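using namespace System.Net

# Azure Functions (PowerShell) HTTP trigger that grants, changes or revokes a
# Sites.Selected permission for one client app on one SharePoint site, acting
# as the tenant's admin app with a certificate read from Key Vault.
#
# Inputs (query string first, then JSON body):
#   ClientAppID  - application (client) id of the app being granted/revoked; must be a GUID.
#   SiteURL      - absolute https URL of the target site; must be on this tenant's SharePoint host.
#   Action       - "Grant" or "Revoke" (case-insensitive).
#   Permission   - "Read" or "Write"; required for Grant, ignored for Revoke.
#   DisplayName  - label stored with the permission; required for Grant.
# Returns 400 with a short reason when any input is invalid, otherwise 200 with a
# plain-text summary of what was done.
#
# NOTE(review): every request that reaches this code is executed with the admin
# app's tenant-wide identity; who may call it is decided by the function's auth
# level / EasyAuth configuration outside this file - confirm it is not anonymous.
#
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Tenant and admin app used for the SharePoint connection.
# NOTE(review): these are deployment-specific; app settings ($env:...) would avoid
# editing source per tenant, but the original expects them to be replaced here.
$tenantPrefix = "M365x162783"; # replace with your tenant id TODO to replace
$adminAppId = "9a6f4c8a-e9cf-44fd-b3ad-4413ed66a2ce"; #admin-app TODO to replace
$tenantName = $tenantPrefix + ".onmicrosoft.com";
$spoTenantName = "https://" + $tenantPrefix + ".sharepoint.com";

# Read one request parameter, preferring the query string over the body
# (same precedence as the original per-parameter lookups).
function Get-RequestValue([string]$Name) {
    $value = $Request.Query.$Name
    if (-not $value) {
        $value = $Request.Body.$Name
    }
    return $value
}

# Reject the request with 400 and a plain-text reason. The reason only ever
# describes the caller's own input, never the tenant, admin app or certificate.
function Send-BadRequest([string]$Reason) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode  = [HttpStatusCode]::BadRequest
        ContentType = 'text/plain; charset=utf-8'
        Body        = $Reason
    })
}

$ClientAppID = Get-RequestValue 'ClientAppID'
$SiteURL     = Get-RequestValue 'SiteURL'
$Action      = Get-RequestValue 'Action'
$Permission  = Get-RequestValue 'Permission'
$DisplayName = Get-RequestValue 'DisplayName'

# ---- input validation: all five values come from the caller and are untrusted ----

# The app id is passed straight into Grant/Get/Revoke; insist on a real GUID and
# use its canonical string form from here on.
$parsedAppId = [guid]::Empty
if (-not [guid]::TryParse([string]$ClientAppID, [ref]$parsedAppId)) {
    Send-BadRequest "ClientAppID must be a GUID."
    return
}
$clientAppId = $parsedAppId.ToString()

# Only sites on this tenant's SharePoint host may be targeted: the admin app's
# certificate must not be exercised against an arbitrary caller-supplied URL.
$siteUri = $null
if (-not [uri]::TryCreate([string]$SiteURL, [UriKind]::Absolute, [ref]$siteUri) -or
    $siteUri.Scheme -ne 'https' -or
    $siteUri.Host -ne ([uri]$spoTenantName).Host) {
    Send-BadRequest "SiteURL must be an https URL on $spoTenantName."
    return
}
$site2apply = $siteUri.AbsoluteUri

# Action is compared case-insensitively, as before, but a missing or unknown
# value is now a 400 instead of a null-method-call exception or a silent 200.
$actionUpper = ([string]$Action).ToUpperInvariant()
if ($actionUpper -notin @('GRANT', 'REVOKE')) {
    Send-BadRequest "Action must be Grant or Revoke."
    return
}

# Permission and DisplayName are only consumed on the Grant path.
$permissionUpper = ([string]$Permission).ToUpperInvariant()
if ($actionUpper -eq 'GRANT') {
    if ($permissionUpper -notin @('READ', 'WRITE')) {
        Send-BadRequest "Permission must be Read or Write."
        return
    }
    if ([string]::IsNullOrWhiteSpace([string]$DisplayName)) {
        Send-BadRequest "DisplayName is required when granting."
        return
    }
}

# Log the resolved, validated inputs (none of these are secrets).
Write-Host "Action=$actionUpper Site=$site2apply ClientAppId=$clientAppId Permission=$permissionUpper"

# ---- get the PFX secret from the key vault ----
$KeyVaultName = "sitesselectedkv"
$KeyVaultSecretName = "pnpSites-Selected"
$kvSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName
if (-not $kvSecret -or -not $kvSecret.SecretValue) {
    # Fail loudly rather than letting the BSTR conversion below throw on $null.
    throw "Key Vault secret '$KeyVaultSecretName' was not found in vault '$KeyVaultName'."
}
$certificateBase64Encode = '';
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($kvSecret.SecretValue)
try
{
    # Connect-PnPOnline needs the base64 PFX as a plain string; the unmanaged
    # copy is zeroed immediately, but the managed string itself cannot be.
    $certificateBase64Encode = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
}
finally
{
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
# Never log $certificateBase64Encode - it is the private key material.

# Using Splat to convert
$HashArguments = @{
    Url = $spoTenantName
    ClientId = $adminAppId
    CertificateBase64Encoded = $certificateBase64Encode
    Tenant = $tenantName
}
$RequestSitesConnection = Connect-PnPOnline @HashArguments -ReturnConnection
Write-Host "RequestSitesConnection $RequestSitesConnection"

$body = "`n`n"
try
{
    # Existing Sites.Selected grants for this app on this site (may be none, one or several).
    $perms = @(Get-PnPAzureADAppSitePermission -Site $site2apply -AppIdentity $clientAppId -Connection $RequestSitesConnection -Verbose)

    if ($actionUpper -eq 'REVOKE')
    {
        #### REVOKE
        if ($perms.Count -gt 0)
        {
            # Revoke each grant individually instead of passing a possibly multi-valued $perms.Id.
            foreach ($perm in $perms)
            {
                Revoke-PnPAzureADAppSitePermission -Site $site2apply -PermissionId $perm.Id -Connection $RequestSitesConnection -Force -Verbose
            }
            $body += "REVOKED permissions for $site2apply for $DisplayName for ID = $clientAppId.`n`n"
        }
        else
        {
            $body += "Permission was never assigned for $site2apply on $clientAppId.`n`n"
        }
    }
    else
    {
        # GRANT: $permissionUpper is already validated to be READ or WRITE.
        $permissionName = if ($permissionUpper -eq 'READ') { 'Read' } else { 'Write' }

        if ($perms.Count -eq 0)
        {
            # No grant exists yet, so create one with the requested role.
            # (The original passed the site URL as DisplayName on the Write path; both paths now use $DisplayName.)
            Grant-PnPAzureADAppSitePermission -DisplayName $DisplayName -AppId $clientAppId -Permissions $permissionName -Site $site2apply -Verbose -Connection $RequestSitesConnection
            $body += "Granted ***$permissionUpper*** permission for $site2apply for $DisplayName for ID = $clientAppId.`n`n"
        }
        else
        {
            # A grant already exists: change its role with Set rather than granting again.
            foreach ($perm in $perms)
            {
                Set-PnPAzureADAppSitePermission -Site $site2apply -PermissionId $perm.Id -Permissions $permissionName -Connection $RequestSitesConnection -Verbose
            }
            $body += "Using Set-PnPAzureADAppSitePermission changed as ***$permissionUpper*** permission for $site2apply for $DisplayName for ID = $clientAppId.`n`n"
        }
    }
}
finally
{
    # Drop the admin-app session even if a PnP cmdlet threw.
    Disconnect-PnPOnline -Connection $RequestSitesConnection
}

Write-Host $body

# Associate values to output bindings by calling 'Push-OutputBinding'.
# Explicit text/plain so the echoed DisplayName/SiteURL are never rendered as HTML.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode  = [HttpStatusCode]::OK
    ContentType = 'text/plain; charset=utf-8'
    Body        = $body
})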