V1.7.1 add approval management for groups
kayasax committed Oct 7, 2024
1 parent 05f236e commit 1f619b5
Showing 4 changed files with 234 additions and 1 deletion.
5 changes: 4 additions & 1 deletion EasyPIM/EasyPIM.psd1
Expand Up @@ -100,7 +100,10 @@ FunctionsToExport = @(
'Deny-PIMAzureResourcePendingApproval',
'Get-PIMEntraRolePendingApproval',
'Approve-PIMEntraRolePendingApproval',
'Deny-PIMEntraRolePendingApproval'
'Deny-PIMEntraRolePendingApproval',
'Get-PIMGroupPendingApproval',
'Approve-PIMGroupPendingApproval',
'Deny-PIMGroupPendingApproval'
)

# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
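--- a/EasyPIM/functions/Approve-PIMGroupPendingApproval.ps1
+++ b/EasyPIM/functions/Approve-PIMGroupPendingApproval.ps1
@@ -0,0 +1,71 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Approve-PIMGroupPendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
+.PARAMETER approvalID
+approval ID from get-PIMAzureResourcePendingApproval
+.PARAMETER justification
+justification for the approval
+.Example
+PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
+Approve a pending request
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Approve-PIMGroupPendingApproval {
+[CmdletBinding()]
+[OutputType([String])]
+param (
+
+[Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $true)]
+[System.String]
+# Approval ID
+$approvalID,
+
+[Parameter(Position = 1, Mandatory = $true)]
+[System.String]
+# justification
+$justification
+
+)
+process {
+try {
+#$script:tenantID = $tenantID
+
+Write-Verbose "approve-PIMGroupPendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
+
+#Get the stages:
+#in groups stageID is the same as the approvalID
+
+
+#approve the request
+#https://learn.microsoft.com/en-us/graph/api/approvalstage-update?view=graph-rest-1.0&tabs=http
+
+$body = '{"justification":"' + $justification + '","reviewResult":"Approve"}'
+Invoke-graph -endpoint "identityGovernance/privilegedAccess/group/assignmentApprovals/$approvalID/steps/$approvalID" -body $body -version "beta" -Method PATCH
+return "Success, request approved"
+
+}
+catch {
+MyCatch $_
+}
+}
+}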
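Review bot: The request body on the `$body = '{"justification":"' + $justification + '","reviewResult":"Approve"}'` line is built by string concatenation, so a justification containing a double quote or backslash yields malformed JSON and lets additional fields be spliced into the payload; `$body = @{ justification = $justification; reviewResult = 'Approve' } | ConvertTo-Json -Compress` produces a correctly escaped document. The same concatenation appears in the Deny-PIMGroupPendingApproval hunk with `"Deny"`. `return "Success, request approved"` is reached no matter what `Invoke-graph` returns, so unless that helper throws on a non-success response (it is outside this commit) a rejected PATCH is reported as success. The comment-based help is copied from the Azure-resource cmdlets: `.Description` reads `Approve-PIMGroupPendingApprovall`, `.PARAMETER approvalID` points at `get-PIMAzureResourcePendingApproval` and `.Example` invokes `approve-PIMAzureResourcePendingApproval`; the Group cmdlet names belong there, and the Deny file's help carries the same copies.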
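--- a/EasyPIM/functions/Deny-PIMGroupPendingApproval.ps1
+++ b/EasyPIM/functions/Deny-PIMGroupPendingApproval.ps1
@@ -0,0 +1,71 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Deny-PIMGroupPendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
+.PARAMETER approvalID
+approval ID from get-PIMAzureResourcePendingApproval
+.PARAMETER justification
+justification for the approval
+.Example
+PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I Deny this request"
+Deny a pending request
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Deny-PIMGroupPendingApproval {
+[CmdletBinding()]
+[OutputType([String])]
+param (
+
+[Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $true)]
+[System.String]
+# Approval ID
+$approvalID,
+
+[Parameter(Position = 1, Mandatory = $true)]
+[System.String]
+# justification
+$justification
+
+)
+process {
+try {
+#$script:tenantID = $tenantID
+
+Write-Verbose "Deny-PIMGroupPendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
+
+#Get the stages:
+#in groups stageID is the same as the approvalID
+
+
+#Deny the request
+#https://learn.microsoft.com/en-us/graph/api/approvalstage-update?view=graph-rest-1.0&tabs=http
+
+$body = '{"justification":"' + $justification + '","reviewResult":"Deny"}'
+Invoke-graph -endpoint "identityGovernance/privilegedAccess/group/assignmentApprovals/$approvalID/steps/$approvalID" -body $body -version "beta" -Method PATCH
+return "Success, request Denied"
+
+}
+catch {
+MyCatch $_
+}
+}
+}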
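--- a/EasyPIM/functions/Get-PIMGroupPendingApproval.ps1
+++ b/EasyPIM/functions/Get-PIMGroupPendingApproval.ps1
@@ -0,0 +1,88 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Get-PIMGroupPendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
+.PARAMETER tenantID
+Tenant ID
+.Example
+PS> Get-PIMGroupPendingApproval -tenantID $tenantID
+show pending request you can approve
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Get-PIMGroupPendingApproval{
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
+[CmdletBinding()]
+param (
+
+[Parameter(Position = 0, Mandatory = $true)]
+[System.String]
+# Tenant ID
+$tenantID
+
+)
+try {
+$script:tenantID = $tenantID
+
+Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID"
+
+$endpoint="identityGovernance/privilegedAccess/group/assignmentScheduleRequests/filterByCurrentUser(on='approver')?`$filter=status eq 'PendingApproval'"
+$response = Invoke-Graph -Endpoint $endpoint -Method "GET"
+
+$out = @()
+
+$pendingApproval = $response.value
+
+if ($null -ne $pendingApproval) {
+$pendingApproval | ForEach-Object {
+$details=invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests/"+$_.id) -Method get
+#$details
+$principalDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$details.Principalid+"/") -Method get
+$groupDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$details.Groupid+"/") -Method get
+
+
+$request = @{
+"principalId" = $details.Principalid;
+"principalDisplayname" = $principalDisplayName.displayName;
+"groupId" = $details.groupId;
+"groupDisplayname" = $groupDisplayName.displayName;
+"role" = $details.AccessID;
+"status" = $details.status;
+"startDateTime" = $details.CreatedDateTime;
+"ticketInfo" = $details.ticketInfo;
+"justification" = $details.justification;
+"approvalId" = $details.approvalId;
+"createdOn" = $details.createdDateTime;
+}
+$o = New-Object -TypeName PSObject -Property $request
+$out += $o
+}
+}
+if ($out.length -eq 0) {
+#write-host "No pending approval"
+return $null
+}
+return $out
+
+}
+catch {
+MyCatch $_
+}
+
+}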
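Review bot: The three `invoke-mgGraphRequest` calls inside the ForEach-Object hard-code `https://graph.microsoft.com/v1.0/`, while the pending-request query just above goes through the module's `Invoke-Graph` helper; whatever that helper does with the Graph host, API version or the `$script:tenantID` assigned at the top of the try block is bypassed for the detail and display-name lookups (the helper is outside this commit, so this is inferred). Routing them the same way, e.g. `$details = Invoke-Graph -Endpoint "identityGovernance/privilegedAccess/group/assignmentScheduleRequests/$($_.id)" -Method "GET"`, keeps the file on one code path. The verbose message names the wrong cmdlet; it should read `Write-Verbose "Get-PIMGroupPendingApproval start with parameters: tenantID => $tenantID"`. `$out += $o` reallocates the array on every iteration; a `[System.Collections.Generic.List[object]]` with `.Add($o)` avoids that, with the later `$out.length -eq 0` check becoming `$out.Count -eq 0`.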
