objNotification.clientState)'" | |
| write-host "NOTIFICATION: changedResource '$($objNotification.resource)'" | |
| write-host "NOTIFICATION: changeType '$($objNotification.changeType)'" | |
| # Build Notification Email | |
| $emailSubject = "New Azure AD Change Notification" | |
| $emailBody = "Azure AD User Change Notification Summary. `r`n `r`n clientState '$($objNotification.clientState)' `r`n changedResource '$($objNotification.resource)' `r`n changeType '$($objNotification.changeType)'" | |
| $mail = @{ | |
| "personalizations" = @( | |
| @{ | |
| "to" = @( | |
| @{ | |
| "email" = "$($env:sendGridToAddress)" | |
| } | |
| ) | |
| } | |
| ) | |
| "from" = @{ | |
| "email" = "$($env:sendGridFromAddress)" | |
| } | |
| "subject" = "$($emailSubject)" | |
| "content" = @( | |
| @{ | |
| "type" = "text/plain" | |
| "value" = "$($emailBody)" | |
| } | |
| ) | |
| } | |
| # Send Email Notification via SendGrid | |
| # Only if we have received a change notification via HTTP Trigger. | |
| if ($objNotification.clientState -and $objNotification.resource -and $objNotification.changeType) { | |
| Push-OutputBinding -Name message -Value (ConvertTo-Json -InputObject $mail -Depth 4) | |
| } | |
| # Response for Subscription Notification Validation | |
| # Must respond with the validationToken and HTTP 200 | |
| if ($Request.Query.validationToken) { | |
| write-host "RESPONSE: Sending 'OK' and validationToken to Subscription Notification Validation Request" | |
| Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ | |
| StatusCode = [HttpStatusCode]::OK | |
| Body = $Request.Query.validationToken | |
| }) | |
| } | |
| # Response for Subscription Notifications | |
| # https://docs.microsoft.com/en-us/graph/webhooks#processing-the-change-notification | |
| # Must respond with HTTP 202 | |
| if ($objNotification.clientState) { | |
| if ($objNotification.clientState -eq "$($env:clientStateValue)") { | |
| write-host "RESPONSE: Sending 'Accepted' to Subscription Notification" | |
| Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ | |
| StatusCode = [HttpStatusCode]::Accepted | |
| }) | |
| } | |
| } | |
| # Call the AD Query Function to retrieve objects and perform required logic. | |
| #if ($objNotification.clientState -and $objNotification.resource) { | |
| # write-host "FORWARDING: Sending change notification details to AzureADQuery Function" | |
| # Invoke-RestMethod -Method Post ` | |
| # -Uri "https://yourAzureFunctionApp.azurewebsites.net/api/azureadquery?code=spl3I...yourFunctionCode...g%3D%3D" ` | |
| # -headers @{"Content-Type" = "application/json" } ` | |
| # -body "clientState=$($objNotification.clientState)&updatedObject=$($objNotification.resource)" | |
| #} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment