public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
List<PSRoleDefinition> roleDefinitions = null;
try
{
roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignment.Properties.RoleDefinitionId) };
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
roleDefinitions = new List<PSRoleDefinition>();
}
else
{
throw;
}
}
IEnumerable<RoleAssignment> assignments = new List<RoleAssignment> { assignment };
return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals).SingleOrDefault();
}
public PSRoleDefinition CreateRoleDefinition(PSRoleDefinition roleDefinition)
{
AuthorizationClient.ValidateRoleDefinition(roleDefinition);
Guid newRoleDefinitionId = RoleDefinitionNames.Count == 0 ? Guid.NewGuid() : RoleDefinitionNames.Dequeue();
RoleDefinitionCreateOrUpdateParameters parameters = new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
Name = newRoleDefinitionId,
Properties = new RoleDefinitionProperties()
{
AssignableScopes = roleDefinition.AssignableScopes,
Description = roleDefinition.Description,
Permissions = new List <Permission>()
{
new Permission()
{
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions
}
},
RoleName = roleDefinition.Name,
Type = "CustomRole"
}
}
};
PSRoleDefinition roleDef = null;
try
{
roleDef = AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(newRoleDefinitionId, roleDefinition.AssignableScopes.First(), parameters).RoleDefinition.ToPSRoleDefinition();
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized && ce.Error.Code.Equals("TenantNotAllowed", StringComparison.InvariantCultureIgnoreCase))
{
throw new InvalidOperationException("The tenant is not currently authorized to create Custom role definition. Please refer to http://aka.ms/customrolespreview for more details");
}
throw;
}
return(roleDef);
}
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinitions, bool excludeAssignmentsForDeletedPrincipals = true)
{
List<PSRoleDefinition> roleDefinitions = null;
try
{
roleDefinitions = policyClient.GetAllRoleDefinitionsAtScopeAndBelow(scopeForRoleDefinitions);
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
roleDefinitions = new List<PSRoleDefinition>();
}
else
{
throw;
}
}
return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals);
}
public static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinitions, bool excludeAssignmentsForDeletedPrincipals = true)
{
List <PSRoleDefinition> roleDefinitions = null;
try
{
roleDefinitions = policyClient.GetAllRoleDefinitionsAtScopeAndBelow(scopeForRoleDefinitions);
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
roleDefinitions = new List <PSRoleDefinition>();
}
else
{
throw;
}
}
return(assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals));
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
List <PSRoleDefinition> roleDefinitions = null;
try
{
roleDefinitions = new List <PSRoleDefinition> {
policyClient.GetRoleDefinition(assignment.Properties.RoleDefinitionId)
};
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
roleDefinitions = new List <PSRoleDefinition>();
}
else
{
throw;
}
}
IEnumerable <RoleAssignment> assignments = new List <RoleAssignment> {
assignment
};
return(assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals).SingleOrDefault());
}
private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, List <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
List <PSRoleAssignment> psAssignments = new List <PSRoleAssignment>();
if (assignments == null || !assignments.Any())
{
return(psAssignments);
}
List <string> objectIds = new List <string>();
objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString()));
List <PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
foreach (RoleAssignment assignment in assignments)
{
assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();
Guid pid;
PSADObject adObject;
if (Guid.TryParse(assignment.Properties.PrincipalId, out pid))
{
adObject = adObjects.SingleOrDefault(o => o.Id == Guid.Parse(assignment.Properties.PrincipalId)) ??
new PSADObject()
{
Id = Guid.Parse(assignment.Properties.PrincipalId)
};
}
else
{
adObject = adObjects.SingleOrDefault(o => o.AdfsId == assignment.Properties.PrincipalId) ??
new PSADObject()
{
AdfsId = assignment.Properties.PrincipalId
};
}
PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ??
