initial

AZ Automation & Managed Identities

Automations/AZ Automation with Managed Identity/MgId_Authentificatin.ps1

@@ -0,0 +1,11 @@
+try {
+    # Logging in to Azure.
+    Connect-AzAccount -Identity
+
+    # Get token and connect to MgGraph
+    Connect-MgGraph -AccessToken ((Get-AzAccessToken -ResourceTypeName MSGraph).token)
+} catch {
+    Write-Error -Message $_.Exception
+    throw $_.Exception
+}
+

Automations/AZ Automation with Managed Identity/MgId_addPermissions.ps1

@@ -0,0 +1,41 @@
+# Install Microft Graph Module
+Install-Module Microsoft.Graph -Scope CurrentUser
+
+
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All,RoleManagement.ReadWrite.Directory"
+
+# Select beta profile
+Select-MgProfile Beta
+
+
+# Change this to your Managed Identity app name:
+$managedIdentityName = "scloud"
+$managedIdentityId = (Get-MgServicePrincipal -Filter "displayName eq $managedIdentityName").id
+
+
+# Adding Microsoft Graph permissions
+$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
+
+# Add the required Graph scopes
+$graphScopes = @(
+  'UserAuthenticationMethod.Read.All',
+  'Group.ReadWrite.All',
+  'Directory.Read.All',
+  'User.ReadWrite.All'
+)
+ForEach($scope in $graphScopes){
+  $appRole = $graphApp.AppRoles | Where-Object {$_.Value -eq $scope}
+
+  if ($null -eq $appRole) { Write-Warning "Unable to find App Role for scope $scope"; continue; }
+
+  # Check if permissions isn't already assigned
+  $assignedAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId | Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceDisplayName -eq "Microsoft Graph" }
+
+  if ($null -eq $assignedAppRole) {
+    New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedIdentityId -ServicePrincipalId $managedIdentityId -ResourceId $graphApp.Id -AppRoleId $appRole.Id
+  }else{
+    write-host "Scope $scope already assigned"
+  }
+}
+

Automations/AZ Automation with Managed Identity/MgId_getOldDevices.ps1

@@ -0,0 +1,61 @@
+# Conenction with Managed Identity
+Connect-MgGraph -Identity
+
+Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
+
+# Define device age to include
+$inactiveDays = "180"
+
+# Construct the Graph API request URI
+$graphUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices"
+$filter = "lastSyncDateTime le $((Get-Date).AddDays(-$inactiveDays).ToString('yyyy-MM-ddTHH:mm:ssZ'))"
+$uri = "$($graphUri)?`$filter=$filter"
+$Method = "GET"
+
+# Send the request and retrieve the devices
+$response = Invoke-MgGraphRequest -Method $Method -uri $uri
+
+# Create a report variable
+$report = @()
+
+# Build the report
+foreach ($device in $response.value) {
+    $deviceName = $device.deviceName
+    $lastSyncDateTime = $device.lastSyncDateTime
+    $deviceInfo = [PSCustomObject]@{
+        DeviceName = $deviceName
+        LastSyncDateTime = $lastSyncDateTime
+    }
+    $report += $deviceInfo
+}
+
+# Output the report
+$report
+
+
+###############################################################################
+
+# YOUR Webhook URL
+$WebHookURL = "https://xxxx.webhook.office.com/someID..."
+
+
+# Message JSON 
+$Message_Json = [PSCustomObject][Ordered]@{
+    "@type" = "MessageCard"
+    "@context" = "<http://schema.org/extensions>"
+    "summary" = "You have $($report.count) Inactive Devices which haven't have contatc in the last $inactiveDays"
+    "themeColor" = '0078D7'
+	"title" = "Inactive Devices ($($report.count))"
+    "text" = "<h1>Inactive Devices for $inactiveDays+ days</h1>
+    <pre>$($report | Format-Table DeviceName, LastSyncDateTime | Out-String)</pre>"
+} | ConvertTo-Json
+
+
+$parameters = @{
+	"URI" = $WebHookURL
+	"Method" = 'POST'
+	"Body" = $Message_Json
+	"ContentType" = 'application/json'
+}
+
+Invoke-RestMethod @parameters