Created
July 25, 2018 03:46
-
-
Save russcam/3c45e4f26600d2937eeee3711b112ef8 to your computer and use it in GitHub Desktop.
Creates a Service Principal within the Tenant of the selected Subscription
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param | |
| ( | |
| [Parameter(Mandatory=$true, HelpMessage="Provide a unique name for Service Principal")] | |
| [ValidateScript({if ($_ -match '^[a-zA-Z0-9\-_]{8,}$') { | |
| $true | |
| } else { | |
| throw "name must be a minimum 8 alphanumeric characters with no spaces. Hyphens and underscores also allowed" | |
| }})] | |
| [string] $name, | |
| [Parameter(Mandatory=$true, HelpMessage="Provide a password for Service Principal")] | |
| [ValidateScript({If (-not $_ -or $_.Length -lt 8) { | |
| throw "password must be a minimum 8 characters" | |
| } else { | |
| $true | |
| }})] | |
| [securestring] $password | |
| ) | |
| $azureRmModule = Get-Module -Name AzureRM* -ListAvailable | |
| if ([String]::IsNullOrEmpty($azureRmModule)) { | |
| Write-Error "Script requires AzureRM module. See https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-6.5.0" | |
| return | |
| } | |
| function Log($message) { | |
| Write-Host "[$(Get-Date -format 'u')] $message" -ForegroundColor Green | |
| } | |
| function Prompt-Custom($title, $optionValues, $optionDescriptions) { | |
| Write-Host $title | |
| Write-Host | |
| $a = @() | |
| for($i = 0; $i -lt $optionValues.Length; $i++) { | |
| Write-Host "$($i+1))" $optionDescriptions[$i] | |
| } | |
| Write-Host | |
| while($true) { | |
| Write-Host "Choose an option: " | |
| $option = Read-Host | |
| $option = $option -as [int] | |
| if($option -ge 1 -and $option -le $optionValues.Length) { | |
| return $optionValues[$option-1] | |
| } | |
| } | |
| } | |
| function Prompt-Subscription() { | |
| $subscriptions = Get-AzureRmSubscription | |
| $subscriptionId = "" | |
| if($subscriptions.Length -eq 0) { | |
| Write-Error "No subscriptions bound to this account." | |
| return | |
| } | |
| if($subscriptions.Length -eq 1) { | |
| $subscriptionId = $subscriptions[0].Id | |
| } | |
| else { | |
| $subscriptionChoices = @() | |
| $subscriptionValues = @() | |
| foreach($subscription in $subscriptions) { | |
| $subscriptionChoices += "$($subscription.Name) ($($subscription.Id))" | |
| $subscriptionValues += $subscription.Id; | |
| } | |
| $subscriptionId = Prompt-Custom "Choose a subscription" $subscriptionValues $subscriptionChoices | |
| } | |
| return $subscriptionId | |
| } | |
| function Prompt-Role() { | |
| $roles = Get-AzureRmRoleDefinition | |
| $roleChoices = @() | |
| $roleValues = @() | |
| foreach($role in $roles) { | |
| $roleChoices += "$($role.Name) ($($role.Description))" | |
| $roleValues += $role.Name; | |
| } | |
| Prompt-Custom "Choose a role" $roleValues $roleChoices | |
| } | |
| $ErrorActionPreference = "Stop" | |
| Write-Host "Please Login" | |
| Login-AzureRmAccount | Out-Null | |
| $subscriptionId = Prompt-Subscription | |
| $subscription = Select-AzureRmSubscription -SubscriptionId $subscriptionId | |
| $tenantId = $subscription.Tenant.TenantId | |
| $identifierUri = "http://$tenantId/$name" | |
| Log "Checking if identifier URI is unique ($identifierUri)" | |
| $existingApplication = Get-AzureRmADApplication -IdentifierUri $identifierUri | |
| if ($existingApplication -ne $null) { | |
| $applicationId = $existingApplication.ApplicationId | |
| Write-Error "An AAD Application already exists with URI $identifierUri (Application Id: $applicationId). Choose a different Service Principal name" | |
| return | |
| } | |
| Log "Creating new AAD application with URI $identifierUri" | |
| $azureAdApplication = New-AzureRmADApplication -DisplayName $name -HomePage $identifierUri -IdentifierUris $identifierUri -Password $password | |
| $applicationId = $azureAdApplication.ApplicationId | |
| Log "AAD application successfully created" | |
| Log "Creating a new Service Principal for AAD application" | |
| $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $applicationId | |
| $servicePrincipalName = $servicePrincipal.ServicePrincipalNames[0] | |
| Log "Service principal successfully created" | |
| while ($true) { | |
| Log "Waiting for Service Principal to be reflected in Directory" | |
| Start-Sleep 20 | |
| $check = Get-AzureRmADServicePrincipal -ServicePrincipalName $servicePrincipalName -ErrorAction Continue 2>&1 | ?{ $_ -match "error" } | |
| if (-not $check) { | |
| break | |
| } | |
| } | |
| $role = Prompt-Role | |
| Log "Assigning role $role to Service Principal" | |
| New-AzureRmRoleAssignment -RoleDefinitionName $role -ServicePrincipalName $applicationId | Out-Null | |
| Log "Role assignment completed successfully" | |
| Write-Output "`nCopy and Paste below values for Service Principal" | |
| Write-Output "***************************************************" | |
| Write-Output "Subscription Id: $subscriptionId" | |
| Write-Output "Tenant Id: $tenantId" | |
| Write-Output "Client Id: $applicationId" | |
| Write-Output "Client Secret: <password you provided>" | |
| Write-Output "***************************************************" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment