# Register an AAD group with Privileged Identity Management (PIM)
function Get-PimToken {
<#
.SYNOPSIS
Gets the Azure auth token for PIM.
.DESCRIPTION
Asks Get-AzAccessToken for a token scoped to the PIM resource URL. Failure to
obtain a token is terminating (-ErrorAction Stop); debug output is suppressed
for this call only.
.OUTPUTS
The object returned by Get-AzAccessToken; callers read its .Token property.
#>
    [cmdletbinding()]
    param()

    $tokenRequest = @{
        ResourceUrl = 'https://api.azrbac.mspim.azure.com'
        ErrorAction = 'Stop'
        Debug       = $false
    }
    Get-AzAccessToken @tokenRequest
}
function Get-PIMAuthHeader {
<#
.SYNOPSIS
Gets the PIM auth header for REST calls.
.DESCRIPTION
Builds a single-entry hashtable with an 'Authorization: Bearer <token>' value
taken from the .Token property of Get-PimToken's output.
NOTE(review): newer Az.Accounts releases can return .Token as a SecureString
rather than a plain string; confirm the installed version before relying on
the formatted header value.
.OUTPUTS
[hashtable] suitable for the -Headers parameter of Invoke-WebRequest.
#>
    [OutputType([hashtable])]
    [cmdletbinding()]
    param()

    $accessToken = (Get-PimToken).Token
    $header = @{}
    $header['Authorization'] = 'Bearer {0}' -f $accessToken
    $header
}
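function Invoke-PimApi {
<#
.SYNOPSIS
Calls the PIM REST API and returns the parsed JSON response.
.DESCRIPTION
Appends -Route to the fixed PIM v2 base URI, attaches the bearer header from
Get-PimAuthHeader and sends the request with Invoke-WebRequest. A non-2xx
response is reported with Write-Error (non-terminating) and yields no output;
a 2xx response body is parsed with ConvertFrom-Json.
Requires PowerShell 7 or later (BaseResponse.IsSuccessStatusCode,
ConvertFrom-Json -Depth and Invoke-WebRequest -SkipHttpErrorCheck).
.PARAMETER Route
API route appended verbatim to the base URI; expected to start with '/'.
.PARAMETER Method
HTTP verb: Get, Post, Put, Delete or Patch. Defaults to Get.
.PARAMETER Body
Optional JSON request body; sent as application/json only when non-empty.
.OUTPUTS
[PSCustomObject] parsed from the response JSON, or nothing on an HTTP error.
#>
    [OutputType([PSCustomObject])]
    [cmdletbinding()]
    param(
        [parameter(Mandatory)]
        [string]$Route,

        [ValidateSet('Get', 'Post', 'Put', 'Delete', 'Patch')]
        [string]$Method = 'Get',

        [string]$Body = $null
    )

    $baseUri = 'https://api.azrbac.mspim.azure.com/api/v2'
    $uri = $baseUri + $Route

    $params = @{
        Uri         = $uri
        Method      = $Method
        Headers     = (Get-PimAuthHeader)
        ContentType = 'application/json'
        # Suppress per-call debug/verbose output from Invoke-WebRequest
        Debug       = $false
        Verbose     = $false
        # Invoke-WebRequest throws on a non-2xx status by default, which made the
        # IsSuccessStatusCode branch below unreachable; skipping that check lets this
        # function own the error reporting as written.
        SkipHttpErrorCheck = $true
    }
    if ($Body) {
        $params.Body = $Body
    }

    $response = Invoke-WebRequest @params
    if ($response.BaseResponse.IsSuccessStatusCode -ne $true) {
        Write-Error "Error received from PIM API. HTTP response [$($response.StatusCode)] - [$($response.StatusDescription)]"
    } else {
        $response.Content | ConvertFrom-Json -Depth 99
    }
}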
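# Display name of the AAD group to register with PIM; replace the placeholder before running.
$aadGroup = '<AAD-GROUP-NAME>'

# Register group with PIM
# Get-AzAdGroup -DisplayName is a filter and can return zero or several groups.
# Only a single, unambiguous match may be registered: a $null or wrong Id must
# never be sent to the API as externalId.
$matchedGroups = @(Get-AzAdGroup -DisplayName $aadGroup)
if ($matchedGroups.Count -ne 1) {
    throw "Expected exactly one AAD group with display name [$aadGroup] but found [$($matchedGroups.Count)]."
}
$aadGroupId = $matchedGroups[0].Id

# Registration body: PIM expects the group's object id as 'externalId'
$body = [pscustomobject]@{
    externalId = $aadGroupId
} | ConvertTo-Json -Compress

Invoke-PimApi -Route '/privilegedAccess/aadGroups/resources/register' -Method Post -Body $body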