functions/func-managedid.ps1

function M365cdeMIDgraph(){
    # Interactive menu: grants Microsoft Graph application permissions (app roles) to the
    # Managed Identity whose object ID is held in $AutomationAccountMId (read from an outer
    # scope; populated via option s or m). Every branch re-enters a menu function, so this
    # call does not return in normal use.
    Clear-Host
    # Prompt text is kept verbatim; the trailing backtick on the first line is part of the literal.
    $menuText = "Please select an option `
--------------------------------------------------
s Select Automation Account
m Manually set Managed Identity Object ID
--------------------------------------------------
1 Add Scope 'User.Read.All'
2 Add Scope 'User.ReadWrite.All'
3 Add Scope 'Group.Read.All'
4 Add Scope 'Group.ReadWrite.All'
5 Add Scope 'UserAuthenticationMethod.Read.All'
6 Add Scope 'AuditLog.Read.All'
7 Add Scope 'Policy.ReadWrite.ConditionalAccess'
8 Add Scope 'Mail.Send'
--------------------------------------------------
c Custom scope
--------------------------------------------------
e Exchange Online configurations
--------------------------------------------------
 
b ...back to main menu
 
Select"
    $choice = Read-Host $menuText
    switch ($choice) {
        's' { az_automation_set -breadcrumb M365cdeMIDgraph }
        'm' { managedid_define }
        '1' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'User.Read.All' }
        '2' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'User.ReadWrite.All' }
        '3' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'Group.Read.All' }
        '4' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'Group.ReadWrite.All' }
        '5' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'UserAuthenticationMethod.Read.All' }
        '6' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'AuditLog.Read.All' }
        '7' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'Policy.ReadWrite.ConditionalAccess' }
        '8' { funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope 'Mail.Send' }
        'c' { managedid_custom }
        'e' { M365cdeMIDexo }
        'b' { M365cdeAAASetup }
        # Unknown input: redraw this menu.
        default { M365cdeMIDgraph }
    }
}

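#######################################
# Assigns a Microsoft Graph application permission (app role) to a Managed Identity.
# Graph is resolved through its well-known AppId 00000003-0000-0000-c000-000000000000.
# Idempotent: an already-present assignment is reported, not duplicated, and the
# result is re-read after creation so the success message reflects tenant state.
# Parameters:
#   ManagedIdentityID - object ID of the service principal receiving the app role
#   GraphScope        - app role value, e.g. 'User.Read.All'
# Side effects: creates an app role assignment in the tenant; writes output/warnings
#   to the host; always re-enters the M365cdeMIDgraph menu afterwards.
#######################################
function funcGraphScopeAssignment() {
    param (
        $ManagedIdentityID,
        $GraphScope
    )

    # Validate the parameter that was actually passed (not the outer-scope variable),
    # so a direct call with an empty/whitespace ID is caught as well.
    if ([string]::IsNullOrWhiteSpace($ManagedIdentityID)) {
        Write-Warning "`nManaged Identity Object ID is not defined!`n`nDefine it via the options s (from a existing Automation Account) or m (manually) and try it again!"
        Start-Sleep -Seconds 5
        M365cdeMIDgraph
        return   # do not fall through into a second menu entry below
    }

    $AppGraph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    # App role values are matched exactly; GraphScope is never interpolated into the OData filter.
    $AppRole = $AppGraph.AppRoles | Where-Object { $_.Value -eq $GraphScope }

    if (-not $AppRole) {
        Write-Warning "No App Role found for scope '$GraphScope'"
    }
    else {
        # Same predicate is used before and after creation.
        $matchesRole = { $_.ResourceId -eq $AppGraph.Id -and $_.AppRoleId -eq $AppRole.Id }
        $existingAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityID | Where-Object -FilterScript $matchesRole

        if ($existingAppRole) {
            Write-Warning "The scope '$GraphScope' is already assigned"
        }
        else {
            $null = New-MgServicePrincipalAppRoleAssignment -PrincipalId $ManagedIdentityID -ServicePrincipalId $ManagedIdentityID -ResourceId $AppGraph.Id -AppRoleId $AppRole.Id
            # Re-read rather than trusting the call: report what the tenant now shows.
            $existingAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityID | Where-Object -FilterScript $matchesRole
            if ($existingAppRole) { Write-Output "The scope '$GraphScope' has been assigned" }
            else { Write-Warning "The scope '$GraphScope' could not be assigned" }
        }
    }

    Start-Sleep -Seconds 3
    M365cdeMIDgraph
}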

function managedid_define(){
            # Prompts for a Managed Identity object ID and stores it in $AutomationAccountMId.
            # NOTE(review): this assignment creates a function-local variable, not a script/global
            # one. The menu functions called from here see it only because they run nested inside
            # this scope; if a caller ever returns out of this function the value is lost — confirm
            # whether $script:AutomationAccountMId is intended.
            $AutomationAccountMId = Read-Host "Enter the Object ID of your Managed Identity"
            Write-Output "Managed Identity ID is set to: $AutomationAccountMId"
            # Pause until Enter is pressed (the entered text is also emitted to the pipeline).
            (Read-Host '
Press Enter to continue…'
)
            # Re-enter the Graph permissions menu with the new ID visible in scope.
            M365cdeMIDgraph
}

function managedid_custom(){
    # Prompts for an arbitrary Graph app role value and delegates to funcGraphScopeAssignment.
    # funcGraphScopeAssignment re-enters the Graph menu itself, so the pause and menu call
    # below are only reached if that nested call unwinds.
    $requestedScope = Read-Host "Enter the Scope-Name (e.g. 'User.Read.All')"
    funcGraphScopeAssignment -ManagedIdentityID $AutomationAccountMId -GraphScope $requestedScope
    Read-Host '
Press Enter to continue…'
    M365cdeMIDgraph
}


function M365cdeMIDexo(){
    # Interactive menu: grants Exchange Online app roles or Entra directory roles to the
    # Managed Identity held in $AutomationAccountMId (outer scope). Every branch re-enters
    # a menu function, so this call does not return in normal use.
    Clear-Host
    # Prompt text is kept verbatim; the trailing backtick on the first line is part of the literal.
    $menuText = "Please select an option `
--------------------------------------------------
1 Add Scope 'Exchange.ManageAsApp'
2 Add Scope 'MailboxSettings.ReadWrite'
cs Add custom Exchange Scope
--------------------------------------------------
3 Add Role 'Exchange Recipient Administrator'
4 Add Role 'Exchange Administrator'
cr Add custom Exchange Role
--------------------------------------------------
 
b ...back to previous menu
 
Select"
    $choice = Read-Host $menuText
    switch ($choice) {
        '1'  { funcExchangeScopeAssignment -ManagedIdentityID $AutomationAccountMId -ExchangeScope 'Exchange.ManageAsApp' }
        '2'  { funcExchangeScopeAssignment -ManagedIdentityID $AutomationAccountMId -ExchangeScope 'MailboxSettings.ReadWrite' }
        '3'  { funcEntraRoleAssignment -ManagedIdentityID $AutomationAccountMId -EntraRole 'Exchange Recipient Administrator' }
        '4'  { funcEntraRoleAssignment -ManagedIdentityID $AutomationAccountMId -EntraRole 'Exchange Administrator' }
        'cs' { managedid_customexchangescope }
        'cr' { managedid_customexchangerole }
        'b'  { M365cdeMIDgraph }
        # Unknown input: redraw this menu.
        default { M365cdeMIDexo }
    }
}

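#######################################
# Assigns an Exchange Online application permission (app role) to a Managed Identity.
# Exchange Online is resolved through its well-known AppId 00000002-0000-0ff1-ce00-000000000000.
# Idempotent: an already-present assignment is reported, not duplicated, and the result
# is re-read after creation (same contract as funcGraphScopeAssignment).
# Parameters:
#   ManagedIdentityID - object ID of the service principal receiving the app role
#   ExchangeScope     - app role value, e.g. 'Exchange.ManageAsApp'
# Side effects: creates an app role assignment in the tenant; writes output/warnings
#   to the host; re-enters M365cdeMIDexo (or M365cdeMIDgraph when the ID is missing).
#######################################
function funcExchangeScopeAssignment() {
    param (
        $ManagedIdentityID,
        $ExchangeScope
    )

    # Validate the parameter that was actually passed, not the outer-scope variable.
    if ([string]::IsNullOrWhiteSpace($ManagedIdentityID)) {
        # The s/m options that define the ID live in the Graph menu.
        Write-Warning "`nManaged Identity Object ID is not defined!`n`nDefine it via the options s (from a existing Automation Account) or m (manually) and try it again!"
        Start-Sleep -Seconds 5
        M365cdeMIDgraph
        return   # do not fall through into a second menu entry below
    }

    $AppGraph = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
    # Exact match on the app role value; ExchangeScope is never interpolated into the OData filter.
    $AppRole = $AppGraph.AppRoles | Where-Object { $_.Value -eq $ExchangeScope }

    if (-not $AppRole) {
        Write-Warning "No App Role found for scope '$ExchangeScope'"
    }
    else {
        $matchesRole = { $_.ResourceId -eq $AppGraph.Id -and $_.AppRoleId -eq $AppRole.Id }
        $existingAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityID | Where-Object -FilterScript $matchesRole

        if ($existingAppRole) {
            Write-Warning "The scope '$ExchangeScope' is already assigned"
        }
        else {
            $null = New-MgServicePrincipalAppRoleAssignment -PrincipalId $ManagedIdentityID -ServicePrincipalId $ManagedIdentityID -ResourceId $AppGraph.Id -AppRoleId $AppRole.Id
            # Re-read so the success message reflects what the tenant actually shows.
            $existingAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityID | Where-Object -FilterScript $matchesRole
            if ($existingAppRole) { Write-Output "The scope '$ExchangeScope' has been assigned" }
            else { Write-Warning "The scope '$ExchangeScope' could not be assigned" }
        }
    }

    Start-Sleep -Seconds 3
    M365cdeMIDexo
}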

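#######################################
# Assigns an Entra ID directory role to a Managed Identity, tenant-wide (DirectoryScopeId "/").
# The role definition is looked up by display name; an existing assignment is reported,
# not duplicated.
# Parameters:
#   ManagedIdentityID - object ID of the service principal receiving the role
#   EntraRole         - role display name, e.g. 'Exchange Administrator'
# Side effects: creates a directory role assignment; writes output/warnings to the host;
#   re-enters M365cdeMIDexo (or M365cdeMIDgraph when the ID is missing).
#######################################
function funcEntraRoleAssignment() {
    param (
        $ManagedIdentityID,
        $EntraRole
    )

    # Validate the parameter that was actually passed, not the outer-scope variable.
    if ([string]::IsNullOrWhiteSpace($ManagedIdentityID)) {
        # The s/m options that define the ID live in the Graph menu.
        Write-Warning "`nManaged Identity Object ID is not defined!`n`nDefine it via the options s (from a existing Automation Account) or m (manually) and try it again!"
        Start-Sleep -Seconds 5
        M365cdeMIDgraph
        return   # do not fall through into a second menu entry below
    }

    # Both values are placed inside quoted OData string literals, and EntraRole may come
    # straight from Read-Host (custom role option): double any single quote so the filter
    # stays well-formed and cannot be reshaped by the input.
    $roleNameLiteral  = "$EntraRole" -replace "'", "''"
    $principalLiteral = "$ManagedIdentityID" -replace "'", "''"

    # NOTE(review): display names are not guaranteed unique for custom roles; several matches
    # would make $EntraRoleID an array and the assignment below would fail — confirm if relevant.
    $EntraRoleID = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$roleNameLiteral'").Id

    if (-not $EntraRoleID) {
        # Message used to reference $ExchangeScope, which is not defined in this function.
        Write-Warning "No Entra Role found for '$EntraRole'"
    }
    else {
        $existingEntraRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "(PrincipalID eq '$principalLiteral') and (RoleDefinitionID eq '$EntraRoleID')"
        if ($existingEntraRole) {
            Write-Warning "The role '$EntraRole' is already assigned"
        }
        else {
            # "/" scopes the role to the whole directory.
            $null = New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $ManagedIdentityID -RoleDefinitionId $EntraRoleID -DirectoryScopeId "/"
            Write-Output "The role '$EntraRole' has been assigned"
        }
    }

    Start-Sleep -Seconds 3
    M365cdeMIDexo
}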

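#######################################
# Prompts for an arbitrary Exchange Online app role value and assigns it to the
# Managed Identity in $AutomationAccountMId (outer scope).
# Fix: previously delegated to funcGraphScopeAssignment, which looks the value up on the
# Microsoft Graph service principal and returns to the Graph menu; the Exchange menu's
# own options 1/2 use funcExchangeScopeAssignment, so the custom path now does too.
# Side effects: see funcExchangeScopeAssignment; re-enters M365cdeMIDexo.
#######################################
function managedid_customexchangescope(){
    $ExchangeScopeCustom = Read-Host "Enter the Scope-Name (e.g. 'MailboxSettings.ReadWrite')"
    funcExchangeScopeAssignment -ManagedIdentityID $AutomationAccountMId -ExchangeScope $ExchangeScopeCustom
    # Only reached if the nested menu call above unwinds.
    Start-Sleep -Seconds 3
    M365cdeMIDexo
}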

function managedid_customexchangerole(){
    # Prompts for an Entra directory role display name and delegates to funcEntraRoleAssignment
    # using the Managed Identity in $AutomationAccountMId (outer scope). funcEntraRoleAssignment
    # re-enters the Exchange menu itself; the lines after it run only if that call unwinds.
    $requestedRole = Read-Host "Enter the Role-Name (e.g. 'Exchange Recipient Administrator')"
    funcEntraRoleAssignment -ManagedIdentityID $AutomationAccountMId -EntraRole $requestedRole
    Start-Sleep -Seconds 3
    M365cdeMIDexo
}