diff --git a/Automations/AZ Automation with Managed Identity/MgId_Authentificatin.ps1 b/Automations/AZ Automation with Managed Identity/MgId_Authentificatin.ps1
new file mode 100644
index 0000000..930ec7e
--- /dev/null
+++ b/Automations/AZ Automation with Managed Identity/MgId_Authentificatin.ps1
@@ -0,0 +1,11 @@
+try {
+ # Logging in to Azure.
+ Connect-AzAccount -Identity
+
+ # Get token and connect to MgGraph
+ Connect-MgGraph -AccessToken ((Get-AzAccessToken -ResourceTypeName MSGraph).token)
+} catch {
+ Write-Error -Message $_.Exception
+ throw $_.Exception
+}
+
diff --git a/Automations/AZ Automation with Managed Identity/MgId_addPermissions.ps1 b/Automations/AZ Automation with Managed Identity/MgId_addPermissions.ps1
new file mode 100644
index 0000000..d641e4d
--- /dev/null
+++ b/Automations/AZ Automation with Managed Identity/MgId_addPermissions.ps1
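Review bot: `Connect-MgGraph -AccessToken ((Get-AzAccessToken -ResourceTypeName MSGraph).token)` hands the token over as a plain string, which only works on older module versions: current Microsoft.Graph (2.x) takes `-AccessToken` as a SecureString and newer Az.Accounts releases return the token as a SecureString by default, so this runbook breaks as soon as the automation account's modules are updated. The third script in this commit already uses `Connect-MgGraph -Identity`, which lets the Graph SDK fetch the managed-identity token itself; using it here too, `Connect-MgGraph -Identity -NoWelcome`, removes both the Az.Accounts dependency and the version coupling. If the token-handoff form is kept, convert explicitly, `Connect-MgGraph -AccessToken (ConvertTo-SecureString $token -AsPlainText -Force)`, and note that the session then carries a fixed-lifetime token that is not refreshed, which matters for long-running runbooks. In the catch block `Write-Error` followed by `throw` reports the same exception twice; `throw` alone is enough to fail the job.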
@@ -0,0 +1,41 @@
+# Install Microft Graph Module
+Install-Module Microsoft.Graph -Scope CurrentUser
+
+
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All,RoleManagement.ReadWrite.Directory"
+
+# Select beta profile
+Select-MgProfile Beta
+
+
+# Change this to your Managed Identity app name:
+$managedIdentityName = "scloud"
+$managedIdentityId = (Get-MgServicePrincipal -Filter "displayName eq $managedIdentityName").id
+
+
+# Adding Microsoft Graph permissions
+$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
+
+# Add the required Graph scopes
+$graphScopes = @(
+ 'UserAuthenticationMethod.Read.All',
+ 'Group.ReadWrite.All',
+ 'Directory.Read.All',
+ 'User.ReadWrite.All'
+)
+ForEach($scope in $graphScopes){
+ $appRole = $graphApp.AppRoles | Where-Object {$_.Value -eq $scope}
+
+ if ($null -eq $appRole) { Write-Warning "Unable to find App Role for scope $scope"; continue; }
+
+ # Check if permissions isn't already assigned
+ $assignedAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId | Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceDisplayName -eq "Microsoft Graph" }
+
+ if ($null -eq $assignedAppRole) {
+ New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedIdentityId -ServicePrincipalId $managedIdentityId -ResourceId $graphApp.Id -AppRoleId $appRole.Id
+ }else{
+ write-host "Scope $scope already assigned"
+ }
+}
+
diff --git a/Automations/AZ Automation with Managed Identity/MgId_getOldDevices.ps1 b/Automations/AZ Automation with Managed Identity/MgId_getOldDevices.ps1
new file mode 100644
index 0000000..1ffec76
--- /dev/null
+++ b/Automations/AZ Automation with Managed Identity/MgId_getOldDevices.ps1
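Review bot: The lookup `Get-MgServicePrincipal -Filter "displayName eq $managedIdentityName"` is missing the OData string quotes, so the filter is sent as `displayName eq scloud` and Graph rejects it; it should read `-Filter "displayName eq '$managedIdentityName'"`, and because display names are not unique the result should be checked to be exactly one object before its `.id` is used as the principal that receives app roles. The `-Scopes` argument also bundles `AppRoleAssignment.ReadWrite.All,RoleManagement.ReadWrite.Directory` into a single string; they must be separate elements, and `RoleManagement.ReadWrite.Directory` is not needed to create app-role assignments, so the admin session should request only `-Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All"`. Finally, the roles this grants (`Group.ReadWrite.All`, `User.ReadWrite.All`, `Directory.Read.All`, `UserAuthenticationMethod.Read.All`) are tenant-wide application permissions, while the only runbook in this commit needs `DeviceManagementManagedDevices.Read.All`, which is not in the list; anyone who can edit runbooks in this automation account inherits whatever the managed identity holds, so `$graphScopes` should be trimmed to what the runbooks actually call.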
@@ -0,0 +1,61 @@
+# Conenction with Managed Identity
+Connect-MgGraph -Identity
+
+Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
+
+# Define device age to include
+$inactiveDays = "180"
+
+# Construct the Graph API request URI
+$graphUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices"
+$filter = "lastSyncDateTime le $((Get-Date).AddDays(-$inactiveDays).ToString('yyyy-MM-ddTHH:mm:ssZ'))"
+$uri = "$($graphUri)?`$filter=$filter"
+$Method = "GET"
+
+# Send the request and retrieve the devices
+$response = Invoke-MgGraphRequest -Method $Method -uri $uri
+
+# Create a report variable
+$report = @()
+
+# Build the report
+foreach ($device in $response.value) {
+ $deviceName = $device.deviceName
+ $lastSyncDateTime = $device.lastSyncDateTime
+ $deviceInfo = [PSCustomObject]@{
+ DeviceName = $deviceName
+ LastSyncDateTime = $lastSyncDateTime
+ }
+ $report += $deviceInfo
+}
+
+# Output the report
+$report
+
+
+###############################################################################
+
+# YOUR Webhook URL
+$WebHookURL = "https://xxxx.webhook.office.com/someID..."
+
+
+# Message JSON
+$Message_Json = [PSCustomObject][Ordered]@{
+ "@type" = "MessageCard"
+ "@context" = ""
+ "summary" = "You have $($report.count) Inactive Devices which haven't have contatc in the last $inactiveDays"
+ "themeColor" = '0078D7'
+ "title" = "Inactive Devices ($($report.count))"
+ "text" = "

Inactive Devices for $inactiveDays+ days

+
$($report | Format-Table DeviceName, LastSyncDateTime | Out-String)
"
+} | ConvertTo-Json
+
+
+$parameters = @{
+ "URI" = $WebHookURL
+ "Method" = 'POST'
+ "Body" = $Message_Json
+ "ContentType" = 'application/json'
+}
+
+Invoke-RestMethod @parameters
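Review bot: The second login, `Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"` right after `Connect-MgGraph -Identity`, starts an interactive delegated sign-in that cannot complete inside an Automation runbook and, where it could, would replace the managed-identity session; it should be removed and the permission granted to the managed identity as an application role instead (the companion MgId_addPermissions.ps1 in this commit is the place for that, though its list does not currently contain this role). The fetch also reads only `$response.value` and never follows `@odata.nextLink`, so once Graph pages the result the report and the Teams card are silently truncated to the first page. The webhook URL is a capability secret (anyone holding it can post to the channel), so rather than a literal in the runbook source it should come from an encrypted Automation variable, e.g. `$WebHookURL = Get-AutomationVariable -Name 'TeamsWebhookUrl'`. The rewritten fetch below replaces the single `Invoke-MgGraphRequest` call; the report loop then iterates `$devices` instead of `$response.value`.

```powershell
# Connection with Managed Identity; DeviceManagementManagedDevices.Read.All must be
# assigned to the identity as an application role (no interactive -Scopes login here)
Connect-MgGraph -Identity

# … unchanged: $inactiveDays, $graphUri, $filter, $uri, $Method …

# Send the request and follow @odata.nextLink so every page of devices is included
$devices = @()
do {
    $response = Invoke-MgGraphRequest -Method $Method -Uri $uri
    $devices += $response.value
    $uri = $response.'@odata.nextLink'
} while ($uri)

# … unchanged: report building (iterate $devices), output, webhook post …
```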