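// This bicep deploys the Entra ID roles for the ADXFlowmaster UMI:
//   1. the Exchange Online app role assignment on the UMI's service principal
//   2. the Exchange Administrator directory role on the UMI
// Both are applied by deployment scripts that connect to Microsoft Graph with an SPN client secret.
// Scope
targetScope = 'resourceGroup'
// Variables
// Tenant of the deployment context; the Graph sessions in the scripts are bound to it explicitly.
var tenantid = tenant().tenantId
// Parameters
@description('Azure region for the deployment script resources.')
param location string
@description('Resource ID of the user-assigned managed identity the deployment scripts run as (used as the userAssignedIdentities key).')
param umirid string
@description('Display name of the user-assigned managed identity that receives the Exchange roles. Display names are not unique in Entra ID; the scripts fail if the name is ambiguous.')
param uminame string
@description('Application (client) ID of the service principal used as the credential user name for Connect-MgGraph.')
param spnid string
@description('Client secret of that service principal. NOTE(review): only needed because the scripts authenticate to Graph with an SPN instead of the UMI; it is handed to the scripts as a secure environment variable, never on the command line.')
@secure()
param spnsecret string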
//Resources
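// Grants the UMI's service principal the Exchange Online app role so it can call Exchange as an application.
// The UMI attached below is what the deployment script container logs into Az with (it backs the
// Get-AzADServicePrincipal lookup); the Graph session itself uses the SPN client secret.
// NOTE(review): if the UMI were granted the required Graph app roles, the scripts could use
// `Connect-MgGraph -Identity -ClientId` and the SPN secret could be removed entirely — confirm feasibility.
resource entraidexchangescript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'deployscript-ADXFlowmaster-exchange'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${umirid}': {}
    }
  }
  properties: {
    azPowerShellVersion: '12.3.0'
    retentionInterval: 'P1D'
    // The client secret is passed as a secure environment variable instead of in `arguments`:
    // `arguments` is stored in clear text on the deployment script resource and in the deployment
    // history (and retained for retentionInterval), whereas secureValue is not returned by the API.
    environmentVariables: [
      {
        name: 'SPNSECRET'
        secureValue: spnsecret
      }
    ]
    scriptContent: '''
      param(
        [Parameter(Mandatory=$true)]
        [string]$uminame,
        [Parameter(Mandatory=$true)]
        [string]$spnid,
        [Parameter(Mandatory=$true)]
        [string]$tenantid
      )
      # Fail the deployment on the first error instead of continuing with a $null principal id.
      $ErrorActionPreference = 'Stop'
      $spnsecret = $env:SPNSECRET
      if ([string]::IsNullOrEmpty($spnsecret)) {
        throw 'SPNSECRET environment variable is not set.'
      }
      # TODO(review): pin with -RequiredVersion so the deployment does not pull an unpinned build
      # from the PowerShell Gallery at run time (supply-chain exposure).
      Install-Module -Name "Microsoft.Graph" -Force
      $SecuredPassword = ConvertTo-SecureString -String $spnsecret -AsPlainText -Force
      $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $spnid, $SecuredPassword
      Connect-MgGraph -TenantId $tenantid -Credential $ClientSecretCredential -NoWelcome
      # Display names are not unique in Entra ID: refuse to proceed unless exactly one service
      # principal matches, so the app role cannot be granted to a look-alike principal.
      $MI = @(Get-AzADServicePrincipal -DisplayName $uminame)
      if ($MI.Count -ne 1) {
        throw "Expected exactly one service principal named '$uminame', found $($MI.Count)."
      }
      $MIID = $MI[0].Id
      # App role on the Office 365 Exchange Online service principal (appId 00000002-0000-0ff1-ce00-000000000000).
      # NOTE(review): this id is the well-known Exchange.ManageAsApp role — confirm against the tenant's
      # service principal before relying on that reading.
      $AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
      $ExoSp = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
      if (-not $ExoSp) {
        throw 'Office 365 Exchange Online service principal was not found in this tenant.'
      }
      $ResourceID = $ExoSp.Id
      # Make redeployments idempotent: New-MgServicePrincipalAppRoleAssignment fails if the assignment exists.
      $Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MIID |
        Where-Object { $_.AppRoleId -eq $AppRoleID -and $_.ResourceId -eq $ResourceID }
      if ($Existing) {
        Write-Output "App role assignment already present for $uminame; nothing to do."
      } else {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MIID -PrincipalId $MIID -AppRoleId $AppRoleID -ResourceId $ResourceID
      }
    '''
    arguments: '-uminame ${uminame} -spnid ${spnid} -tenantId ${tenantid}'
  }
}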
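// Assigns the Exchange Administrator directory role to the UMI at directory scope "/".
// SECURITY NOTE: "/" makes this a tenant-wide privileged role; together with the Exchange app role
// from the first script, any workload that can obtain a token for this UMI can administer every mailbox.
// NOTE(review): consider an administrative-unit scope or a PIM-eligible assignment if the workload
// allows it — confirm the actual requirement.
resource entraidexchangeadminscript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'deployscript-ADXFlowmaster-exchangeadmin'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${umirid}': {}
    }
  }
  properties: {
    azPowerShellVersion: '12.3.0'
    retentionInterval: 'P1D'
    // The client secret is passed as a secure environment variable instead of in `arguments`:
    // `arguments` is stored in clear text on the deployment script resource and in the deployment
    // history (and retained for retentionInterval), whereas secureValue is not returned by the API.
    environmentVariables: [
      {
        name: 'SPNSECRET'
        secureValue: spnsecret
      }
    ]
    scriptContent: '''
      param(
        [Parameter(Mandatory=$true)]
        [string]$uminame,
        [Parameter(Mandatory=$true)]
        [string]$spnid,
        [Parameter(Mandatory=$true)]
        [string]$tenantid
      )
      # Fail the deployment on the first error instead of continuing with a $null principal or role id.
      $ErrorActionPreference = 'Stop'
      $spnsecret = $env:SPNSECRET
      if ([string]::IsNullOrEmpty($spnsecret)) {
        throw 'SPNSECRET environment variable is not set.'
      }
      # TODO(review): pin with -RequiredVersion so the deployment does not pull an unpinned build
      # from the PowerShell Gallery at run time (supply-chain exposure).
      Install-Module -Name "Microsoft.Graph" -Force
      $SecuredPassword = ConvertTo-SecureString -String $spnsecret -AsPlainText -Force
      $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $spnid, $SecuredPassword
      Connect-MgGraph -TenantId $tenantid -Credential $ClientSecretCredential -NoWelcome
      $RoleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Exchange Administrator'"
      if (-not $RoleDef) {
        throw 'Exchange Administrator role definition was not found in this tenant.'
      }
      $RoleID = $RoleDef.Id
      # Display names are not unique in Entra ID: refuse to proceed unless exactly one service
      # principal matches, so the directory role cannot be granted to a look-alike principal.
      $MI = @(Get-AzADServicePrincipal -DisplayName $uminame)
      if ($MI.Count -ne 1) {
        throw "Expected exactly one service principal named '$uminame', found $($MI.Count)."
      }
      $MIID = $MI[0].Id
      # Make redeployments idempotent: New-MgRoleManagementDirectoryRoleAssignment fails if the assignment exists.
      $Existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$MIID' and roleDefinitionId eq '$RoleID'"
      if ($Existing) {
        Write-Output "Exchange Administrator already assigned to $uminame; nothing to do."
      } else {
        New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $MIID -RoleDefinitionId $RoleID -DirectoryScopeId "/"
      }
    '''
    arguments: '-uminame ${uminame} -spnid ${spnid} -tenantId ${tenantid}'
  }
  // Serialised after the app-role script so both Graph operations on the UMI run in a fixed order.
  dependsOn: [
    entraidexchangescript
  ]
}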