WhiteboardAdmin.psm1
|
Set-Variable AdalClientId -option Constant -value '1950a258-227b-4e31-a9cf-717495945fc2' Set-Variable AdalRedirectUri -option Constant -value 'https://login.microsoftonline.com/common/oauth2/nativeclient' <# .SYNOPSIS Gets one or more Whiteboards from the Microsoft Whiteboard service and returns them as objects. .PARAMETER UserId The ID of the user account to query Whiteboards for. .PARAMETER WhiteboardId (Optional) The ID of a specific Whiteboard to query, if not specified all whiteboards are queried. .PARAMETER ForceAuthPrompt (Optional) Always prompt for auth. Use to ignore cached credentials. .EXAMPLE Get-Whiteboard -UserId 00000000-0000-0000-0000-000000000001 Get all of a user's Whiteboards. #> function Get-Whiteboard { [CmdletBinding()] param( [Parameter(Mandatory=$true)] [Guid]$UserId, [Parameter(Mandatory=$false)] [Guid]$WhiteboardId, [Parameter(Mandatory=$false)] [switch]$ForceAuthPrompt) $response = Invoke-WhiteboardRequest ` -Method GET ` -Endpoint "api/v1.0/users/$UserId/whiteboards" ` -ContentType 'application/json' ` -ForceAuthPrompt:$ForceAuthPrompt if ($null -eq $WhiteboardId) { return $response } # Filter client-side since there is no admin GET API that addresses a single whiteboard. return $response | Where-Object {$_.id -eq $WhiteboardId} } <# .SYNOPSIS Sets the owner for a Whiteboard. .PARAMETER WhiteboardId The Whiteboard for which the owner is being changed. .PARAMETER OldOwnerId The ID of the previous owner. .PARAMETER NewOwnerId The ID of the new owner. .PARAMETER ForceAuthPrompt (Optional) Always prompt for auth. Use to ignore cached credentials. .EXAMPLE Set-WhiteboardOwner -OldOwnerId 00000000-0000-0000-0000-000000000001 -NewOwnerId 00000000-0000-0000-0000-000000000002 Move a Whiteboard from one user to another. #> function Set-WhiteboardOwner { [CmdletBinding( SupportsShouldProcess = $true, ConfirmImpact='High')] param( [Parameter(Mandatory=$true)] [Guid]$WhiteboardId, [Parameter(Mandatory=$true)] [Guid]$OldOwnerId, [Parameter(Mandatory=$true)] [Guid]$NewOwnerId, [Parameter(Mandatory=$false)] [switch]$ForceAuthPrompt) if ($PSCmdlet.ShouldProcess("Whiteboard: $WhiteboardId")) { return Invoke-WhiteboardRequest ` -Method PATCH ` -Endpoint "api/v1.0/users/$OldOwnerId/whiteboards/$WhiteboardId" ` -ContentType 'application/json-patch+json' ` -Body (ConvertTo-Json -Compress @(@{"op"="replace"; "path"="/OwnerId"; "value"=$NewOwnerId })) ` -ForceAuthPrompt:$ForceAuthPrompt } } <# .SYNOPSIS Transfer ownership of all Whiteboards owned by a user to another user. .PARAMETER OldOwnerId The ID of the previous owner. .PARAMETER NewOwnerId The ID of the new owner. .PARAMETER WhatIf Execute the command without making any actual changes. Only calls read methods on the REST service. .PARAMETER ForceAuthPrompt (Optional) Always prompt for auth. Use to ignore cached credentials. .EXAMPLE Invoke-TransferAllWhiteboards -OldOwnerId 00000000-0000-0000-0000-000000000001 -NewOwnerId 00000000-0000-0000-0000-000000000002 -WhatIf Check how many Whiteboards will be transferred without transferring them. .EXAMPLE Invoke-TransferAllWhiteboards -OldOwnerId 00000000-0000-0000-0000-000000000001 -NewOwnerId 00000000-0000-0000-0000-000000000002 Transfer (and prompt before performing any write actions). #> function Invoke-TransferAllWhiteboards { [CmdletBinding( SupportsShouldProcess = $true, ConfirmImpact='High')] param( [Parameter(Mandatory=$true)] [Guid]$OldOwnerId, [Parameter(Mandatory=$true)] [Guid]$NewOwnerId, [Parameter(Mandatory=$false)] [switch]$ForceAuthPrompt) $whiteboards = Get-Whiteboard -UserId $OldOwnerId -ForceAuthPrompt:$ForceAuthPrompt # Only transfer Whiteboards actually owned by this Id $whiteboardsOwned = @($whiteboards | Where-Object { [Guid]::Parse($_.ownerId) -eq $OldOwnerId }) Write-Verbose "Found $($whiteboardsOwned.Length) Whiteboards for owner $($OldOwnerId)" if ($PSCmdlet.ShouldProcess("Whiteboards for Owner: $OldOwnerId")) { $whiteboardsOwned | ForEach-Object { Set-WhiteboardOwner -OldOwnerId $OldOwnerId -NewOwnerId $NewOwnerId -WhiteboardId $_.id -Confirm:$false } } } function Invoke-WhiteboardRequest( [Parameter(Mandatory=$true)] [Microsoft.PowerShell.Commands.WebRequestMethod]$Method, [Parameter(Mandatory=$true)] [string]$Endpoint, [Parameter(Mandatory=$false)] [string]$ContentType = $null, [Parameter(Mandatory=$false)] [string]$Body = $null, [Parameter(Mandatory=$false)] [switch]$ForceAuthPrompt) { # Make sure TLS 1.2 is a supported protocol since this is all the whiteboard service supports. [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol, [Net.SecurityProtocolType]::Tls12 $invokeRestMethodArgs = @{ Method = $Method Uri = "https://$(Get-WhiteboardHostName -Environment $env:Environment)/$Endpoint" ContentType = $ContentType UserAgent = "WhiteboardAdminModule/$((Get-Module WhiteboardAdmin | Select-Object -First 1).Version)" Headers = @{ 'Authorization' = Get-WhiteboardAuthenticationHeader -ForceAuthPrompt:$ForceAuthPrompt } } if (-Not [string]::IsNullOrEmpty($Body)) { $invokeRestMethodArgs["Body"] = $Body } try { return Invoke-RestMethod @invokeRestMethodArgs } catch [System.Net.WebException] { $ex = $_.Exception if ($ex.Status -ne [System.Net.WebExceptionStatus]::ProtocolError) { # Rethrow the exception if the failure wasn't caused by a protocol error. throw $ex } $response = $ex.Response if ($response.StatusCode -ne [System.Net.HttpStatusCode]::Unauthorized) { # Rethrow the exception if the failure wasn't caused by a unauthroized response throw $ex } # Try to deserialize the adal claims challenge. # This can happen if the endpoint makes an onbehalf # of request that requires additional claims (like MFA) try { $stream = $response.GetResponseStream() $streamReader = [System.IO.StreamReader]::new($stream) $content = $streamReader.ReadToEnd() $claims = ($content | ConvertFrom-Json).claims if ([string]::IsNullOrEmpty($claims)) { throw $ex } } catch { throw $ex } $invokeRestMethodArgs['Headers']['Authorization'] = Get-WhiteboardAuthenticationHeader -Claims $claims -ForceAuthPrompt:$ForceAuthPrompt return Invoke-RestMethod @invokeRestMethodArgs } } function Get-WhiteboardAuthenticationHeader( [Parameter(Mandatory=$false)] [string]$Claims, [Parameter(Mandatory=$false)] [switch]$ForceAuthPrompt) { $whiteboardResourceId = Get-WhiteboardResourceId -Environment $env:Environment $aadAuthority = Get-AadAuthority -Environment $env:Environment $authContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new($aadAuthority) $promptBehavior = if ($ForceAuthPrompt -eq $true) { [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always } else { [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto } $platformParameters = [Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters]::new($promptBehavior) $userIdentifier = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier]::AnyUser if (-Not ([string]::IsNullOrEmpty($Claims))) { $adalQueryString = "claims=$Claims" } $result = $authContext.AcquireTokenAsync($whiteboardResourceId, $AdalClientId, $AdalRedirectUri, $platformParameters, $userIdentifier, $adalQueryString).Result return $result.CreateAuthorizationHeader(); } function Get-WhiteboardHostName( [Parameter(Mandatory=$false)] [ValidateSet('Prod', 'Int', 'Dev', '')] [string] $Environment) { switch ($Environment) { 'Dev' { return "dev.whiteboard.microsoft.com"} 'Int' { return "int.whiteboard.microsoft.com"} default { return "whiteboard.microsoft.com" } } } function Get-WhiteboardResourceId( [Parameter(Mandatory=$false)] [ValidateSet('Prod', 'Int', 'Dev', '')] [string] $Environment) { switch ($Environment) { 'Int' { return "https://int.whiteboard.microsoft.com"} default { return "https://whiteboard.microsoft.com" } } } function Get-AadAuthority( [Parameter(Mandatory=$false)] [ValidateSet('Prod', 'Int', 'Dev', '')] [string] $Environment) { switch ($Environment) { 'Int' { return "https://login.windows-ppe.net/common"} default { return "https://login.microsoftonline.com/common" } } } |