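Function New-AzureADApplicationAccess {
    <#
    .SYNOPSIS
        Create Azure AD access
    .DESCRIPTION
        This function will create an Azure AD Application, a Service Principal for it,
        and add that Service Principal to a specific Azure AD Directory Role.
        With the function New-AzureADApplicationCertificate you can create a certificate
        based access to the Application.

        Security note: the directory role is granted to the Service Principal for the whole
        tenant. Whoever later holds a credential for this Application acts with that role,
        so choose the least privileged role that covers the use case; the default
        "Global Reader" already grants read access to the entire directory, and the example
        below grants "Global Administrator". The operation honours -WhatIf / -Confirm.
        If the Service Principal or the role assignment cannot be created, the function
        tries (best effort) to delete the Application again so no orphaned registration
        is left behind.
    .PARAMETER Name
        Display name of the new Azure AD Application. Default: "AzureAccess".
    .PARAMETER Role
        Display name of the Azure AD Directory Role the Service Principal is added to.
        A role that is not yet enabled in the tenant is enabled from its role template.
        Default: "Global Reader".
    .INPUTS
        System.String[]
    .OUTPUTS
        System.Object[]
        One object per created Application with the properties Customer, TenantId,
        ApplicationId (AppId of the Service Principal) and ObjectId (of the Application).
    .EXAMPLE
        New-AzureADApplicationAccess -Name 'newcert' -Role "Global Administrator"
    .LINK
        https://github.com/gisp497/psgisp
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(
            Mandatory = $false,
            ValueFromPipeline = $true,
            HelpMessage = "Name of the New Azure AD Application"
        )]
        [string]$Name = "AzureAccess",

        [Parameter(
            Mandatory = $false,
            ValueFromPipeline = $true,
            HelpMessage = "AzureADDirectoryRole to access"
        )]
        [string]$Role = "Global Reader"
    )

    Begin {
        # Fail early when there is no Azure AD session. The tenant details are kept for the output.
        try {
            $Tenant = Get-AzureADTenantDetail -ErrorAction Stop
        } catch {
            Throw "You need to connect to Azure AD to use this function."
        }

        # Resolve the directory role by display name. If the tenant has not activated the role
        # yet, enable it from its template. The template and the re-read must be matched
        # against $Role (the original compared against the still-empty role variable, so this
        # path could never succeed).
        $azureaddirectoryrole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $Role }
        if ($null -eq $azureaddirectoryrole) {
            $azureaddirectoryroletemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $Role }
            if ($null -eq $azureaddirectoryroletemplate) {
                Throw "Can't find Azure Directory Role: $Role"
            }
            if ($PSCmdlet.ShouldProcess($Role, "Enable Azure AD Directory Role")) {
                try {
                    $null = Enable-AzureADDirectoryRole -RoleTemplateId $azureaddirectoryroletemplate.ObjectId -ErrorAction Stop
                } catch {
                    Throw "Can't enable Azure Directory Role '$Role': $_"
                }
                $azureaddirectoryrole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $Role }
                if ($null -eq $azureaddirectoryrole) {
                    Throw "Can't find Azure Directory Role: $Role"
                }
            }
            # When enabling was declined (-WhatIf / -Confirm) the role stays $null; Process
            # skips the privileged work in that case.
        }
    }

    Process {
        # Creating an application and granting it a directory role is a privileged change;
        # SupportsShouldProcess was declared but never consulted before, so -WhatIf still
        # created and privileged the application.
        $target = "$($Tenant.DisplayName) / Application '$Name'"
        if (-not $PSCmdlet.ShouldProcess($target, "Create Azure AD Application and add its Service Principal to role '$Role'")) {
            return
        }
        if ($null -eq $azureaddirectoryrole) {
            Throw "Can't find Azure Directory Role: $Role"
        }

        # Create the Azure AD application
        try {
            $application = New-AzureADApplication -DisplayName $Name -ErrorAction Stop
        } catch {
            Throw "Can't create new Azure AD Application: $_"
        }

        try {
            # The new application is not always readable immediately. Poll with a bound
            # instead of spinning forever (the original loop had no delay and no timeout).
            $attempt = 0
            do {
                $checkapp = Get-AzureADApplication | Where-Object { $_.ObjectId -eq $application.ObjectId }
                if ($null -eq $checkapp) {
                    $attempt++
                    if ($attempt -ge 30) {
                        Throw "Azure AD Application $($application.ObjectId) did not become visible in time."
                    }
                    Start-Sleep -Seconds 2
                }
            } while ($null -eq $checkapp)

            # Create the service principal and connect it to the application
            try {
                $sp = New-AzureADServicePrincipal -AppId $application.AppId -ErrorAction Stop
            } catch {
                Throw "Can't create AzureADServicePrincipal: $_"
            }

            # Grant the service principal the requested directory role for the tenant
            try {
                $null = Add-AzureADDirectoryRoleMember -ObjectId $azureaddirectoryrole.ObjectId -RefObjectId $sp.ObjectId -ErrorAction Stop
            } catch {
                Throw "Can't Add AzureADDirectoryRoleMember: $_ "
            }
        } catch {
            # Best-effort rollback so a half-configured application is not left in the tenant.
            # Deleting the application also removes its service principal.
            Write-Warning "Rolling back Azure AD Application '$Name' ($($application.ObjectId)) after failure."
            try {
                Remove-AzureADApplication -ObjectId $application.ObjectId -ErrorAction Stop
            } catch {
                Write-Warning "Rollback failed, remove Application $($application.ObjectId) manually: $_"
            }
            Throw
        }

        # Emit one result per input so pipeline callers get an object for every application
        # (returning only from End dropped all but the last one).
        [PSCustomObject]@{
            Customer      = $Tenant.DisplayName
            TenantId      = $Tenant.ObjectId
            ApplicationId = $sp.AppId
            ObjectId      = $application.ObjectId
        }
    }

    End {
    }
}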