Skip to content

Instantly share code, notes, and snippets.

@darrenjrobinson
Last active June 1, 2021 21:07
Show Gist options
  • Save darrenjrobinson/3482e7cbdfe42d5894de4a10cac0ec7c to your computer and use it in GitHub Desktop.
Save darrenjrobinson/3482e7cbdfe42d5894de4a10cac0ec7c to your computer and use it in GitHub Desktop.
Azure PowerShell Function to receive and validate Azure AD Change Notification Subscriptions. Associated Blogpost https://blog.darrenjrobinson.com/subscribing-to-azure-ad-change-notifications-with-powershell/
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function received a new Azure AD Change Notification."
# Convert Notification Details to a PSObject
$objNotification = ($Request.RawBody | convertfrom-json).value
# Output Notification to host
write-host "NOTIFICATION: clientState '$($objNotification.clientState)'"
write-host "NOTIFICATION: changedResource '$($objNotification.resource)'"
write-host "NOTIFICATION: changeType '$($objNotification.changeType)'"
# Build Notification Email
$emailSubject = "New Azure AD Change Notification"
$emailBody = "Azure AD User Change Notification Summary. `r`n `r`n clientState '$($objNotification.clientState)' `r`n changedResource '$($objNotification.resource)' `r`n changeType '$($objNotification.changeType)'"
$mail = @{
"personalizations" = @(
@{
"to" = @(
@{
"email" = "$($env:sendGridToAddress)"
}
)
}
)
"from" = @{
"email" = "$($env:sendGridFromAddress)"
}
"subject" = "$($emailSubject)"
"content" = @(
@{
"type" = "text/plain"
"value" = "$($emailBody)"
}
)
}
# Send Email Notification via SendGrid
# Only if we have received a change notification via HTTP Trigger.
if ($objNotification.clientState -and $objNotification.resource -and $objNotification.changeType) {
Push-OutputBinding -Name message -Value (ConvertTo-Json -InputObject $mail -Depth 4)
}
# Response for Subscription Notification Validation
# Must respond with the validationToken and HTTP 200
if ($Request.Query.validationToken) {
write-host "RESPONSE: Sending 'OK' and validationToken to Subscription Notification Validation Request"
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $Request.Query.validationToken
})
}
# Response for Subscription Notifications
# https://docs.microsoft.com/en-us/graph/webhooks#processing-the-change-notification
# Must respond with HTTP 202
if ($objNotification.clientState) {
if ($objNotification.clientState -eq "$($env:clientStateValue)") {
write-host "RESPONSE: Sending 'Accepted' to Subscription Notification"
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::Accepted
})
}
}
# Call the AD Query Function to retrieve objects and perform required logic.
#if ($objNotification.clientState -and $objNotification.resource) {
# write-host "FORWARDING: Sending change notification details to AzureADQuery Function"
# Invoke-RestMethod -Method Post `
# -Uri "https://yourAzureFunctionApp.azurewebsites.net/api/azureadquery?code=spl3I...yourFunctionCode...g%3D%3D" `
# -headers @{"Content-Type" = "application/json" } `
# -body "clientState=$($objNotification.clientState)&updatedObject=$($objNotification.resource)"
#}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment