From 19799ec0730dd57cea610b0a4b7088d4b33dfeaa Mon Sep 17 00:00:00 2001
From: Rakhesh Sasidharan
Date: Fri, 18 Oct 2024 13:29:04 +0100
Subject: [PATCH] README update + slight change to module

---
 Graph.EasyPIM/Graph.EasyPIM.psd1 | 8 +++-----
 Graph.EasyPIM/Graph.EasyPIM.psm1 | 14 ++++++++------
 README.md | 9 +++++++--
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/Graph.EasyPIM/Graph.EasyPIM.psd1 b/Graph.EasyPIM/Graph.EasyPIM.psd1
index 6319a4b..528d07f 100644
--- a/Graph.EasyPIM/Graph.EasyPIM.psd1
+++ b/Graph.EasyPIM/Graph.EasyPIM.psd1
@@ -12,7 +12,7 @@ RootModule = 'Graph.EasyPIM.psm1'
 # Version number of this module.
- ModuleVersion = '0.0.12'
+ ModuleVersion = '0.0.13'
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -118,7 +118,7 @@
 # IconUri = ''
 # ReleaseNotes of this module
- ReleaseNotes = 'Minor changes.'
+ ReleaseNotes = 'Changed the default justification. No other changes.'
 # Prerelease string of this module
 # Prerelease = ''
@@ -138,6 +138,4 @@
 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
 # DefaultCommandPrefix = ''
-}
-
-
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/Graph.EasyPIM/Graph.EasyPIM.psm1 b/Graph.EasyPIM/Graph.EasyPIM.psm1
index 66f494a..b497c10 100644
--- a/Graph.EasyPIM/Graph.EasyPIM.psm1
+++ b/Graph.EasyPIM/Graph.EasyPIM.psm1
@@ -61,10 +61,10 @@ function Enable-PIMRole {
 .DESCRIPTION
 Enable Entra ID PIM roles via an easy to use TUI (Text User Interface). Only supports enabling; not disabling. Use Disable-PIMRole to disable.
- If a role needs a reason/ justification you can either enter one, or press enter to go with a randomly generated 12 character string, or type something and end with * to use it for all the activations.
+ If a role needs a reason/ justification you can either enter one, or press enter to go with a default "need for work", or type something and end with * to use it for all the activations.
 .PARAMETER SkipJustification
- Optional. If specified, it sets the reason/ justifaction for activation to be a randomly generated 12 character string.
+ Optional. If specified, it sets the reason/ justifaction for activation to be a default "need for work".
 .PARAMETER Justification
 Optional. If specified, it sets the reason/ justifaction for activation to whatever is input.
@@ -269,7 +269,8 @@ function Enable-PIMRole {
 $roleDefinitionsCache = @{}
 # Random 12 lower case characters
- $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+ # $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+ $defaultJustification = "need for work"
 # I use these for showing progress
 [int]$counter = 0
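Review bot: The rewritten `.PARAMETER SkipJustification` line carries the pre-existing misspelling `justifaction` into the new text (`it sets the reason/ justifaction for activation to be a default "need for work"`); since the line is being rewritten anyway, correct it to `justification`. The same misspelling is repeated in the matching Enable-PIMGroup hunk at -1018 and in the unchanged `.PARAMETER Justification` context line just below. The phrase `a default "need for work"` also reads awkwardly; `the default justification "need for work"` would be clearer in both cmdlets' help. Enable-PIMRole's comment-based help and body continue outside the hunk.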
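Review bot: The context comment `# Random 12 lower case characters` above the change is now stale, since it describes the line the commit comments out rather than the fixed string that replaces it, and the commented-out `Get-Random` assignment is history the VCS already keeps. Replace the three lines with `# Default reason recorded on the activation when the user supplies none` and `$defaultJustification = "need for work"`. The identical literal is set again in the Enable-PIMGroup hunk at -1205; a single script-scoped constant would keep the two cmdlets from drifting. Since the help text says this value becomes the reason/justification on the activation, a generic phrase gives whoever reviews the PIM activation records no signal; if a tool-supplied default is kept, a value that at least identifies its origin (a constructed example: `"Activated via Graph.EasyPIM"`) would be more useful than `"need for work"`. The enclosing function body continues outside the hunk.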
@@ -1018,10 +1019,10 @@ function Enable-PIMGroup {
 .DESCRIPTION
 Enable Entra ID PIM groups via an easy to use TUI (Text User Interface). Only supports enabling; not disabling. Use Disable-PIMGroup to disable.
- If a group needs a reason/ justification you can either enter one, or press enter to go with a randomly generated 12 character string, or type something and end with * to use it for all the activations.
+ If a group needs a reason/ justification you can either enter one, or press enter to go with a default "need for work", or type something and end with * to use it for all the activations.
 .PARAMETER SkipJustification
- Optional. If specified, it sets the reason/ justifaction for activation to be a randomly generated 12 character string".
+ Optional. If specified, it sets the reason/ justifaction for activation to be a default "need for work".
 .PARAMETER Justification
 Optional. If specified, it sets the reason/ justifaction for activation to whatever is input.
@@ -1205,7 +1206,8 @@ function Enable-PIMGroup {
 Write-Host ""
 # Random 12 lower case characters
- $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+ # $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+ $defaultJustification = "need for work"
 # I use these for showing progress
 [int]$counter = 0
diff --git a/README.md b/README.md
index a6647af..bc7ca7c 100644
--- a/README.md
+++ b/README.md
@@ -21,10 +21,15 @@ Tested on Windows, macOS, and Linux with PowerShell 7.4. It currently has the fo
 - Faster than Entra ID portal in my opinion. There is an initial delay as it pulls all the info, but after that it's pretty fast.
 - It always activates the role or group for the maximum allowed duration.
 - When selecting roles or groups, if the role or group is already active (and it's been active for more than 5 mins) it will deactivate and activate the role or group. Very useful when you can see a role or group activation is going to expire soon!
-- You can skip offering a reason, either via the `-SkipJustification` switch or pressing `ENTER` when asked for one. This will generate a random 12 character string.
+- You can skip offering a reason, either via the `-SkipJustification` switch or pressing `ENTER` when asked for one. This will set the reason as "need for work".
 - You can provide a justification before hand via the `-Justification` switch, or by entering one when prompted and adding an asterisk `*` at the end. This will set the same justification for all other roles or groups enabled in that round.
 - The [Norton Commander](https://en.wikipedia.org/wiki/Norton_Commander)-ish TUI is a nice trip down memory lane. 🙂
+## Good to know
+- The first time you run one of these cmdlets it will open up a browser window to authenticate. But if you are already connected to Graph, this might not happen and the cmdlets may not work. Do a `Disconnect-MgGraph` and then try the cmdlets again.
+- The list of eligible PIM roles are cached for 30 mins. The list of eligible PIM groups are cached for 8 hours. The cmdlets can be run with the `-RefreshEligibleGroup` to force a refresh.
+- You might need to involve a Global Admin to do some consents on the `Microsoft Graph Command Line Tools` service principal. To do an admin consent on behalf of the organization, a Global Admin is required; but an Application Admin can do consent for themselves.
This URL should help (replace `{tenantId}`): `https://login.microsoftonline.com/{tenantId}}/v2.0/adminconsent?client_id=14d82eec-204b-4c2f-b7e8-296a70dab67e&scope=RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All RoleManagement.ReadWrite.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleAssignmentSchedule.Remove.Directory PrivilegedEligibilitySchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.ReadWrite.AzureADGroup RoleManagementPolicy.Read.AzureADGroup`
+
 ## Pre-requisite modules
 This modules depends upon the following.
@@ -61,4 +66,4 @@ Way faster than the Entra ID portal. And you can select more than 1 role at a go
 ## API reference
 - [PIM for Entra roles](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-1.0)
-- [PIM for Groups](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview?view=graph-rest-1.0).
\ No newline at end of file
+- [PIM for Groups](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview?view=graph-rest-1.0)
\ No newline at end of file