functions/directoryRoles/Invoke-TmfDirectoryRole.ps1
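function Invoke-TmfDirectoryRole {
    <#
        .SYNOPSIS
            Performs the required actions for a resource type against the connected Tenant.
        .DESCRIPTION
            Runs Test-TmfDirectoryRole for the selected directoryRole definitions and applies every
            resulting action through the Graph API: "Activate" creates the role from its template and
            adds the desired members, "Change members" adds missing members and removes members that are
            not part of the desired configuration.
            Directory role membership is a privileged assignment, so unless -Confirm is given the
            connected tenant is shown and the operator has to acknowledge it before any request is sent.
        .PARAMETER SpecificResources
            Names of the directoryRole definitions to process.
        .PARAMETER SourceFile
            Only process definitions that were loaded from these source files.
        .PARAMETER SourceConfig
            Only process definitions that were loaded from these source configurations.
        .PARAMETER Confirm
            Skip the interactive "Is this the correct tenant?" prompt. This switch does not follow the
            ShouldProcess -Confirm convention; passing it suppresses the check instead of enabling it.
        .PARAMETER Cmdlet
            The calling cmdlet. Terminating errors are thrown through it and it is handed on to the
            Test-/Resolve- helpers.
        .NOTES
            SpecificResources, SourceFile and SourceConfig are mutually exclusive filters; using more than
            one ends in a terminating DataException (MultipleFiltersNotSupported).
    #>
    [CmdletBinding()]
    Param (
        [string[]] $SpecificResources,
        [string[]] $SourceFile,
        [string[]] $SourceConfig,
        [switch] $Confirm = $false,
        [System.Management.Automation.PSCmdlet] $Cmdlet = $PSCmdlet
    )
    begin {
        $resourceName = "DirectoryRoles"
        if (!$script:desiredConfiguration[$resourceName]) {
            Stop-PSFFunction -String "TMF.NoDefinitions" -StringValues "directoryRole"
            return
        }

        # Reject more than one filter type before touching the tenant. The previous pairwise check
        # missed SpecificResources + SourceConfig, which was then silently reduced to SpecificResources.
        $filterCount = 0
        foreach ($filter in @($SpecificResources, $SourceFile, $SourceConfig)) {
            if ($filter) { $filterCount++ }
        }
        if ($filterCount -gt 1) {
            $exception = New-Object System.Data.DataException("Multiple filters are not supported. You can only filter by one type, sourceFile or sourceConfig or specificResources!")
            $errorID = "MultipleFiltersNotSupported"
            $category = [System.Management.Automation.ErrorCategory]::NotSpecified
            $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
            $Cmdlet.ThrowTerminatingError($recordObject)
        }

        Test-GraphConnection -Cmdlet $Cmdlet
        $tenant = (Invoke-MgGraphRequest -Method GET -Uri ("$script:graphBaseUrl/organization?`$select=displayname,id")).value

        # Sends a single Graph request on behalf of one test result. A failure is reported with the
        # standard action-failed message and rethrown, so processing stops at the first failed action.
        function Send-TmfDirectoryRoleRequest {
            param (
                [Parameter(Mandatory = $true)] [string] $Method,
                [Parameter(Mandatory = $true)] [string] $Uri,
                [hashtable] $Body,
                [Parameter(Mandatory = $true)] $Result
            )
            try {
                if ($Body) {
                    $json = $Body | ConvertTo-Json
                    Write-PSFMessage -Level Verbose -FunctionName "Invoke-TmfDirectoryRole" -String "TMF.Invoke.SendingRequestWithBody" -StringValues $Method, $Uri, $json
                    Invoke-MgGraphRequest -Method $Method -Uri $Uri -Body $json | Out-Null
                } else {
                    # DELETE requests carry no body; the old code passed whatever $requestBody was left over.
                    Write-PSFMessage -Level Verbose -FunctionName "Invoke-TmfDirectoryRole" -String "TMF.Invoke.SendingRequest" -StringValues $Method, $Uri
                    Invoke-MgGraphRequest -Method $Method -Uri $Uri | Out-Null
                }
            } catch {
                Write-PSFMessage -Level Error -FunctionName "Invoke-TmfDirectoryRole" -String "TMF.Invoke.ActionFailed" -StringValues $Result.Tenant, $Result.ResourceType, $Result.ResourceName, $Result.ActionType
                throw $_
            }
        }

        # Adds one directory object to a role through the members/$ref collection.
        function Add-TmfDirectoryRoleMember {
            param (
                [Parameter(Mandatory = $true)] [string] $RoleId,
                [Parameter(Mandatory = $true)] [string] $MemberId,
                [Parameter(Mandatory = $true)] $Result
            )
            # NOTE(review): the @odata.id keeps the public v1.0 endpoint exactly as before; if
            # $script:graphBaseUrl ever points at a different cloud this reference has to follow it.
            $body = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$MemberId" }
            Send-TmfDirectoryRoleRequest -Method "POST" -Uri "$script:graphBaseUrl/directoryRoles/$RoleId/members/`$ref" -Body $body -Result $Result
        }

        # Removes one directory object from a role.
        function Remove-TmfDirectoryRoleMember {
            param (
                [Parameter(Mandatory = $true)] [string] $RoleId,
                [Parameter(Mandatory = $true)] [string] $MemberId,
                [Parameter(Mandatory = $true)] $Result
            )
            Send-TmfDirectoryRoleRequest -Method "DELETE" -Uri "$script:graphBaseUrl/directoryRoles/$RoleId/members/$MemberId/`$ref" -Result $Result
        }
    }
    process {
        if (Test-PSFFunctionInterrupt) { return }

        # Build the Test-TmfDirectoryRole call once; begin already guaranteed at most one filter.
        $testParameters = @{ RawOutput = $true; Cmdlet = $Cmdlet }
        if ($SpecificResources) {
            $testParameters["SpecificResources"] = $SpecificResources
            $scopeDescription = "directoryRole configuration for resources: $($SpecificResources -join ",")"
        } elseif ($SourceFile) {
            $testParameters["SourceFile"] = $SourceFile
            $scopeDescription = "directoryRole configuration for SourceFile(s): $($SourceFile -join ",")"
        } elseif ($SourceConfig) {
            $testParameters["SourceConfig"] = $SourceConfig
            $scopeDescription = "directoryRole configuration for SourceConfig(s): $($SourceConfig -join ",")"
        } else {
            $scopeDescription = "all directoryRole configurations"
        }

        if (-not $Confirm) {
            # Role membership changes are privileged: the operator acknowledges the target tenant first.
            Write-PSFMessage -Level Host -FunctionName "Invoke-TmfDirectoryRole" -String "TMF.TenantInformation" -StringValues $tenant.displayName, $tenant.Id
            if ((Read-Host "Is this the correct tenant? [y/n]") -notin @("y", "Y")) {
                Write-PSFMessage -Level Error -String "TMF.UserCanceled"
                throw "Connected to the wrong tenant."
            }
            Write-PSFMessage -Level Host -FunctionName "Invoke-TmfDirectoryRole" -String "TMF.Invoke.Confirmed" -StringValues $scopeDescription
        }
        $testResults = Test-TmfDirectoryRole @testParameters

        foreach ($result in $testResults) {
            switch ($result.ActionType) {
                "Change members" {
                    $roleId = $result.DesiredConfiguration.roleID
                    $desiredMembers = @($result.DesiredConfiguration.memberIDs | Where-Object { $_ })
                    $currentMembers = @((Invoke-MgGraphRequest -Method GET -Uri ("$script:graphBaseUrl/directoryRoles/{0}/members" -f $roleId)).Value | ForEach-Object { $_.id })

                    # Plain set difference instead of Compare-Object, which rejects empty reference sets.
                    foreach ($memberId in $desiredMembers) {
                        if ($currentMembers -notcontains $memberId) {
                            Add-TmfDirectoryRoleMember -RoleId $roleId -MemberId $memberId -Result $result
                        }
                    }
                    # The desired state is authoritative: every current member that is not listed is
                    # removed, so an empty memberIDs list empties the role.
                    foreach ($memberId in $currentMembers) {
                        if ($desiredMembers -notcontains $memberId) {
                            Remove-TmfDirectoryRoleMember -RoleId $roleId -MemberId $memberId -Result $result
                        }
                    }
                }
                "Activate" {
                    $roleTemplateId = Resolve-DirectoryRoleTemplate -InputReference $result.DesiredConfiguration.displayName -Cmdlet $Cmdlet
                    Send-TmfDirectoryRoleRequest -Method "POST" -Uri "$script:graphBaseUrl/directoryRoles" -Body @{ "roleTemplateId" = $roleTemplateId } -Result $result
                    if ($result.DesiredConfiguration.memberIDs) {
                        # The role object only exists after activation, so its id is resolved now.
                        $roleId = Resolve-DirectoryRole -InputReference $result.DesiredConfiguration.displayName -Cmdlet $Cmdlet
                        foreach ($memberId in $result.DesiredConfiguration.memberIDs) {
                            Add-TmfDirectoryRoleMember -RoleId $roleId -MemberId $memberId -Result $result
                        }
                    }
                }
                "NoActionRequired" {}
                default {
                    Write-PSFMessage -Level Warning -String "TMF.Invoke.ActionTypeUnknown" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, (Get-ActionColor -Action $result.ActionType), $result.ActionType
                }
            }
            Write-PSFMessage -Level Host -String "TMF.Invoke.ActionCompleted" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, (Get-ActionColor -Action $result.ActionType), $result.ActionType
        }
    }
}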