# Import required modules
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
Import-Module PartnerCenter
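# Function to ensure authentication
function Ensure-GraphAuthentication {
    <#
    .SYNOPSIS
        Makes sure the session is signed in to Microsoft Graph with the scopes this script needs.
    .DESCRIPTION
        The only Graph calls in this file are Get-MgGroup and New-MgGroup, the latter creating
        groups with IsAssignableToRole = $true. Group.ReadWrite.All covers reading and creating
        groups; creating a role-assignable group additionally requires
        RoleManagement.ReadWrite.Directory (per the Graph group-creation documentation; the
        signed-in user also needs a role such as Privileged Role Administrator - confirm for
        your tenant). Directory.ReadWrite.All is deliberately NOT requested: nothing here
        touches directory objects other than groups and it is far broader than needed.

        An existing Graph session is reused only when it already carries every required
        scope. A leftover session with narrower scopes is the usual reason a later
        New-MgGroup call fails with "Insufficient privileges", so it is reconnected instead.
    .OUTPUTS
        None. Exits the script with code 1 when authentication fails.
    #>
    $requiredScopes = @("Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory")
    try {
        $context = Get-MgContext
        if (-not $context) {
            Write-Host "Not authenticated to Microsoft Graph. Attempting to connect..." -ForegroundColor Yellow
            Connect-MgGraph -Scopes $requiredScopes
            return
        }
        # Scopes are compared name-for-name; a session granted a superset via a different
        # scope name would be reconnected, which is harmless.
        $missing = @($requiredScopes | Where-Object { $context.Scopes -notcontains $_ })
        if ($missing.Count -gt 0) {
            Write-Host "Existing Microsoft Graph session lacks required scope(s): $($missing -join ', '). Reconnecting..." -ForegroundColor Yellow
            Connect-MgGraph -Scopes $requiredScopes
        }
        else {
            Write-Host "Already authenticated to Microsoft Graph." -ForegroundColor Green
        }
    }
    catch {
        Write-Host "Failed to authenticate to Microsoft Graph: $_" -ForegroundColor Red
        # A bare 'exit' returns 0 and would make a failed sign-in look like success to a caller.
        exit 1
    }
}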
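function Ensure-PartnerCenterAuthentication {
    <#
    .SYNOPSIS
        Makes sure a Partner Center session exists, connecting interactively if there is none.
    .DESCRIPTION
        An existing Get-PartnerContext session is reused as-is; this function has no way to
        check which partner tenant it belongs to, so confirm that before running the script
        against all customers. Exits with code 1 on failure - a bare 'exit' would report
        success to whatever launched the script.
    .OUTPUTS
        None.
    #>
    try {
        $partner = Get-PartnerContext
        if ($partner) {
            Write-Host "Already authenticated to Partner Center." -ForegroundColor Green
            return
        }
        Write-Host "Not authenticated to Partner Center. Attempting to connect..." -ForegroundColor Yellow
        Connect-PartnerCenter
    }
    catch {
        Write-Host "Failed to authenticate to Partner Center: $_" -ForegroundColor Red
        exit 1
    }
}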
# Ensure authentication before proceeding
# Both sessions are interactive and are established (or an existing one reused) before any
# group or customer data is touched; each helper exits the script if sign-in fails.
Ensure-GraphAuthentication
Ensure-PartnerCenterAuthentication
# Function to categorize roles
function Get-RoleCategories($roles) {
    <#
    .SYNOPSIS
        Buckets role display names into the admin categories this script creates groups for.
    .PARAMETER roles
        Role display names (strings). $null or an empty collection is fine and simply yields
        the fixed categories with an empty "Specialized Roles" bucket.
    .OUTPUTS
        Hashtable: category name -> array of role names. The first four buckets are fixed;
        any role that matches none of them is appended to "Specialized Roles". Matching uses
        PowerShell's default case-insensitive -contains, and a role already present in any
        bucket (including "Specialized Roles") is not added again.
    #>
    $categories = @{
        "Identity and Access" = @(
            "Global Administrator", "Authentication Administrator", "Conditional Access Administrator",
            "Password Administrator", "Privileged Authentication Administrator", "User Administrator"
        )
        "Security and Compliance" = @(
            "Security Administrator", "Compliance Administrator", "Compliance Data Administrator",
            "Cloud App Security Administrator", "Attack Simulation Administrator"
        )
        "Microsoft 365 Services" = @(
            "Exchange Administrator", "SharePoint Administrator", "Teams Administrator",
            "Power Platform Administrator", "Dynamics 365 Administrator", "Intune Administrator"
        )
        "Azure and DevOps" = @(
            "Azure DevOps Administrator", "Azure Information Protection Administrator",
            "Cloud Device Administrator", "Hybrid Identity Administrator"
        )
        "Specialized Roles" = @()
    }
    foreach ($roleName in $roles) {
        $alreadyBucketed = $false
        foreach ($bucket in $categories.Values) {
            if ($bucket -contains $roleName) {
                $alreadyBucketed = $true
                break
            }
        }
        if (-not $alreadyBucketed) {
            $categories["Specialized Roles"] = @($categories["Specialized Roles"]) + $roleName
        }
    }
    return $categories
}
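# Function to get or create assignable groups
function New-OrGetAssignableGroup($groupName, $description) {
    <#
    .SYNOPSIS
        Returns the Id of a role-assignable security group with the given name, creating it if needed.
    .DESCRIPTION
        The Id returned here is later handed delegated admin roles for every customer, so an
        EXISTING group is reused only when it is safe to do so:
          * exactly one group has this displayName (displayName is not unique in Entra ID), and
          * that group is security-enabled and role-assignable.
        Otherwise a name collision with some other group (for example a pre-existing M365 group)
        would silently become the target of the GDAP roles. IsAssignableToRole cannot be changed
        after creation, so an unsuitable group is reported and $null returned rather than "fixed".
        Single quotes in the name are escaped for the OData filter ('' is the literal quote).
    .PARAMETER groupName
        Display name to look up / create.
    .PARAMETER description
        Description set on a newly created group only.
    .OUTPUTS
        [string] group Id, or $null when no usable group exists and creation failed.
    #>
    $filterName = $groupName -replace "'", "''"
    $found = @(Get-MgGroup -Filter "displayName eq '$filterName'" -Property Id, DisplayName, SecurityEnabled, IsAssignableToRole)
    if ($found.Count -gt 1) {
        Write-Host "Multiple groups named '$groupName' exist; refusing to pick one. Resolve the duplicate before re-running." -ForegroundColor Red
        return $null
    }
    if ($found.Count -eq 1) {
        $existingGroup = $found[0]
        if (-not ($existingGroup.SecurityEnabled -and $existingGroup.IsAssignableToRole)) {
            Write-Host "Group '$groupName' (ID: $($existingGroup.Id)) exists but is not a role-assignable security group; it will not be used." -ForegroundColor Red
            return $null
        }
        Write-Host "Group '$groupName' already exists with ID: $($existingGroup.Id)" -ForegroundColor Yellow
        return $existingGroup.Id
    }
    $params = @{
        DisplayName        = $groupName
        Description        = $description
        MailEnabled        = $false
        # mailNickname must be alphanumeric; two names differing only in punctuation would collide here.
        MailNickname       = ($groupName -replace '[^a-zA-Z0-9]', '').ToLower()
        SecurityEnabled    = $true
        IsAssignableToRole = $true
    }
    try {
        $newGroup = New-MgGroup -BodyParameter $params
        Write-Host "New assignable group '$groupName' created with ID: $($newGroup.Id)" -ForegroundColor Green
        return $newGroup.Id
    }
    catch {
        Write-Host "Failed to create new assignable group '$groupName': $_" -ForegroundColor Red
        return $null
    }
}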
# Function to assign GDAP role to group
function New-GDAPRoleAssignment($groupId, $roleId, $customerId) {
    <#
    .SYNOPSIS
        Adds a group as a member of a customer role and reports whether the call succeeded.
    .PARAMETER groupId
        Entra group object Id (as returned by New-OrGetAssignableGroup).
    .PARAMETER roleId
        Role Id as returned by Get-PartnerCustomerUserRole for this customer.
    .PARAMETER customerId
        Partner Center customer (tenant) Id.
    .OUTPUTS
        [bool] $true when the cmdlet completed without throwing, $false otherwise. Errors are
        printed with Write-Host and swallowed so the caller can record a "Failed" row and
        continue with the next role.
    .NOTES
        NOTE(review): this depends on Add-PartnerCustomerUserRoleMember accepting -GroupId.
        Verify that against the installed PartnerCenter module version before trusting the
        "created" message - nothing else in this file confirms the assignment mechanism, so
        test on a single customer first (see $singleCustomerTenantId in the main script).
    #>
    $assignmentArgs = @{
        CustomerId = $customerId
        RoleId     = $roleId
        GroupId    = $groupId
    }
    try {
        Add-PartnerCustomerUserRoleMember @assignmentArgs
    }
    catch {
        Write-Host "Failed to create GDAP role assignment: $_" -ForegroundColor Red
        return $false
    }
    Write-Host "GDAP role assignment created for group $groupId and role $roleId" -ForegroundColor Green
    return $true
}
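# Function to check prerequisites
function Check-Prerequisites($customerId) {
    <#
    .SYNOPSIS
        Checks that a customer is readable from Partner Center and has a reseller relationship.
    .DESCRIPTION
        One Get-PartnerCustomer call feeds both checks. The result is assigned rather than left
        on the pipeline: the original first call emitted the customer object as function output,
        so callers received [customer, hashtable] instead of just the hashtable. -ErrorAction Stop
        is used so a non-terminating cmdlet error actually reaches the catch block.

        NOTE(review): the second check only tests RelationshipToPartner -eq "Reseller". A reseller
        relationship is not a GDAP relationship; this does not prove that a delegated admin
        relationship with the required roles exists for the customer. It is a weak proxy - a real
        check would query the customer's delegated admin relationships, which this file does not do.
        The key name is kept unchanged because the main script reports it verbatim.
    .PARAMETER customerId
        Partner Center customer (tenant) Id.
    .OUTPUTS
        Hashtable of prerequisite name -> [bool]. The caller skips the customer if any value is $false.
    #>
    $prerequisites = @{
        "Connected to Partner Center" = $false
        "GDAP relationship exists" = $false
    }
    $customer = $null
    try {
        $customer = Get-PartnerCustomer -CustomerId $customerId -ErrorAction Stop
        $prerequisites["Connected to Partner Center"] = $true
    }
    catch {
        Write-Host "Not connected to Partner Center or issue with customer access. Error: $_" -ForegroundColor Red
        # Without the customer object the relationship check cannot run; both stay $false.
        return $prerequisites
    }
    if ($customer.RelationshipToPartner -eq "Reseller") {
        $prerequisites["GDAP relationship exists"] = $true
    }
    else {
        Write-Host "No reseller relationship found for customer $customerId. GDAP might not be established." -ForegroundColor Yellow
    }
    return $prerequisites
}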
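# Main script execution
# NOTE(review): $gdapRoles is not assigned anywhere in this file. Unless the caller sets it
# before running, Get-RoleCategories receives $null and "Specialized Roles" stays empty, so
# only the four fixed categories ever get roles assigned.
$categories = Get-RoleCategories $gdapRoles

# Builds one summary row with a fixed column set. Export-Csv takes its header from the FIRST
# object it sees, so rows with differing property sets ("Reason" vs "Role"/"Category") would
# otherwise lose those values silently in the CSV; Format-Table behaves the same way.
function New-SummaryRow($customerName, $customerId, $action, $category, $role, $reason) {
    [PSCustomObject]@{
        CustomerName = $customerName
        CustomerId   = $customerId
        Action       = $action
        Category     = $category
        Role         = $role
        Reason       = $reason
    }
}

# Groups are created in whichever tenant the Graph session is signed in to. The script cannot
# tell whether that is the partner tenant - confirm it before running.
$groupIds = @{}
foreach ($category in $categories.Keys) {
    $groupName = "GDAP - $category Administrators"
    $description = "GDAP group for $category roles: $($categories[$category] -join ', ')"
    $groupId = New-OrGetAssignableGroup $groupName $description
    if ($groupId) {
        $groupIds[$category] = $groupId
    }
}

# Get list of customers based on whether a single customer tenant ID is specified
$singleCustomerTenantId = "" # Replace with customer tenant ID to test with a single customer, leave empty for all customers
if ($singleCustomerTenantId -ne "") {
    $customers = Get-PartnerCustomer | Where-Object { $_.CustomerId -eq $singleCustomerTenantId }
    if (-not $customers) {
        Write-Host "No customer found with the specified Tenant ID: $singleCustomerTenantId" -ForegroundColor Red
        exit 1
    }
}
else {
    $customers = Get-PartnerCustomer
}

$summary = @()
foreach ($customer in $customers) {
    $customerName = $customer.Name
    $customerId = $customer.CustomerId
    Write-Host "Processing customer: $customerName ($customerId)" -ForegroundColor Cyan

    # Check prerequisites
    $prereqCheck = Check-Prerequisites -CustomerId $customerId
    if ($prereqCheck.Values -contains $false) {
        Write-Host "Prerequisites not met for customer $customerName. Skipping..." -ForegroundColor Yellow
        foreach ($prereq in $prereqCheck.GetEnumerator()) {
            if (-not $prereq.Value) {
                $summary += New-SummaryRow $customerName $customerId "Skipped" $null $null "Prerequisite not met: $($prereq.Key)"
            }
        }
        continue
    }
    Write-Host "All prerequisites met. Proceeding with role assignments." -ForegroundColor Green

    # Get available roles for the customer
    $availableRoles = Get-PartnerCustomerUserRole -CustomerId $customerId
    Write-Host "Available roles for $customerName :" -ForegroundColor Green
    $availableRoles | ForEach-Object {
        Write-Host "- $($_.Name) (ID: $($_.Id))" -ForegroundColor Yellow
    }

    # Prompt user for role assignments (-eq is case-insensitive, so "y" is accepted too)
    Write-Host "Do you want to assign roles for this customer? (Y/N)" -ForegroundColor Cyan
    $response = Read-Host
    if ($response -eq "Y") {
        foreach ($category in $categories.Keys) {
            $groupId = $groupIds[$category]
            if (-not $groupId) {
                # Group lookup/creation failed or was refused earlier; never call the
                # assignment cmdlet with an empty group Id.
                Write-Host "No usable group for category '$category'. Skipping its roles." -ForegroundColor Yellow
                continue
            }
            foreach ($role in $categories[$category]) {
                $availableRole = $availableRoles | Where-Object { $_.Name -eq $role }
                if (-not $availableRole) {
                    Write-Host "Role '$role' not available for this customer. Skipping..." -ForegroundColor Yellow
                    continue
                }
                Write-Host "Do you want to assign the role '$role' to the GDAP group '$category'? (Y/N)" -ForegroundColor Cyan
                $assignRole = Read-Host
                if ($assignRole -ne "Y") {
                    continue
                }
                $result = New-GDAPRoleAssignment $groupId $availableRole.Id $customerId
                if ($result) {
                    $summary += New-SummaryRow $customerName $customerId "Assigned" $category $role $null
                }
                else {
                    $summary += New-SummaryRow $customerName $customerId "Failed" $category $role "GDAP assignment failed"
                }
            }
        }
    }
    Write-Host "Completed processing for customer: $customerName ($customerId)" -ForegroundColor Cyan
    Write-Host "---------------------------------------------------------------------"
}

# Output summary
Write-Host "Summary of Actions:" -ForegroundColor Cyan
$summary | Format-Table -AutoSize

# Export summary to CSV (written to the current directory; it names customers and tenant Ids,
# so treat the file accordingly)
$csvPath = "GDAP_Roles_Summary_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
$summary | Export-Csv -Path $csvPath -NoTypeInformation
Write-Host "Summary exported to CSV file: $csvPath" -ForegroundColor Green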