Azure AD RBAC - Create user, group, role and assign RBAC role with PowerShell
# Requires Azure Resource Manager and Azure Active Directory Cmdlets
# Install-Module AzureRM
# Install-Module AzureADPreview
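# Interactive sign-in to Azure Resource Manager; the Azure AD cmdlets reuse the
# same account but need an explicit tenant id.
Login-AzureRmAccount
# Get-AzureRmSubscription lists every subscription the account can see, so
# .TenantId is an array whenever there is more than one. Connect-AzureAD takes
# a single id, and silently picking one would create the test user (and its
# password) in an unintended tenant, so require exactly one distinct tenant.
$TenantIds = @((Get-AzureRmSubscription).TenantId | Select-Object -Unique)
if ($TenantIds.Count -ne 1) {
    throw "Expected exactly one Azure AD tenant, found $($TenantIds.Count); sign in scoped to one tenant (Login-AzureRmAccount -TenantId <id>) or pass the intended id to Connect-AzureAD directly."
}
$TenantId = $TenantIds[0]
Connect-AzureAD -TenantId $TenantId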
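$ResourceGroupName = "TestRG"
$Location = "westus2"
# Storage account names must be 3-24 lowercase letters/digits and globally
# unique: 19 random lowercase letters plus the "1a"/"1b" suffixes below give
# 21 characters. Get-Random draws without replacement, so no letter repeats;
# the name only needs to be unlikely to collide, not secret.
$Alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz'
$StorageAccountBaseName = -join (Get-Random -InputObject $Alphabet -Count 19)
# Refuse to run against a group that already exists: the cleanup at the end of
# this script deletes the whole resource group, and New-AzureRmResourceGroup
# would otherwise offer to adopt (update) a pre-existing "TestRG" together with
# whatever somebody else has in it.
if (Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue) {
    throw "Resource group '$ResourceGroupName' already exists; refusing to adopt it because it is deleted at the end of this script."
}
# Stop here if the group cannot be created; nothing has been provisioned yet,
# so there is nothing to clean up.
$ResourceGroup = New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location -ErrorAction Stop
# Both accounts share every setting except the name.
$StorageAccountArgs = @{
    ResourceGroupName = $ResourceGroup.ResourceGroupName
    Location          = $ResourceGroup.Location
    Kind              = 'Storage'
    SkuName           = 'Standard_LRS'
}
$StorageAccountA = New-AzureRmStorageAccount @StorageAccountArgs -Name "$($StorageAccountBaseName)1a"
$StorageAccountB = New-AzureRmStorageAccount @StorageAccountArgs -Name "$($StorageAccountBaseName)1b"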
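# Time the identity side (group, user, membership, custom role, assignment).
$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch
$StopWatch.Start()
$GroupName = "TestADGroup"
# Security group only, not mail-enabled; the API still requires a MailNickName,
# hence the placeholder value.
$ADGroup = New-AzureADGroup -DisplayName $GroupName -MailEnabled $False -SecurityEnabled $True -MailNickName "NotSet"
# Get-AzureADDomain returns every domain in the tenant, so .Name would be an
# array (and the UPN below malformed) when there is more than one. Use the
# tenant's default domain for the UPN suffix.
$Domain = (Get-AzureADDomain | Where-Object { $_.IsDefault } | Select-Object -First 1).Name
$UserName = "testStudent"
$UserPrincipalName = "$UserName@$Domain"
# Never hard-code the credential, even for a throwaway account: if the script
# dies before the cleanup at the end, the user stays enabled in the tenant with
# a known password. Build a random 16-character value containing at least one
# character from each class so it satisfies Azure AD's complexity rules, which
# also means the strong-password policy no longer needs to be disabled.
# Get-Random is not a CSPRNG; that is acceptable only because the account is
# deleted by this script and the value is never needed again (it is
# deliberately not printed).
$Lower   = 'abcdefghijklmnopqrstuvwxyz'
$Upper   = $Lower.ToUpper()
$Digits  = '0123456789'
$Symbols = '!@#$%^&*-_'
$Required = @($Lower, $Upper, $Digits, $Symbols) | ForEach-Object { Get-Random -InputObject $_.ToCharArray() }
$Filler   = Get-Random -InputObject ($Lower + $Upper + $Digits + $Symbols).ToCharArray() -Count 12
$Password = -join (Get-Random -InputObject @($Required + $Filler) -Count 16)
# Expiration is irrelevant for an account that lives for the duration of one
# script run; strong-password checking is left on.
$PasswordPolicy = "DisablePasswordExpiration"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $Password
# Nobody will ever log in as this user interactively, so no forced change.
$PasswordProfile.ForceChangePasswordNextLogin = $False
$PasswordProfile.EnforceChangePasswordPolicy = $False
$ADUser = New-AzureADUser -AccountEnabled $True -DisplayName $UserName -MailNickName $UserName -UserPrincipalName $UserPrincipalName `
-UserType "Member" -PasswordProfile $PasswordProfile -PasswordPolicies $PasswordPolicy
Add-AzureADGroupMember -ObjectId $ADGroup.ObjectId -RefObjectId $ADUser.ObjectId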
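# New-AzureRmRoleDefinition reads the definition from a file. Use a uniquely
# named temp file and delete it once the role exists: the file embeds the
# storage account resource id (subscription id included) and the original
# fixed "rbac.json" path was never removed.
$RbacFile = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName() + '.json')
# NOTE(review): "storageAccounts/listKeys/action" is not read-only. The account
# keys it returns grant full data-plane read AND write on the storage account,
# so the "Reader Storage" name and "read access" description understate what
# this role grants. Keep that line only if the demo really needs key access;
# otherwise drop it so the role is what its name says.
# AssignableScopes is pinned to storage account A only, so the role cannot be
# assigned at the resource group or subscription level.
@"
{
"Name": "Reader Storage",
"Id": null,
"IsCustom": true,
"Description": "Allows for read access to Azure storage",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/listKeys/action"
],
"NotActions": [
],
"AssignableScopes": [
"$($StorageAccountA.Id)"
]
}
"@ > $RbacFile
try {
    $RoleDefinition = New-AzureRmRoleDefinition -InputFile $RbacFile
}
finally {
    # Best-effort removal; the file is in the per-user TEMP directory.
    Remove-Item -Path $RbacFile -Force -ErrorAction SilentlyContinue
}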
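# The role is assigned to the user object, not to the group created above
# (the summary text printed later says "Group"; the object id used here is the
# user's).
$RoleTarget = $ADUser.ObjectId
# A principal created moments ago is presumably not yet visible to ARM, which
# is why the assignment is retried. Bound the retries: the original loop ran
# forever and also kept retrying on errors that can never succeed (bad scope,
# missing permission), leaving the enabled test user in the tenant.
$MaxAssignRoleAttempts = 60
$AssignRoleAttempt = 0
$RoleAssigned = $False
While ($AssignRoleAttempt -lt $MaxAssignRoleAttempts)
{
    $AssignRoleAttempt++
    Try
    {
        # -ErrorAction Stop turns the cmdlet's non-terminating error into an
        # exception so the Catch below sees it.
        New-AzureRmRoleAssignment -ObjectId $RoleTarget -RoleDefinitionId $RoleDefinition.Id -Scope $StorageAccountA.Id -ErrorAction "Stop"
        $RoleAssigned = $True
        Break
    }
    Catch
    {
        "Exception on assign role attempt #$AssignRoleAttempt"
        # The underlying reason is only shown with -Verbose so a transient
        # replication delay does not spam the console.
        Write-Verbose $_.Exception.Message
        Start-Sleep -Seconds 1
    }
}
if ($RoleAssigned) {
    "Assigned Role on attempt #$AssignRoleAttempt"
} else {
    # Fall through to the cleanup below rather than leaving the user, group and
    # role definition behind.
    Write-Warning "Role assignment failed after $AssignRoleAttempt attempts; continuing with cleanup."
}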
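$StopWatch.Stop()
# NOTE(review): the assignment above targets the user's object id, not the
# group's, so "Group Assigned to Role" here overstates what was done.
"AD Group Created, User Created, User Added to Group, Role Created, Group Assigned to Role in:"
$StopWatch.Elapsed.TotalSeconds
$StopWatch.Restart()
# Tear down in reverse order of creation. These cmdlets emit non-terminating
# errors, so one failure (for example an assignment that was never created)
# does not skip the rest of the cleanup.
Remove-AzureRmRoleAssignment -ObjectId $RoleTarget -RoleDefinitionId $RoleDefinition.Id -Scope $StorageAccountA.Id
Remove-AzureRmRoleDefinition -Id $RoleDefinition.Id -Force
Remove-AzureADUser -ObjectId $ADUser.ObjectId
Remove-AzureADGroup -ObjectId $ADGroup.ObjectId
$StopWatch.Stop()
"AD Group Removed, User Removed, Role Removed, Group Removed from Role in:"
$StopWatch.Elapsed.TotalSeconds
# Only delete the resource group when this run actually created it. An
# unconditional Remove-AzureRmResourceGroup -Name would wipe a pre-existing
# "TestRG" and everything in it even when the New-AzureRmResourceGroup call
# earlier in the script had failed.
if ($ResourceGroup) {
    Remove-AzureRmResourceGroup -Name $ResourceGroupName -Force
} else {
    Write-Warning "Resource group '$ResourceGroupName' was not created by this run; leaving it in place."
}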