Merge pull request #64 from kayasax/Approval
Approval
kayasax authored Sep 16, 2024
2 parents edcea23 + 87d7b2e commit 520fc44
Showing 8 changed files with 470 additions and 2 deletions.
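--- a/EasyPIM/EasyPIM.psd1
+++ b/EasyPIM/EasyPIM.psd1
@@ -94,7 +94,13 @@ FunctionsToExport = @(
 'New-PIMGroupEligibleAssignment',
 'Remove-PIMGroupActiveAssignment',
 'Remove-PIMGroupEligibleAssignment',
-'Show-PIMReport'
+'Show-PIMReport',
+'Get-PIMAzureResourcePendingApproval',
+'Approve-PIMAzureResourcePendingApproval',
+'Deny-PIMAzureResourcePendingApproval',
+'Get-PIMEntraRolePendingApproval',
+'Approve-PIMEntraRolePendingApproval',
+'Deny-PIMEntraRolePendingApproval'
 )
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.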
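--- a/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1
+++ b/EasyPIM/functions/Approve-PIMAzureResourcePendingApproval.ps1
@@ -0,0 +1,74 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Get-PIMAzureResourcePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
+.PARAMETER approvalID
+approval ID from get-PIMAzureResourcePendingApproval
+.PARAMETER justification
+justification for the approval
+.Example
+PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
+Approve a pending request
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Approve-PIMAzureResourcePendingApproval {
+[CmdletBinding()]
+[OutputType([String])]
+param (
+
+[Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $true)]
+[System.String]
+# Tenant ID
+$approvalID,
+
+[Parameter(Position = 1, Mandatory = $true)]
+[System.String]
+# justification
+$justification
+
+)
+process{
+try {
+$script:tenantID = $tenantID
+
+Write-Verbose "approve-PIMAzureResourcePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
+
+#Get the stages:
+#Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
+$stages=Invoke-AzRestMethod -Uri "https://management.azure.com/$approvalID/stages?api-version=2021-01-01-preview" -Method GET
+
+$stageid=($stages.Content | convertfrom-json).value.id
+
+#approve the request
+#Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn
+
+$body='{"properties":{"justification":"'+$justification+'","reviewResult":"Approve"}}'
+
+Invoke-AzRestMethod -Uri "https://management.azure.com/$stageid/?api-version=2021-01-01-preview" -Payload $body -Method PUT
+return "Success, request approved"
+
+}
+catch {
+MyCatch $_
+}
+}
+}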
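Review bot: The request body on the `$body=` line is built by concatenating `$justification` into a JSON literal, so a justification containing a double quote or backslash produces malformed JSON or changes the structure of the payload sent to the approval endpoint, including the `reviewResult` field that follows it. Build the body from a hashtable so the value is escaped: `$body = @{ properties = @{ justification = $justification; reviewResult = "Approve" } } | ConvertTo-Json -Compress`. The same concatenation appears in Approve-PIMEntraRolePendingApproval.ps1, Deny-PIMAzureResourcePendingApproval.ps1 and Deny-PIMEntraRolePendingApproval.ps1 and should be changed the same way, without the `properties` wrapper in the two Entra cmdlets.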
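--- a/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1
+++ b/EasyPIM/functions/Approve-PIMEntraRolePendingApproval.ps1
@@ -0,0 +1,74 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Approve-PIMEntraRolePendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
+.PARAMETER approvalID
+approval ID from get-PIMAzureResourcePendingApproval
+.PARAMETER justification
+justification for the approval
+.Example
+PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
+Approve a pending request
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Approve-PIMEntraRolePendingApproval {
+[CmdletBinding()]
+[OutputType([String])]
+param (
+
+[Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $true)]
+[System.String]
+# Approval ID
+$approvalID,
+
+[Parameter(Position = 1, Mandatory = $true)]
+[System.String]
+# justification
+$justification
+
+)
+process {
+try {
+#$script:tenantID = $tenantID
+
+Write-Verbose "approve-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
+
+#Get the stages:
+#Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
+$stages = Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/" -Method GET -version "beta"
+
+$stageid = $stages.id
+
+#approve the request
+#Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn
+
+$body = '{"justification":"' + $justification + '","reviewResult":"Approve"}'
+
+Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" -Method PATCH
+return "Success, request approved"
+
+}
+catch {
+MyCatch $_
+}
+}
+}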
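Review bot: `$stageid = $stages.id` takes the `id` of the approval object returned by the GET on `roleAssignmentApprovals/$approvalID/`, although the comment above it says it gets the stages, and that value is then used unchecked as the step id in the PATCH. If the GET returns nothing, or the step id differs from the approval id, the PATCH goes to `.../steps/` with an empty or wrong id; whether `Invoke-graph` throws in that case is not visible here, and the function returns "Success, request approved" either way. I would add a guard before the PATCH, `if (-not $stageid) { throw "No approval step found for $approvalID" }`, and a comment stating that the approval id is assumed to equal the step id if that is the intent. The same lookup is used in Deny-PIMEntraRolePendingApproval.ps1.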
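--- a/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1
+++ b/EasyPIM/functions/Deny-PIMAzureResourcePendingApproval.ps1
@@ -0,0 +1,73 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Deny-PIMAzureResourcePendingApproval will deny request
+.PARAMETER approvalID
+approval ID from get-PIMAzureResourcePendingApproval
+.PARAMETER justification
+justification for the deny
+.Example
+PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "You don't need this role"
+Deny a pending request
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Deny-PIMAzureResourcePendingApproval {
+[CmdletBinding()]
+[OutputType([String])]
+param (
+[Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $true)]
+[System.String]
+# Tenant ID
+$approvalID,
+
+[Parameter(Position = 1, Mandatory = $true)]
+[System.String]
+# justification
+$justification
+
+)
+process{
+try {
+$script:tenantID = $tenantID
+
+Write-Verbose "approve-PIMAzureResourcePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
+
+#Get the stages:
+#Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
+$stages = Invoke-AzRestMethod -Uri "https://management.azure.com/$approvalID/stages?api-version=2021-01-01-preview" -Method GET
+
+$stageid = ($stages.Content | convertfrom-json).value.id
+
+#approve the request
+#Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn
+
+$body = '{"properties":{"justification":"' + $justification + '","reviewResult":"Deny"}}'
+
+Invoke-AzRestMethod -Uri "https://management.azure.com/$stageid/?api-version=2021-01-01-preview" -Payload $body -Method PUT
+return "Success, request denied"
+
+}
+catch {
+MyCatch $_
+}
+
+}}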
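Review bot: The function returns "Success, request denied" unconditionally after the PUT, but `Invoke-AzRestMethod` reports an HTTP failure through the `StatusCode` of the object it returns rather than by throwing, so a 4xx or 5xx response leaves the request pending while the caller is told it was denied. Capture and check the response, `$response = Invoke-AzRestMethod -Uri ... -Payload $body -Method PUT` followed by `if ($response.StatusCode -ge 400) { throw "Deny failed: $($response.StatusCode) $($response.Content)" }`, and apply the same check to the GET that fetches the stages. Assigning the result also stops the response object from being written to the pipeline ahead of the string, which does not match `[OutputType([String])]`. Approve-PIMAzureResourcePendingApproval.ps1 has the same flow and needs the same check.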
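--- a/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1
+++ b/EasyPIM/functions/Deny-PIMEntraRolePendingApproval.ps1
@@ -0,0 +1,74 @@
+<#
+.Synopsis
+EASYPIM
+Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
+Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
+Support querrying multi roles at once
+.Description
+Deny-PIMEntraRolePendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
+.PARAMETER approvalID
+approval ID from get-PIMAzureResourcePendingApproval
+.PARAMETER justification
+justification for the approval
+.Example
+PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I Deny this request"
+Deny a pending request
+.Link
+.Notes
+Homepage: https://github.com/kayasax/easyPIM
+Author: MICHEL, Loic
+Changelog:
+Todo:
+* allow other scopes
+#>
+function Deny-PIMEntraRolePendingApproval {
+[CmdletBinding()]
+[OutputType([String])]
+param (
+
+[Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $true)]
+[System.String]
+# Approval ID
+$approvalID,
+
+[Parameter(Position = 1, Mandatory = $true)]
+[System.String]
+# justification
+$justification
+
+)
+process{
+try {
+#$script:tenantID = $tenantID
+
+Write-Verbose "Deny-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
+
+#Get the stages:
+#Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
+$stages=Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/" -Method GET -version "beta"
+
+$stageid=$stages.id
+
+#Deny the request
+#Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn
+
+$body='{"justification":"'+$justification+'","reviewResult":"Deny"}'
+
+Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" -Method PATCH
+return "Success, request Denyd"
+
+}
+catch {
+MyCatch $_
+}
+
+}}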
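Review bot: The comment-based help does not describe this cmdlet: `.Synopsis` talks about Get-PIMEntraRolePolicy, `.Description` says it will "retrieve the requests pending your approval", `.PARAMETER justification` reads "justification for the approval", and `.Example` calls `Deny-PIMAzureResourcePendingApproval`. Because this command decides a privileged role request, the help should say so: change the description to `Deny-PIMEntraRolePendingApproval denies an Entra role request that is pending your approval`, point `.PARAMETER approvalID` at `Get-PIMEntraRolePendingApproval`, and use this cmdlet's own name in the example. The return string `"Success, request Denyd"` should read `"Success, request denied"`, as in the Azure variant.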