Azure AD RBAC - Create user, group, role and assign RBAC role with PowerShell
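# Azure AD RBAC demo: create a security group, a user, a custom role scoped to
# one storage account and assign that role to the user, timing the set-up and
# the tear-down phases. All objects are temporary and removed at the end.
#
# Requires Azure Resource Manager and Azure Active Directory Cmdlets
#   Install-Module AzureRM
#   Install-Module AzureADPreview
# NOTE(review): AzureRM and AzureADPreview are retired module families; the
# logic below is kept on them as written, porting to Az / Microsoft.Graph is a
# separate change.
Login-AzureRmAccount
$TenantId = (Get-AzureRmSubscription).TenantId
Connect-AzureAD -TenantId $TenantId

$ResourceGroupName = "TestRG"
$Location = "westus2"
# Storage account names must be globally unique lowercase alphanumerics, so the
# base name is 19 random letters (a-z) with a short suffix added per account.
$StorageAccountBaseName = -join ((97..122) | Get-Random -Count 19 | ForEach-Object { [char]$_ })

# Everything created below is tracked in these variables so the Finally block
# can remove whatever actually got created if a step fails part-way through.
$ResourceGroup = $null
$StorageAccountA = $null
$ADGroup = $null
$ADUser = $null
$RoleDefinition = $null
$RoleTarget = $null
$RoleAssigned = $False
$RbacFile = Join-Path -Path $env:TEMP -ChildPath "rbac.json"
$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch

Try
{
    $ResourceGroup = New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location
    # Storage account A is the scope of the custom role; B is presumably there
    # only to sit outside that scope for the demo (it is otherwise unused).
    $StorageAccountA = New-AzureRmStorageAccount -ResourceGroupName $ResourceGroup.ResourceGroupName -Name "$($StorageAccountBaseName)1a" -Kind Storage -SkuName Standard_LRS -Location $ResourceGroup.Location
    $StorageAccountB = New-AzureRmStorageAccount -ResourceGroupName $ResourceGroup.ResourceGroupName -Name "$($StorageAccountBaseName)1b" -Kind Storage -SkuName Standard_LRS -Location $ResourceGroup.Location

    $StopWatch.Start()
    $GroupName = "TestADGroup"
    $ADGroup = New-AzureADGroup -DisplayName $GroupName -MailEnabled $False -SecurityEnabled $True -MailNickName "NotSet"

    $Domain = (Get-AzureADDomain).Name
    $UserName = "testStudent"
    $UserPrincipalName = "$UserName@$Domain"
    # Throw-away credential: nothing signs in as this account and it is deleted
    # at the end, so it gets a random value from a cryptographic RNG rather than
    # a fixed, guessable one. 24 random bytes -> 32 base64 characters.
    $PasswordBytes = New-Object -TypeName byte[] -ArgumentList 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($PasswordBytes)
    $Password = [Convert]::ToBase64String($PasswordBytes)
    # Policy kept as originally written; with a random password the
    # DisableStrongPassword flag is no longer needed and could be dropped.
    $PasswordPolicy = "DisablePasswordExpiration, DisableStrongPassword"
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.Password = $Password
    $PasswordProfile.ForceChangePasswordNextLogin = $False
    $PasswordProfile.EnforceChangePasswordPolicy = $False
    $ADUser = New-AzureADUser -AccountEnabled $True -DisplayName $UserName -MailNickName $UserName -UserPrincipalName $UserPrincipalName `
        -UserType "Member" -PasswordProfile $PasswordProfile -PasswordPolicies $PasswordPolicy
    Add-AzureADGroupMember -ObjectId $ADGroup.ObjectId -RefObjectId $ADUser.ObjectId

    # Build the custom role definition with ConvertTo-Json rather than a
    # hand-written here-string, so the scope id is always emitted as valid JSON.
    # "Id" is null because Azure assigns it on creation.
    $RoleDefinitionSpec = [ordered]@{
        Name             = "Reader Storage"
        Id               = $null
        IsCustom         = $True
        Description      = "Allows for read access to Azure storage"
        Actions          = @(
            "Microsoft.Storage/*/read",
            "Microsoft.Storage/storageAccounts/listKeys/action"
        )
        NotActions       = @()
        AssignableScopes = @($StorageAccountA.Id)
    }
    $RoleDefinitionSpec | ConvertTo-Json -Depth 3 | Out-File -FilePath $RbacFile
    $RoleDefinition = New-AzureRmRoleDefinition -InputFile $RbacFile

    # The assignment is retried on failure (presumably because the new
    # principal is not immediately visible to Resource Manager), but with an
    # upper bound so a permanent error cannot spin the script forever.
    $MaxAssignRoleAttempts = 30
    $RoleTarget = $ADUser.ObjectId
    $AssignRoleAttempt = 0
    While ($True)
    {
        $AssignRoleAttempt++
        Try
        {
            New-AzureRmRoleAssignment -ObjectId $RoleTarget -RoleDefinitionId $RoleDefinition.Id -Scope $StorageAccountA.Id -ErrorAction "Stop"
            $RoleAssigned = $True
            Break
        }
        Catch
        {
            "Exception on assign role attempt #$AssignRoleAttempt"
            If ($AssignRoleAttempt -ge $MaxAssignRoleAttempts)
            {
                Throw "Role assignment failed after $AssignRoleAttempt attempts: $($_.Exception.Message)"
            }
            Start-Sleep -Seconds 1
        }
    }
    "Assigned Role on attempt #$AssignRoleAttempt"
    $StopWatch.Stop()
    # The role is assigned to the user ($RoleTarget), not to the group.
    "AD Group Created, User Created, User Added to Group, Role Created, User Assigned to Role in:"
    $StopWatch.Elapsed.TotalSeconds
}
Finally
{
    # Tear down in reverse order of creation. Each step is guarded so that a
    # failure earlier in the script still removes whatever did get created.
    $StopWatch.Restart()
    If ($RoleAssigned)
    {
        Remove-AzureRmRoleAssignment -ObjectId $RoleTarget -RoleDefinitionId $RoleDefinition.Id -Scope $StorageAccountA.Id
    }
    If ($RoleDefinition)
    {
        Remove-AzureRmRoleDefinition -Id $RoleDefinition.Id -Force
    }
    If ($ADUser)
    {
        Remove-AzureADUser -ObjectId $ADUser.ObjectId
    }
    If ($ADGroup)
    {
        Remove-AzureADGroup -ObjectId $ADGroup.ObjectId
    }
    $StopWatch.Stop()
    "Role Assignment Removed, Role Removed, User Removed, AD Group Removed in:"
    $StopWatch.Elapsed.TotalSeconds
    If (Test-Path -Path $RbacFile)
    {
        Remove-Item -Path $RbacFile -Force
    }
    If ($ResourceGroup)
    {
        Remove-AzureRmResourceGroup -Name $ResourceGroupName -Force
    }
}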