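using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Tenant and app identity used for the certificate-based (app-only) PnP connection further down.
$tenantPrefix = "M365x162783"; # replace with your tenant id TODO to replace
$adminAppId = "03451a0d-fbfd-4cd5-8c87-7cb8e58894a3"; #admin-app TODO to replace
$tenantName = $tenantPrefix + ".onmicrosoft.com";
$spoTenantName = "https://" + $tenantPrefix + ".sharepoint.com";

# get the PFX secret (base64-encoded certificate) from the key vault
$KeyVaultName = "findsca-kv"
$KeyVaultSecretName = "findscakv"
$kvSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName
if (-not $kvSecret -or -not $kvSecret.SecretValue) {
    # Fail with a clear message here instead of a null-reference inside SecureStringToBSTR below.
    throw "Secret '$KeyVaultSecretName' was not found in key vault '$KeyVaultName'."
}
$certificateBase64Encode = '';
# Copy the SecureString into a plain string for Connect-PnPOnline; the BSTR is zeroed and freed even if the copy fails.
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($kvSecret.SecretValue)
try
{
    $certificateBase64Encode = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
}
finally
{
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
# From here on $certificateBase64Encode holds the PFX in clear text: keep it out of Write-Host / Write-Output.

# Interact with query parameters or the body of the request.
$siteURL2Process = $Request.Query.SiteURL
if (-not $siteURL2Process) {
    $siteURL2Process = $Request.Body.SiteURL
}
Write-Host "siteURL2Process = $siteURL2Process"

# SiteURL is caller-supplied and is handed to Connect-PnPOnline -Url below, so only accept an absolute
# https URL on this tenant's SharePoint host; anything else is answered with 400 before any connection is made.
$parsedSiteUrl = $null
$siteUrlIsValid = [System.Uri]::TryCreate([string]$siteURL2Process, [System.UriKind]::Absolute, [ref]$parsedSiteUrl)
if ($siteUrlIsValid) {
    $expectedHost = ([System.Uri]$spoTenantName).Host
    $siteUrlIsValid = ($parsedSiteUrl.Scheme -eq 'https') -and ($parsedSiteUrl.Host -eq $expectedHost)
}
if (-not $siteUrlIsValid) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body = "SiteURL must be an absolute https URL under $spoTenantName"
    })
    return
}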
function WriteExceptionInformation($AnItem)
{
    # Write the exception text of an error record ($PSItem) and its invocation details to the output stream.
    $exceptionDetails = @(
        $AnItem.Exception.Message,
        $AnItem.Exception.StackTrace,
        $AnItem.Exception.ScriptStackTrace
    )
    foreach ($detail in $exceptionDetails)
    {
        Write-Output $detail
    }
    Write-Output $AnItem.InvocationInfo | Format-List *
}
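function ExtractAddUserInfo ( $anUser, $claimsArray, $Connection = $null )
{
    # Resolve one site collection administrator entry ($anUser, as returned by Get-PnPSiteCollectionAdmin)
    # to the e-mail addresses behind it and append each one to $claimsArray as @{ "Claims" = <email> }:
    #   - a membership claim ("i:0#.f|membership|user@contoso.com") contributes its own address;
    #   - an M365 group claim (GUID suffixed with "_o") contributes the group owners' UPNs;
    #   - any other directory claim contributes the group members' UPNs.
    # $Connection is optional: when given it is passed to the PnP Graph cmdlets, otherwise they use
    # the current PnP connection. Returns nothing; errors are reported via WriteExceptionInformation.

    # Optional -Connection for the PnP cmdlets; an empty hashtable splats to nothing.
    $pnpConnectionArgs = @{}
    if ($null -ne $Connection)
    {
        $pnpConnectionArgs['Connection'] = $Connection
    }

    # Lower-case the address and append it. A null/empty UPN is skipped instead of aborting the whole
    # loop (calling .ToLower() on $null raises and would abandon the remaining members).
    function AddClaim($emailAddress)
    {
        $normalized = ([string]$emailAddress).ToLower()
        if ($normalized.Length -gt 0)
        {
            # ArrayList.Add returns the new index; discard it so this function does not emit integers.
            [void]$claimsArray.Add(@{ "Claims" = $normalized })
        }
    }

    # Third pipe-separated segment of a claim, e.g. the GUID in "c:0o.c|federateddirectoryclaimprovider|GUID".
    function GetClaimIdentifier($loginName)
    {
        $segments = ([string]$loginName).Split('|')
        if ($segments.Length -lt 3) { return $null }
        return $segments[2].Trim()
    }

    try
    {
        $loginName = [string]$anUser.LoginName
        # ignore following users
        #Id Title LoginName Email
        #-- ----- --------- -----
        # 8 Company Administrator c:0t.c|tenant|GUID
        if ($loginName.Contains("provisioning") -or $loginName.Contains("SHAREPOINT\system") -or $loginName.Contains("c:0t.c|tenant"))
        {
            return
        }

        if ($loginName.Contains("@"))
        {
            # i:0#.f|membership|joe.smith@contoso.com -> strip the claim prefix, keep the address.
            AddClaim ($loginName -replace "i:0#.f\|membership\|", "")
            return
        }

        $claimId = GetClaimIdentifier $loginName
        if ($null -eq $claimId)
        {
            # Not a "provider|type|id" claim: nothing to look up (the original indexing would have failed here).
            Write-Output " skipping unrecognised login name = $loginName"
            return
        }

        if ($loginName.Contains("_o"))
        {
            #LoginName Title
            #--------- -----
            #c:0o.c|federateddirectoryclaimprovider|GUID_o Site Provisioning Dev Owners
            # If there is an underscore 'o' that means it is a O365 Group; the GUID before the suffix identifies it.
            $grpID = $claimId -replace "_o$", ""
            $groupOwners = Get-PnPAzureADGroupOwner -Identity $grpID @pnpConnectionArgs
            foreach ($groupOwner in $groupOwners)
            {
                AddClaim $groupOwner.UserPrincipalName
            }#endGroupOwnersForeach
        }
        else
        {
            Write-Output " owner = $($anUser)"
            $roleMembers = Get-PnPAzureADGroupMember -Identity $claimId @pnpConnectionArgs
            foreach ($roleMember in $roleMembers)
            {
                AddClaim $roleMember.UserPrincipalName
            }#endRoleMembersForeach
        }
    }
    catch
    {
        WriteExceptionInformation ( $PSItem )
    }
}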
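# Using Splat to convert. $HashArguments carries the clear-text PFX (CertificateBase64Encoded):
# never write the hashtable itself to the log stream.
$HashArguments = @{
    Url                      = $siteURL2Process
    ClientId                 = $adminAppId
    CertificateBase64Encoded = $certificateBase64Encode
    Tenant                   = $tenantName
}

$body = New-Object System.Collections.ArrayList
$statusCode = [HttpStatusCode]::OK
$aSiteConn = $null
try
{
    Write-Output $("Connecting to {0}" -f $siteURL2Process);
    # Connect without -ReturnConnection so that this becomes the current PnP connection: the Graph cmdlets
    # inside ExtractAddUserInfo (Get-PnPAzureADGroupOwner / Get-PnPAzureADGroupMember) are called without
    # -Connection and fall back to the current one, which -ReturnConnection does not set.
    Connect-PnPOnline @HashArguments
    $aSiteConn = Get-PnPConnection
    Write-Output $("Connected to {0}" -f $siteURL2Process);
    Write-Output $("aSiteConn $aSiteConn")

    # @() so that .Count is well-defined for zero or one administrator.
    $allSCAs = @(Get-PnPSiteCollectionAdmin -Connection $aSiteConn)
    Write-Output $("Total SCAs count {0}" -f $allSCAs.Count)
    foreach ($anSCA in $allSCAs)
    {
        ExtractAddUserInfo -anUser $anSCA -claimsArray $body
    }
}
catch
{
    # Log the failure and answer 500 with an empty list, so that no connection details
    # (tenant, app id, certificate, exception text) reach the caller.
    WriteExceptionInformation ( $PSItem )
    $statusCode = [HttpStatusCode]::InternalServerError
    $body.Clear()
}
finally
{
    if ($null -ne $aSiteConn)
    {
        Disconnect-PnPOnline -Connection $aSiteConn
    }
}

# The caller receives the resolved administrator e-mail addresses; who may invoke this endpoint is decided
# by the function's authorization level / host configuration (not visible in this script).
$bodyJson = ConvertTo-Json $body
# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $statusCode
    Body = $bodyJson
    ContentType = 'application/json'
})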