cqrenet/macOS_IntuneManagement
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Removed support for AzureRM

Browse Source 
Az module is required for Native Azure objects (Conditional access, Azure branding and MDM/MAM settings)
Fixed limit on Conditional Access objects
Remove properties before import (date etc.)
Added WIP policies
Added support for installing Intune module for user only
This commit is contained in:
Micke
2021-02-03 12:50:22 +11:00
parent bcc178ac99
commit b4c737dd6d
15 changed files with 340 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

196
Extensions/AzureNative.psm1
View File

@@ -1,6 +1,82 @@
#Requires -module Az.Accounts
function Invoke-InitializeModule
{
if(-not $global:AzToken)
{
# Only allow re-logging if it failed the first time
$global:AuthenticatedToAzure = $false
}
#!!! - Used for testing login
#Disconnect-AzAccount -Username admin@delematelab2.onmicrosoft.com
}
function Connect-AzureNative
{
<#
.SYNOPSIS
Tries to connect to Azure with existing token
Uses Connect-AZAccount if no token found in cache
#>
param($user)
Write-Log "Authenticate to Azure (Az module). Try from cache with user $user"
$Context = (Get-AzContext -ListAvailable | Where { $_.Account.Id -eq $user } | select -first 1)
if (-not $Context)
{
$user | Clip # Copy login id to clipboard
# Run Connect-AZAccount in a separate runspace or it will hang
$Runspace = [runspacefactory]::CreateRunspace()
$PowerShell = [powershell]::Create()
$PowerShell.Runspace = $Runspace
$Runspace.Open()
$PowerShell.AddScript({Connect-AZAccount})
$PowerShell.Invoke()
[System.Windows.Forms.Application]::DoEvents()
$Context = (Get-AzContext -ListAvailable | Where { $_.Account.Id -eq $user } | select -first 1)
}
$global:AzToken = ""
try
{
$Resource = '74658136-14ec-4630-ad9b-26e160ff0fc6'
$global:AzToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null, $Resource)
}
catch
{
Write-LogError "Failed to authenticate with Instance.AuthenticationFactory.Authenticate" $_.Exception
}
if(-not $global:AzToken)
{
Write-Log "Failed to authenticate" 3
}
else
{
Write-Log "Authenticated as $($global:AzToken.UserId)"
}
$global:AuthenticatedToAzure = $true
Set-MainTitle
}
# Invoke-AzureNativeRequest is based on the following project
# https://github.com/JustinGrote/Az.PortalAPI/tree/master/Az.PortalAPI
#
# Azure functions are based on: ???
#
# Some small changes:
# - Get-AzContext is based on the same user as Intune user
# - Renamed Invoke-Request to Invoke-AzureNativeRequest
# - Added support for HTTP Method PATCH
# - Added support for paging with nextLink (Lazy solution...not fully tested but looks like it is working)
# - Removed Token parameter. Created the Connect-AzureNative to get token
# - Removed Context parameter
function Invoke-AzureNativeRequest {
<#
.SYNOPSIS
@@ -19,7 +95,7 @@ function Invoke-AzureNativeRequest {
$Body,
#Specify the HTTP Method you wish to use. Defaults to GET
[ValidateSet("GET","POST","OPTIONS","DELETE", "PATCH", "PUT")]
[ValidateSet("GET","POST","OPTIONS","DELETE","PATCH")]
$Method = "GET",
#The base URI for the Portal API. Typically you don't need to change this
@@ -29,101 +105,76 @@ function Invoke-AzureNativeRequest {
#The request ID for the session. You can generate one with [guid]::NewGuid().guid.
#Typically you only specify this if you're trying to retry an operation and don't want to duplicate the request, such as for a POST operation
$requestID = [guid]::NewGuid().guid
$requestID = [guid]::NewGuid().guid,
[switch]$allowPaging
)
if(-not $global:AzToken -and $global:AuthenticatedToAzure -eq $false)
{
Connect-AzureNative $global:me.userPrincipalName
}
if(-not $global:AzToken)
{
return
}
#Combine the BaseURI and Target
[String]$ApiAction = $Target.TrimStart('/')
