functions/general/Get-TmfRequiredScope.ps1
function Get-TmfRequiredScope { <# .SYNOPSIS Returns required Microsoft Graph permission scopes. .DESCRIPTION Depending on the resources you want to configure, different Microsoft Graph permission scopes are required. This command returns the required scopes. .PARAMETER All Return all scopes that TMF requires. .PARAMETER Groups Return all scopes required for managing group-resources. .PARAMETER Users Return all scopes required for managing user-resources. .PARAMETER NamedLocations Return all scopes required for managing namedLocation-resources. .PARAMETER Agreements Return all scopes required for managing agreement-resources. .PARAMETER ConditionalAccessPolicies Return all scopes required for managing conditionalAccessPolicy-resources. .PARAMETER ConditionalAccessPolicies Return all scopes required for managing administrativeUnit-resources. .EXAMPLE PS> Connect-MgGraph -Scopes (Get-TMFRequiredScope -Groups) Requests access to Microsoft Graph with all required scopes for changes to group-resources. .EXAMPLE PS> Connect-MgGraph -Scopes (Get-TMFRequiredScope -All) Requests access to Microsoft Graph with access to all resources the TMF can handle. #> [CmdletBinding(DefaultParameterSetName = 'All')] Param ( [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $AccessReviews, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $AdministrativeUnits, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $Agreements, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $AuthenticationContextClassReferences, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $ConditionalAccessPolicies, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $CrossTenantAccess, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $CustomSecurityAttributes, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $DirectoryRoles, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $DirectorySettings, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $EntitlementManagement, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $Groups, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $NamedLocations, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $OrganizationalBrandings, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $Policies, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $RoleManagement, [Parameter(ParameterSetName = "SpecifiedComponents")] [switch] $Users, [Parameter(ParameterSetName = "All")] [switch] $All ) begin { [string[]] $scopes = @() } process { if($AccessReviews -or $All) { $scopes += "Group.Read.All", "AccessReview.ReadWrite.All", "RoleManagement.Read.Directory", "Directory.Read.All", "Directory.AccessAsUser.All" } if ($AdministrativeUnits -or $All) { $scopes += "AdministrativeUnit.ReadWrite.All", "Directory.AccessAsUser.All", "RoleManagement.ReadWrite.Directory" } if ($Agreements -or $All) { $scopes += "Agreement.ReadWrite.All" } if ($AuthenticationContextClassReferences -or $All) { $scopes += "AuthenticationContext.ReadWrite.All" } if ($ConditionalAccessPolicies -or $All) { $scopes += "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory", "Application.Read.All", "Agreement.Read.All", "Group.Read.All" } if ($CrossTenantAccess -or $All) { $scopes += "Policy.ReadWrite.CrossTenantAccess" } if ($CustomSecurityAttributes -or $All) { $scopes += "CustomSecAttributeDefinition.ReadWrite.All" } if ($DirectoryRoles -or $All) { $scopes += "RoleManagement.ReadWrite.Directory" } if ($DirectorySettings -or $All) { $scopes += "Directory.ReadWrite.All" } if ($EntitlementManagement -or $All) { $scopes += "EntitlementManagement.ReadWrite.All" } if ($Groups -or $All) { $scopes += "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All" } if ($NamedLocations -or $All) { $scopes += "Policy.ReadWrite.ConditionalAccess" } if ($OrganizationalBrandings -or $All) { $scopes += "OrganizationalBranding.ReadWrite.All" } if ($Policies -or $All) { $scopes += "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.Authorization", "Policy.ReadWrite.AuthenticationFlows" } if($RoleManagement -or $All) { $scopes += "RoleManagement.ReadWrite.Directory", "Directory.AccessAsUser.All", "RoleEligibilitySchedule.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory","RoleManagementPolicy.ReadWrite.AzureADGroup" } if ($Users -or $All) { $scopes += "User.ReadWrite.All" } return ($scopes | Sort-Object -Unique) } } |