An AI Agent for Entra ID using PowerShell
<#
From an Admin PowerShell session, install the following PowerShell modules, which are dependencies:
Install-Module -Name PShell-AI
Install-Module -Name PSAI
Install-Module Microsoft.Graph
#>
# Load the two AI agent modules and only the Microsoft.Graph sub-modules this script actually uses
# (Authentication for Connect-MgGraph, Users and Groups for the generated queries).
foreach ($moduleName in 'PShell-AI', 'PSAI', 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users', 'Microsoft.Graph.Groups') {
    Import-Module -Name $moduleName
}
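# Enter your OpenAI API Key and export it to a local file. On Windows, Export-Clixml protects the SecureString
# with DPAPI, so the file is only readable by the user who created it, on the computer it was created on.
# NOTE(review): on Linux/macOS Export-Clixml does not DPAPI-protect the SecureString — treat the file as a plain
# secret there and restrict its permissions.
# Use any text for the Username (e.g. OpenAIAPIKey) and the API Key as the password.
$apiKeyFile = '.\openAIcred.xml'
# Test-Path avoids the ItemNotFound error Get-Item writes to the console when the file does not exist yet.
if (-not (Test-Path -Path $apiKeyFile -PathType Leaf)) {
    $cred = Get-Credential -Message 'Username: any label (e.g. OpenAIAPIKey). Password: your OpenAI API key.'
    $cred | Export-Clixml -Path $apiKeyFile
}
# One import serves both the first-run and the existing-file case (the original repeated it in each branch).
# NOTE(review): $env:OpenAIKey is presumably what PShell-AI/PSAI read; an environment variable is inherited by
# every child process started from this session, so confirm that exposure is acceptable before launching other tools.
$env:OpenAIKey = (Import-Clixml -Path $apiKeyFile).GetNetworkCredential().Password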
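# Create an Entra ID Application Registration with application permissions to Microsoft Graph limited to
# Directory.Read.All, User.Read.All and Group.Read.All (read-only: the generated queries run under these scopes).
# Enter the ClientID of the Application registration as the Username and the Client Secret created for it
# as the Password. The file has the same DPAPI (Windows-only) protection as the OpenAI key file above.
$entraIDKeyFile = '.\entraIDAppCred.xml'
# Test-Path avoids the ItemNotFound error Get-Item writes when the file is missing on first run.
if (-not (Test-Path -Path $entraIDKeyFile -PathType Leaf)) {
    $entraIDcred = Get-Credential -Message 'Username: application (client) ID. Password: client secret.'
    $entraIDcred | Export-Clixml -Path $entraIDKeyFile
}
else {
    $entraIDcred = Import-Clixml -Path $entraIDKeyFile
}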
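# Replace with your own tenant ID (GUID or verified domain name) before running.
$tenantID = 'yourEntraIDTenantID'
try {
    # -ErrorAction Stop makes a failed connection a terminating error so the catch block below actually sees it;
    # without it Connect-MgGraph can write a non-terminating error and execution would continue unauthenticated.
    Connect-MgGraph -ClientSecretCredential $entraIDcred -TenantId $tenantID -ErrorAction Stop
    # Print the scopes granted to the token so the operator can confirm the app holds only the read-only
    # permissions listed above before any generated query is executed.
    (Get-MgContext).Scopes
}
catch {
    # Diagnostics go to the warning stream rather than Write-Host/Write-Debug, so they are visible by default
    # and still separable from normal output.
    Write-Warning "Failed to connect to Azure AD. Check the credentials and try again."
    Write-Warning $_.Exception.Message
    # Non-zero exit code so a calling script or scheduler notices the failure.
    exit 1
}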
# Create an agent to use for the Entra ID queries.
# Pass the query to the agent, display the generated PowerShell, then execute it.
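function Query-EntraID {
    # ConfirmImpact is High because the code that runs is model output: it is displayed and must be confirmed
    # before Invoke-Expression sees it. Pass -Confirm:$false to skip the prompt, -WhatIf to only display the code.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    [Alias("Entra")]
    Param (
        # Natural-language question about Entra ID users/groups; with a process block each pipeline item is handled.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$query
    )
    process {
        # Cache the agent in script scope. A plain '$agent = ...' inside the function is function-local, so the
        # original '-not $agent.Instructions' check never found a previous agent and rebuilt one on every call.
        if (-not $script:agent) {
            $script:agent = New-Agent -Instructions "An agent that performs Entra ID/Azure AD queries with PowerShell for User Accounts and Groups using the Microsoft.Graph PowerShell Module. There is no need to install the module, connect to MgGraph or disconnect, just the query to get the result."
        }
        try {
            $agentResponse = $script:agent | Get-AgentResponse $query
            # Group 1 is the body of a ```powershell ... ``` fence; (?s) lets '.' match across lines.
            $resultMatches = [regex]::Matches($agentResponse, '(?s)powershell(.*?)```')
            if ($resultMatches.Count -eq 1) {
                # Use the capture group instead of stripping the literal word 'powershell' from the whole match,
                # which also corrupted any generated code that happened to contain that word.
                $generated = $resultMatches[0].Groups[1].Value.Trim()
                Clear-Host
                Write-Host "Generated query ...." -ForegroundColor DarkMagenta
                Write-Host -ForegroundColor Blue $generated
                # SECURITY: Invoke-Expression runs whatever the model returned, with this session's rights and the
                # Graph app's granted scopes. Read the displayed code before answering the prompt, and keep the app
                # registration on the read-only scopes listed in the Connect-MgGraph section.
                if ($PSCmdlet.ShouldProcess($generated, 'Invoke-Expression')) {
                    return Invoke-Expression $generated
                }
            }
            else {
                # Zero or several fenced blocks: show the raw text rather than guessing which block to run.
                Write-Output $resultMatches.Value
            }
        }
        catch {
            # Warning stream instead of Write-Host so the failure is distinguishable from query output.
            Write-Warning $_.Exception.Message
        }
    }
}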
# Entra is an alias for Query-EntraID; each example prompt below is sent to the agent in turn.
$examplePrompts = @(
    "Find all the accounts that have a first name that starts with A and return their ID, mail, UPN",
    "How many Groups are there?",
    "List each group and how many members they have",
    "how many user accounts are guests",
    "show the accounts that are guests"
)
foreach ($prompt in $examplePrompts) {
    Query-EntraID $prompt
}