if ($Action)
{
if ($Action) {
$ApiAction = $ApiAction + '/' + $Action
}
if($global:tokresponse -and [DateTimeOffset]::Now.ToUnixTimeSeconds() -gt $global:tokresponse.expires_on)
$uriStr = "$baseURI$ApiAction"
if($allowPaging)
{
$global:tokresponse = $null
$uri = [Uri]::New("$uriStr&nextLink=null")
}
else
{
$uri = [Uri]::New($baseURI,$ApiAction)
}
$Context = Get-AzureRmContext
if(-not $context -or -not $global:tokresponse)
if(-not $global:AzToken.AccessToken.tostring())
{
if($Context)
{
if($global:Me -and $global:Organization)
{
$refreshToken = ($Context.TokenCache.ReadItems() | Where { $_.DisplayableId -eq $global:Me.userPrincipalName -and $_.TenantId -eq $global:Organization.Id }).RefreshToken
if($refreshToken -and $refreshToken.ExpiresOn -lt (Get-Date))
{
# Expired...force login
# $refreshToken = $null
}
}
}
if(-not $refreshToken)
{
$user = Connect-AzureRmAccount
if(-not $user) { return }
$Context = Get-AzureRmContext
if(-not $Context) { return }
}
}
#
if(-not $global:tokresponse)
{
$refreshToken = $null # Fore read again in case of login
if($global:Me -and $global:Organization)
{
$refreshToken = ($Context.TokenCache.ReadItems() | Where { $_.DisplayableId -eq $global:Me.userPrincipalName -and $_.TenantId -eq $global:Organization.Id }).RefreshToken
}
# Make sure we are using the same user as Intune login
if(-not $refreshToken)
{
[System.Windows.MessageBox]::Show("Failed to find login token for AzureRM", "Invalid AzureRM login!", "OK", "Error")
return $global:tokresponse
}
$curToken = $Context.TokenCache.ReadItems() | Where { $_.DisplayableId -eq $global:Me.userPrincipalName -and $_.TenantId -eq $global:Organization.Id }
$tenantid = $curToken.TenantId
$refreshToken = $curToken.RefreshToken
$loginUrl = "https://login.windows.net/$tenantid/oauth2/token"
$bodyTmp = "grant_type=refresh_token&refresh_token=$($refreshToken)" #&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$response = Invoke-RestMethod $loginUrl -Method POST -Body $bodyTmp -ContentType 'application/x-www-form-urlencoded'
$global:tokresponse = Invoke-RestMethod $loginUrl -Method POST -Body ($bodyTmp + "&resource=74658136-14ec-4630-ad9b-26e160ff0fc6")
if(-not $global:tokresponse) { return }
Write-Log "No access token available" 3
return
}
$InvokeRestMethodParams = @{
Uri = [Uri]::New($baseURI,$ApiAction)
Uri = $uri
Method = $Method
Header = [ordered]@{
Authorization = 'Bearer ' + $global:tokresponse.access_token
Authorization = 'Bearer ' + $global:AzToken.AccessToken.tostring()
'Content-Type' = 'application/json'
'x-ms-client-request-id' = $requestID
'Host' = $baseURI.Host
'Origin' = $requestOrigin
'Origin' = 'https://iam.hosting.portal.azure.net'
}
Body = $Body
}
try
$max = 100
$cur = 0
$retObj = Invoke-RestMethod @InvokeRestMethodParams
if(($retObj | GM -MemberType NoteProperty -Name "nextLink"))
{
Invoke-RestMethod @InvokeRestMethodParams
if($? -eq $false)
while($retObj.nextLink)
{
throw $global:error[0]
}
# Get more objects
$InvokeRestMethodParams["Uri"] = [Uri]::New($uriStr + "&nextLink=" + $retObj.nextLink)
$retObj = Invoke-RestMethod @InvokeRestMethodParams
if($cur -ge $max) { break }
$cur++ # Loop gets stuck if nextLink=null is added to the command line so make sure it doesn't hang forever
}
}
catch
{
Write-LogError "Failed to invoke Invoke-RestMethod for Azure" $_.Exception
}
$retObj
}
function Get-AzureNativeObjects
@@ -135,10 +186,11 @@ function Get-AzureNativeObjects
$property,
[Array]
$exclude,
$SortProperty = "")
$SortProperty = "",
[switch]$allowPaging)
$objects = @()
$nativeObjects =Invoke-AzureNativeRequest $Target
$nativeObjects = Invoke-AzureNativeRequest $Target -allowPaging:($allowPaging -eq $true)
if(($nativeObjects | GM -Name "items"))
{