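using namespace System.Net

# Azure Functions HTTP trigger (run.ps1).
#
# Grants, changes or revokes a Sites.Selected app permission for one client
# application on one SharePoint site. The SharePoint connection is made with
# an admin app whose certificate (base64 PFX) is read from Key Vault.
#
# Inputs, taken from the query string first and then from the JSON body:
#   ClientAppID  - application (client) id of the app being granted/revoked; GUID
#   SiteURL      - absolute https URL of the target site
#   Action       - GRANT or REVOKE (case-insensitive)
#   Permission   - READ or WRITE (case-insensitive); only used for GRANT
#   DisplayName  - display name recorded on the grant; only used for GRANT
#
# Output binding "Response":
#   200 with a text summary of what was done
#   400 when a required input is missing or malformed
#   500 when Key Vault / SharePoint calls fail (details go to the function log only)
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Tenant and admin-app identity used for the SharePoint connection.
$tenantPrefix = "M365x162783"; # replace with your tenant id TODO to replace
$adminAppId = "9a6f4c8a-e9cf-44fd-b3ad-4413ed66a2ce"; #admin-app TODO to replace
$tenantName = $tenantPrefix + ".onmicrosoft.com";
$spoTenantName = "https://" + $tenantPrefix + ".sharepoint.com";

# Reads one request parameter: query string wins, body is the fallback.
# Returns $null when the parameter is present in neither place.
function Get-RequestValue {
    param([string]$Name)
    $value = $Request.Query.$Name
    if (-not $value) {
        $value = $Request.Body.$Name
    }
    return $value
}

# Writes the HTTP response through the "Response" output binding.
function Send-Response {
    param([HttpStatusCode]$StatusCode, [string]$Body)
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = $StatusCode
        Body = $Body
    })
}

$ClientAppID = Get-RequestValue 'ClientAppID'
$SiteURL     = Get-RequestValue 'SiteURL'
$Action      = Get-RequestValue 'Action'
$Permission  = Get-RequestValue 'Permission'
$DisplayName = Get-RequestValue 'DisplayName'

# Validate everything before touching Key Vault or SharePoint. Previously a
# missing Action/Permission failed on .ToUpper() and surfaced as an opaque 500,
# and a missing ClientAppID/SiteURL was passed straight into the PnP cmdlets.
$validationErrors = @()

$parsedGuid = [guid]::Empty
if (-not $ClientAppID -or -not [guid]::TryParse([string]$ClientAppID, [ref]$parsedGuid)) {
    $validationErrors += "ClientAppID is required and must be a GUID."
}

$parsedUri = $null
if (-not $SiteURL -or
    -not [System.Uri]::TryCreate([string]$SiteURL, [System.UriKind]::Absolute, [ref]$parsedUri) -or
    $parsedUri.Scheme -ne 'https') {
    $validationErrors += "SiteURL is required and must be an absolute https URL."
}

# Normalise once; comparisons below are against the upper-cased values.
$Action = "$Action".ToUpperInvariant()
if ($Action -notin @('GRANT', 'REVOKE')) {
    $validationErrors += "Action must be GRANT or REVOKE."
}

$Permission = "$Permission".ToUpperInvariant()
if ($Action -eq 'GRANT' -and $Permission -notin @('READ', 'WRITE')) {
    $validationErrors += "Permission must be READ or WRITE when Action is GRANT."
}

if ($Action -eq 'GRANT' -and [string]::IsNullOrWhiteSpace($DisplayName)) {
    $validationErrors += "DisplayName is required when Action is GRANT."
}

if ($validationErrors.Count -gt 0) {
    Send-Response -StatusCode ([HttpStatusCode]::BadRequest) -Body ($validationErrors -join "`n")
    return
}

Write-Host "ClientAppID=$ClientAppID Action=$Action Permission=$Permission SiteURL=$SiteURL"

# Get the admin-app certificate (base64-encoded PFX) from the key vault.
$KeyVaultName = "sitesselectedkv"
$KeyVaultSecretName = "pnpSites-Selected"
$kvSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName
$certificateBase64Encode = '';
# Decode the SecureString via a BSTR that is zeroed immediately after use.
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($kvSecret.SecretValue)
try
{
    $certificateBase64Encode = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
}
finally
{
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
# $certificateBase64Encode is the private key material: never write it to the log stream.

# Splatted arguments for Connect-PnPOnline.
$HashArguments = @{
    Url = $spoTenantName
    ClientId = $adminAppId
    CertificateBase64Encoded = $certificateBase64Encode
    Tenant = $tenantName
}

$body = "`n`n"
$site2apply = $SiteURL
$clientAppId = $ClientAppID
# The PnP -Permissions parameter takes Read/Write; map from the validated input.
$permissionValue = if ($Permission -eq 'READ') { 'Read' } else { 'Write' }

try
{
    # -ErrorAction Stop on every cmdlet so failures reach the catch block
    # regardless of the host's $ErrorActionPreference.
    $RequestSitesConnection = Connect-PnPOnline @HashArguments -ReturnConnection -ErrorAction Stop
    Write-Host "RequestSitesConnection $RequestSitesConnection"

    $perms = Get-PnPAzureADAppSitePermission -Site $site2apply -AppIdentity $clientAppId -Connection $RequestSitesConnection -Verbose -ErrorAction Stop

    if ($Action -eq "REVOKE")
    {
        #### REVOKE
        if ($perms)
        {
            Revoke-PnPAzureADAppSitePermission -Site $site2apply -PermissionId $perms.Id -Connection $RequestSitesConnection -Force -Verbose -ErrorAction Stop
            $body += "REVOKED permissions for $site2apply for $DisplayName for ID = $clientAppId.`n`n"
        }
        else
        {
            $body += "Permission was never assigned for $site2apply on $clientAppId.`n`n"
        }
    }
    else
    {
        #### GRANT
        if (-not $perms)
        {
            # No permission exists yet: create one with the requested role.
            # The DisplayName is always the caller-supplied one (the WRITE branch used to pass the site URL).
            Grant-PnPAzureADAppSitePermission -DisplayName $DisplayName -AppId $clientAppId -Permissions $permissionValue -Site $site2apply -Verbose -Connection $RequestSitesConnection -ErrorAction Stop
            $body += "Granted ***$Permission*** permission for $site2apply for $DisplayName for ID = $clientAppId.`n`n"
        }
        else
        {
            # A permission already exists: change its role in place.
            Set-PnPAzureADAppSitePermission -Site $site2apply -PermissionId $perms.Id -Permissions $permissionValue -Connection $RequestSitesConnection -Verbose -ErrorAction Stop
            $body += "Using Set-PnPAzureADAppSitePermission changed as ***$Permission*** permission for $site2apply for $DisplayName for ID = $clientAppId.`n`n"
        }
    }
}
catch
{
    # Full error goes to the function log for operators; the caller gets a
    # generic message so cmdlet internals are not echoed back in the response.
    Write-Host "ERROR: $($_.Exception.Message)"
    Write-Host $_.ScriptStackTrace
    Send-Response -StatusCode ([HttpStatusCode]::InternalServerError) -Body "The request could not be completed; see the function log for details."
    return
}

Write-Host $body

# Associate values to output bindings by calling 'Push-OutputBinding'.
Send-Response -StatusCode ([HttpStatusCode]::OK) -Body $body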