Skip to content

Commit b34d7e2

Browse files
author
Luis Mengel
committed
Add JIT group membership support and fix directory role activation
1 parent 2e867ef commit b34d7e2

3 files changed

Lines changed: 151 additions & 15 deletions

File tree

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -183,7 +183,14 @@ function Invoke-ExecJITAdmin {
183183
'UserPrincipalName' = $Username
184184
}
185185
Roles = $Request.Body.AdminRoles.value
186-
Action = 'AddRoles'
186+
Groups = $Request.Body.GroupMemberships.value
187+
Action = if ($Request.Body.AdminRoles.value -and $Request.Body.GroupMemberships.value) {
188+
'AddRolesAndGroups'
189+
} elseif ($Request.Body.GroupMemberships.value) {
190+
'AddGroups'
191+
} else {
192+
'AddRoles'
193+
}
187194
Reason = $Request.Body.Reason
188195
Expiration = $Expiration
189196
StartDate = $Start
@@ -238,6 +245,7 @@ function Invoke-ExecJITAdmin {
238245
'UserPrincipalName' = $Username
239246
}
240247
Roles = $Request.Body.AdminRoles.value
248+
Groups = $Request.Body.GroupMemberships.value
241249
Reason = $Request.Body.Reason
242250
Action = $Request.Body.ExpireAction.value
243251
}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListJITAdmin.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@
3232
$BulkRequests.Add(@{
3333
id = $User.id
3434
method = 'GET'
35-
url = "users/$($User.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
35+
url = "users/$($User.id)/memberOf?`$select=id,displayName"
3636
})
3737
}
3838
$RoleResults = New-GraphBulkRequest -tenantid $TenantFilter -Requests @($BulkRequests)

Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1

Lines changed: 141 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,9 @@ function Set-CIPPUserJITAdmin {
1515
.PARAMETER Roles
1616
List of Role GUIDs to add or remove
1717
18+
.PARAMETER Groups
19+
List of Group GUIDs to add or remove
20+
1821
.PARAMETER Action
1922
Action to perform: Create, AddRoles, RemoveRoles, DeleteUser, DisableUser
2023
@@ -38,8 +41,9 @@ function Set-CIPPUserJITAdmin {
3841
[Parameter(Mandatory = $true)]
3942
[hashtable]$User,
4043
[string[]]$Roles,
44+
[string[]]$Groups,
4145
[Parameter(Mandatory = $true)]
42-
[ValidateSet('Create', 'AddRoles', 'RemoveRoles', 'DeleteUser', 'DisableUser')]
46+
[ValidateSet('Create', 'AddRoles', 'AddGroups', 'AddRolesAndGroups', 'RemoveRoles', 'RemoveGroups', 'RemoveRolesAndGroups', 'DeleteUser', 'DisableUser')]
4347
[string]$Action,
4448
[datetime]$Expiration,
4549
[datetime]$StartDate,
@@ -108,14 +112,22 @@ function Set-CIPPUserJITAdmin {
108112
}
109113
}
110114
'AddRoles' {
111-
$Roles = $Roles | ForEach-Object {
112-
try {
113-
$Body = @{
114-
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($UserObj.id)"
115+
if ($Roles) {
116+
$Roles | ForEach-Object {
117+
try {
118+
# Activate the directory role if not already active
119+
try {
120+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/directoryRoles" -tenantid $TenantFilter -body (@{ roleTemplateId = $_ } | ConvertTo-Json) -ErrorAction SilentlyContinue
121+
} catch {}
122+
$Body = @{
123+
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($UserObj.id)"
124+
}
125+
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
126+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/`$ref" -tenantid $TenantFilter -body $Json -ErrorAction SilentlyContinue
127+
} catch {
128+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to add role $($_) to user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
115129
}
116-
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
117-
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/`$ref" -tenantid $TenantFilter -body $Json -ErrorAction SilentlyContinue
118-
} catch {}
130+
}
119131
}
120132
$UserEnabled = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)?`$select=accountEnabled" -tenantid $TenantFilter).accountEnabled
121133
if (-not $UserEnabled) {
@@ -125,7 +137,9 @@ function Set-CIPPUserJITAdmin {
125137
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
126138
try {
127139
New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)" -tenantid $TenantFilter -body $Json | Out-Null
128-
} catch {}
140+
} catch {
141+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to enable user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
142+
}
129143
}
130144
$CreatedBy = if ($Headers) {
131145
([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails
@@ -148,17 +162,131 @@ function Set-CIPPUserJITAdmin {
148162
Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info' -LogData $LogData
149163
return "Added admin roles to user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
150164
}
151-
'RemoveRoles' {
152-
$Roles = $Roles | ForEach-Object {
165+
'AddGroups' {
166+
if ($Groups) {
167+
foreach ($GroupId in $Groups) {
168+
try {
169+
$Body = @{
170+
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($UserObj.id)"
171+
}
172+
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
173+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/groups/$GroupId/members/`$ref" -tenantid $TenantFilter -body $Json -ErrorAction SilentlyContinue
174+
} catch {
175+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to add user $($UserObj.userPrincipalName) to group $GroupId`: $($_.Exception.Message)" -Sev 'Error'
176+
}
177+
}
178+
}
179+
$CreatedBy = if ($Headers) { ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails } else { 'Unknown' }
180+
Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Enabled -Expiration $Expiration -StartDate $StartDate -Reason $Reason -CreatedBy $CreatedBy | Out-Null
181+
$Message = "Added group memberships for user $($UserObj.displayName) ($($UserObj.userPrincipalName)). Reason: $Reason"
182+
Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
183+
return $Message
184+
}
185+
'AddRolesAndGroups' {
186+
# Add roles
187+
if ($Roles) {
188+
$Roles | ForEach-Object {
189+
try {
190+
# Activate the directory role if not already active
191+
try {
192+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/directoryRoles" -tenantid $TenantFilter -body (@{ roleTemplateId = $_ } | ConvertTo-Json) -ErrorAction SilentlyContinue
193+
} catch {}
194+
$Body = @{
195+
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($UserObj.id)"
196+
}
197+
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
198+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/`$ref" -tenantid $TenantFilter -body $Json -ErrorAction SilentlyContinue
199+
} catch {
200+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to add role $($_) to user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
201+
}
202+
}
203+
}
204+
# Add groups
205+
if ($Groups) {
206+
foreach ($GroupId in $Groups) {
207+
try {
208+
$Body = @{
209+
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($UserObj.id)"
210+
}
211+
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
212+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/groups/$GroupId/members/`$ref" -tenantid $TenantFilter -body $Json -ErrorAction SilentlyContinue
213+
} catch {
214+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to add group $GroupId to user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
215+
}
216+
}
217+
}
218+
$UserEnabled = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)?`$select=accountEnabled" -tenantid $TenantFilter).accountEnabled
219+
if (-not $UserEnabled) {
220+
$Body = @{ accountEnabled = $true }
221+
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
153222
try {
154-
$null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/$($UserObj.id)/`$ref" -tenantid $TenantFilter
155-
} catch {}
223+
New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)" -tenantid $TenantFilter -body $Json | Out-Null
224+
} catch {
225+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to enable user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
226+
}
227+
}
228+
$CreatedBy = if ($Headers) { ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails } else { 'Unknown' }
229+
Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Enabled -Expiration $Expiration -StartDate $StartDate -Reason $Reason -CreatedBy $CreatedBy | Out-Null
230+
$Message = "Added admin roles and group memberships for user $($UserObj.displayName) ($($UserObj.userPrincipalName)). Reason: $Reason"
231+
Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
232+
return $Message
233+
}
234+
'RemoveRoles' {
235+
if ($Roles) {
236+
$Roles | ForEach-Object {
237+
try {
238+
$null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/$($UserObj.id)/`$ref" -tenantid $TenantFilter
239+
} catch {
240+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to remove role $($_) from user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
241+
}
242+
}
156243
}
157244
Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Clear | Out-Null
158245
$Message = "Removed admin roles from user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
159246
Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
160247
return "Removed admin roles from user $($UserObj.displayName)"
161248
}
249+
'RemoveGroups' {
250+
if ($Groups) {
251+
foreach ($GroupId in $Groups) {
252+
try {
253+
$null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/groups/$GroupId/members/$($UserObj.id)/`$ref" -tenantid $TenantFilter
254+
} catch {
255+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to remove user $($UserObj.userPrincipalName) from group $GroupId`: $($_.Exception.Message)" -Sev 'Error'
256+
}
257+
}
258+
}
259+
Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Clear | Out-Null
260+
$Message = "Removed group memberships from user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
261+
Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
262+
return $Message
263+
}
264+
'RemoveRolesAndGroups' {
265+
# Remove roles
266+
if ($Roles) {
267+
$Roles | ForEach-Object {
268+
try {
269+
$null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/$($UserObj.id)/`$ref" -tenantid $TenantFilter
270+
} catch {
271+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to remove role $($_) from user $($UserObj.userPrincipalName): $($_.Exception.Message)" -Sev 'Error'
272+
}
273+
}
274+
}
275+
# Remove groups
276+
if ($Groups) {
277+
foreach ($GroupId in $Groups) {
278+
try {
279+
$null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/groups/$GroupId/members/$($UserObj.id)/`$ref" -tenantid $TenantFilter
280+
} catch {
281+
Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to remove user $($UserObj.userPrincipalName) from group $GroupId`: $($_.Exception.Message)" -Sev 'Error'
282+
}
283+
}
284+
}
285+
Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Clear | Out-Null
286+
$Message = "Removed admin roles and group memberships from user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
287+
Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
288+
return $Message
289+
}
162290
'DeleteUser' {
163291
try {
164292
$null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/users/$($UserObj.userPrincipalName)" -tenantid $TenantFilter

0 commit comments

Comments
 (0)