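#Requires -Modules Az.Accounts, Az.Resources
#Requires -Version 7.2

# Fail fast: undefined variables, non-terminating errors and cmdlet errors all
# abort the script instead of being silently skipped.
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$PSDefaultParameterValues['*:ErrorAction'] = 'Stop'

# Tenant-independent, well-known identifiers.
# App role (application permission) ID of Directory.Read.All on Microsoft Graph.
New-Variable -Name DirectoryReadAllAppRoleId -Value '7ab1d382-f21e-4acd-a863-ba3e13f7da61' -Option Constant -Scope Script
# Application (client) ID of Microsoft Graph itself.
New-Variable -Name MicrosoftGraphApiId -Value '00000003-0000-0000-c000-000000000000' -Option Constant -Scope Script
# Azure RBAC built-in role definition IDs. Not referenced by the functions in this file.
New-Variable -Name AzRoleUserAccessAdministrator -Value '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' -Option Constant -Scope Script
New-Variable -Name AzRoleContributor -Value 'b24988ac-6180-42a0-ab88-20f7382dd24c' -Option Constant -Scope Script

# NOTE(review): this is used as the resourceId of an appRoleAssignment, i.e. the
# *object* ID of the Microsoft Graph service principal. That object ID is
# different in every tenant, so this value only works in the tenant it was
# copied from; resolve it from MicrosoftGraphApiId before reusing the script.
New-Variable -Name MsGraphResourceId -Value 'e51b873a-e178-4e6a-ab84-b07d68b33bc8' -Option Constant -Scope Script

# Name given to the federated identity credential created on the application.
New-Variable -Name FedCredentialName -Value 'GitHub' -Option Constant -Scope Script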
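<#
.SYNOPSIS
Creates an Azure AD application with Federated Credentials for GitHub
.DESCRIPTION
Creates an Azure AD application (through its service principal) and the
federated identity credential required to let a GitHub workflow authenticate
using OIDC. If exactly one service principal with the given display name
already exists it is returned as-is and no credential is added to it; if
several exist the function throws rather than guess which one to reuse.
.PARAMETER Name
Specifies the display name of the application.
.PARAMETER Subject
Specifies the subject for the OIDC integration, such as "repo:kenmuse/MyRepo:environment:dev"
.INPUTS
Pipe objects are not supported
.OUTPUTS
MicrosoftGraphServicePrincipal. The service principal for the application.
#>
function New-GhAzOidcApplication {
    [OutputType('Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphServicePrincipal')]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $Name,
        [Parameter(Mandatory = $true)]
        [string]
        $Subject
    )

    # Display names are not unique in Azure AD. Reusing an existing principal is
    # only safe when the match is unambiguous, because callers go on to grant
    # the returned principal Graph permissions with admin consent.
    $matches = @(Get-AzADServicePrincipal -DisplayName $Name)
    if ($matches.Count -gt 1) {
        throw "Found $($matches.Count) service principals named '$Name'; refusing to pick one."
    }
    if ($matches.Count -eq 1) {
        return $matches[0]
    }

    # Creating the service principal also creates the backing application.
    $spn = New-AzADServicePrincipal -DisplayName $Name
    $app = Get-AzADApplication -ApplicationId $spn.AppId

    # Federated credential: only GitHub-issued tokens whose issuer, audience and
    # subject match these values exactly will be exchanged for an Azure token.
    $FedCredential = @{
        ApplicationObjectId = $app.Id
        Audience            = @('api://AzureADTokenExchange')
        Issuer              = 'https://token.actions.githubusercontent.com'
        Name                = $FedCredentialName
        Subject             = $Subject
    }
    New-AzADAppFederatedCredential @FedCredential | Out-Null
    $spn
}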
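<#
.SYNOPSIS
Assigns a Microsoft Graph app role to the principal with administrative consent
.DESCRIPTION
Creates an appRoleAssignment on the service principal for a Microsoft Graph
app role by calling the Graph API directly; creating the assignment is what
records administrator consent for the role. The function is re-runnable: if
an identical assignment already exists, nothing is posted.
.PARAMETER PrincipalId
The object ID of the service principal associated with the application
.PARAMETER RoleId
The Microsoft Graph app role (application permission) ID to be applied
.OUTPUTS
None
#>
function Set-AzGraphConsentedRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [Guid]
        $PrincipalId,
        [Parameter(Mandatory = $true)]
        [Guid]
        $RoleId
    )

    # The resourceId of an appRoleAssignment is the object ID of the Microsoft
    # Graph service principal, which differs per tenant. Resolve it from the
    # well-known Graph application ID and fall back to the script constant only
    # when the lookup returns nothing.
    $graphSpn = Get-AzADServicePrincipal -ApplicationId $MicrosoftGraphApiId
    $resourceId = if ($graphSpn) { $graphSpn.Id } else { $MsGraphResourceId }

    $token = Get-AzAccessToken -ResourceTypeName MSGraph
    $headers = @{
        Authorization  = "Bearer $($token.Token)"
        'Content-Type' = 'application/json'
    }
    $assignmentsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$PrincipalId/appRoleAssignments"

    # Graph rejects a duplicate assignment with an error, so check first.
    $existing = Invoke-RestMethod -Method GET -Uri $assignmentsUri -Headers $headers
    $duplicate = @($existing.value) | Where-Object {
        $_.resourceId -eq $resourceId -and $_.appRoleId -eq $RoleId
    }
    if ($duplicate) {
        Write-Verbose "App role $RoleId is already assigned to principal $PrincipalId; nothing to do."
        return
    }

    $AdminConsent = @{
        Method  = 'POST'
        Uri     = $assignmentsUri
        Body    = @{
            principalId = $PrincipalId
            resourceId  = $resourceId
            appRoleId   = $RoleId
        } | ConvertTo-Json
        Headers = $headers
    }
    Invoke-RestMethod @AdminConsent | Out-Null
}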
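<#
.SYNOPSIS
Adds Directory Read All permissions to an application and grants consent.
.DESCRIPTION
Adds the Directory.Read.All Microsoft Graph application permission to the
application behind the given service principal, then records administrative
consent for it by creating the matching app role assignment. Each service
principal received from the pipeline is processed.
.PARAMETER ServicePrincipal
The service principal associated with the application. Accepts pipeline input.
.OUTPUTS
None
#>
function Set-GraphDirectoryReadAllPermissions {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            Position = 0,
            ValueFromPipeline = $true)]
        [Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphServicePrincipal]
        $ServicePrincipal
    )

    # ValueFromPipeline needs a process block; without one only the last object
    # piped in is handled.
    process {
        $app = Get-AzADApplication -ApplicationId $ServicePrincipal.AppId
        if (-not $app) {
            throw "No application found for service principal '$($ServicePrincipal.DisplayName)' (AppId $($ServicePrincipal.AppId))."
        }

        # Declare the permission on the application...
        $AppPermissions = @{
            ObjectId     = $app.Id
            ApiId        = $MicrosoftGraphApiId
            PermissionId = $DirectoryReadAllAppRoleId
            Type         = 'Role'
        }
        Add-AzADAppPermission @AppPermissions | Out-Null

        # ...then grant it: declaring a permission alone does not consent to it.
        $ConsentAssignment = @{
            PrincipalId = $ServicePrincipal.Id
            RoleId      = $DirectoryReadAllAppRoleId
        }
        Set-AzGraphConsentedRole @ConsentAssignment
    }
}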
# Public surface of the module; everything else stays private.
Export-ModuleMember -Function @(
    'New-GhAzOidcApplication',
    'Set-AzGraphConsentedRole',
    'Set-GraphDirectoryReadAllPermissions'
)