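# Self-service PIM activation of one Azure AD directory role through the
# AzureADPreview PIM cmdlets (Get-/Open-AzureADMSPrivilegedRole*).
# Flow: sign in -> resolve the signed-in user -> resolve the role definition
# -> inspect the existing PIM assignment -> request a time-boxed Active
# assignment. The justification is stored on the request (it is what later
# appears in the PIM audit trail), so it is required before anything is sent.

# I use SPO Admin a lot, change it to your desired role
$roleToActivate = "SharePoint Administrator"
# default 2 hours, update it to your needs
$hours = 2

$reason = Read-Host "Justify your elevation"
if ([string]::IsNullOrWhiteSpace($reason)) {
    throw "A justification is required to request activation of $roleToActivate"
}

$connection = Connect-AzureAD
$tenantId = $connection.TenantId

# Resolve the user by the signed-in UPN instead of -SearchString: SearchString
# is a prefix match on display name / UPN and can return several users, which
# would turn $objectId into an array and silently break the filter below.
$user = Get-AzureADUser -ObjectId $connection.Account.Id
$objectId = $user.ObjectId

# Role definitions for the aadRoles provider are tenant-scoped: ResourceId is the tenant.
$roleDefs = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId
$roleDefinition = $roleDefs | Where-Object { $_.DisplayName -eq $roleToActivate }
if (-not $roleDefinition) {
    throw "No PIM role definition named '$roleToActivate' found in tenant $tenantId"
}
$roleDefinitionId = $roleDefinition.Id

# Both ids are GUIDs returned by the directory, not user input, so
# interpolating them into the OData filter is safe.
$filter = "(subjectId eq '$objectId') and (roleDefinitionId eq '$roleDefinitionId')"
$assignment = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId -Filter $filter

if (-not $assignment) {
    # Nothing to activate: the user is neither eligible for nor active in this role.
    Write-Error "There is no assignment for you as $roleToActivate"
} elseif ($assignment.AssignmentState -eq "Active") {
    # $assignment may hold both an Eligible and an Active entry; member
    # enumeration makes this branch fire if any entry is already Active.
    "Your role assignment as a $roleToActivate is already Active"
} else {
    # Time-box the activation: a one-off window starting now, expressed in UTC
    # in the format the API expects.
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $now = (Get-Date).ToUniversalTime()
    $schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    $schedule.EndDateTime = $now.AddHours($hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

    $request = Open-AzureADMSPrivilegedRoleAssignmentRequest `
        -ProviderId 'aadRoles' `
        -ResourceId $tenantId `
        -RoleDefinitionId $roleDefinitionId `
        -SubjectId $objectId `
        -Type 'UserAdd' `
        -AssignmentState 'Active' `
        -Schedule $schedule `
        -Reason $reason

    # The request is not necessarily granted on the spot (the role setting may
    # require approval or additional verification), so report the status the
    # service returned instead of asserting that the role is active.
    "Activation request for $roleToActivate submitted; status: $($request.Status)"
}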
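# Non-interactive variant: request activation of a PIM role using ids that
# were resolved once up front instead of looked up at run time.
# ResourceId is the tenant id, SubjectId the requesting user's object id and
# RoleDefinitionId the PIM role definition id (see the interactive script for
# how each is obtained).
Connect-AzureAD

# find your guids once and fill in the values
# NOTE: a generic Reason such as "Support" is what ends up in the PIM audit
# trail; a ticket/change reference makes the activation reviewable later.
$values = [PSCustomObject]@{
    Reason = "Support"
    Hours = 2
    ResourceId = "f7aa13e9-c03a-49f9-8fd4-c943d2612301"
    SubjectId = "cafc35f9-bf31-489a-b468-76580f780506"
    RoleDefinitionId = "9039a352-599b-4e09-8693-4a17eb83a73e"
}

# Fail fast on a stale or mistyped id rather than sending a request the
# service will reject with a less specific error.
foreach ($idName in 'ResourceId', 'SubjectId', 'RoleDefinitionId') {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse([string]$values.$idName, [ref]$parsed)) {
        throw "$idName is not a valid GUID: '$($values.$idName)'"
    }
}

# Time-box the activation: a one-off window starting now, expressed in UTC
# in the format the API expects.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$now = (Get-Date).ToUniversalTime()
$schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = $now.AddHours($values.Hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

$request = Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId 'aadRoles' `
    -ResourceId $values.ResourceId `
    -RoleDefinitionId $values.RoleDefinitionId `
    -SubjectId $values.SubjectId `
    -Type 'UserAdd' `
    -AssignmentState 'Active' `
    -Schedule $schedule `
    -Reason $values.Reason

# Surface the outcome: the request may be pending approval rather than
# granted, and the original script gave no feedback at all.
"Activation request submitted; status: $($request.Status)"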