new PSRoleDefinition()
{
Id = assignment.Properties.RoleDefinitionId
};
if (adObject is PSADUser)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
SignInName = ((PSADUser)adObject).UserPrincipalName,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
ObjectType = adObject.Type
});
}
else if (adObject is PSADGroup)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
ObjectType = adObject.Type
});
}
else if (adObject is PSADServicePrincipal)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
ObjectType = adObject.Type
});
}
else if (!excludeAssignmentsForDeletedPrincipals)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
});
}
// Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
}
return(psAssignments);
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinition = null)
{
PSRoleDefinition roleDefinition = null;
PSADObject adObject = null;
// Get role definition name information by role definition ID
try
{
if (string.IsNullOrEmpty(scopeForRoleDefinition))
{
roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId);
}
else
{
roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId.GetGuidFromId(), scopeForRoleDefinition);
}
}
catch (CloudException ce) when(ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
}
// Get ab object
try
{
adObject = activeDirectoryClient.GetObjectByObjectId(assignment.PrincipalId);
}
catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe)
{
if (oe.IsAuthorizationDeniedException() || oe.IsNotFoundException())
{
adObject = new PSADObject()
{
Id = assignment.PrincipalId, Type = UnknownType
};
}
//Swallow exceptions when displaying active directive object
}
return(new PSRoleAssignment()
{
RoleAssignmentName = assignment.Name,
RoleAssignmentId = assignment.Id,
Scope = assignment.Scope,
DisplayName = adObject?.DisplayName,
SignInName = adObject is PSADUser user ? user.UserPrincipalName : null,
RoleDefinitionName = roleDefinition?.Name,
RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId(),
ObjectId = assignment.PrincipalId,
// Use information from adObject first, assignment.PrincipalType is a cached information
ObjectType = adObject?.Type ?? assignment.PrincipalType,
// CanDelegate's value is absent from RoleAssignment
// CanDelegate = null,
Description = assignment.Description,
ConditionVersion = assignment.ConditionVersion,
Condition = assignment.Condition
});
private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, IEnumerable <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
List <PSRoleAssignment> psAssignments = new List <PSRoleAssignment>();
if (assignments == null || !assignments.Any())
{
return(psAssignments);
}
List <string> objectIds = new List <string>();
objectIds.AddRange(assignments.Select(r => r.PrincipalId.ToString()));
objectIds = objectIds.Distinct().ToList();
List <PSADObject> adObjects = null;
try
{
adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
}
catch (CloudException ce) when(IsAuthorizationDeniedException(ce))
{
throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
}
foreach (RoleAssignment assignment in assignments)
{
assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();
PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId) ??
new PSADObject()
{
Id = assignment.PrincipalId
};
PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId) ??
new PSRoleDefinition()
{
Id = assignment.RoleDefinitionId
};
bool delegationFlag = assignment.CanDelegate.HasValue ? (bool)assignment.CanDelegate : false;
if (adObject is PSADUser)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
SignInName = ((PSADUser)adObject).UserPrincipalName,
ObjectId = adObject.Id,
ObjectType = adObject.Type,
CanDelegate = delegationFlag
});
}
else if (adObject is PSADGroup)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type,
CanDelegate = delegationFlag
});
}
else if (adObject is PSADServicePrincipal)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type,
CanDelegate = delegationFlag
});
}
else if (!excludeAssignmentsForDeletedPrincipals)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
ObjectId = adObject.Id,
CanDelegate = delegationFlag,
ObjectType = DeletedObject
});
}
// Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
}
return(psAssignments);
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
{
PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId);
PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions {
Id = role.Properties.PrincipalId.ToString()
}) ?? new PSADObject()
{
Id = role.Properties.PrincipalId
};
if (adObject is PSADUser)
{
return(new PSUserRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
UserPrincipalName = ((PSADUser)adObject).UserPrincipalName,
Mail = ((PSADUser)adObject).Mail,
ObjectId = adObject.Id
});
}
else if (adObject is PSADGroup)
{
return(new PSGroupRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
Mail = ((PSADGroup)adObject).Mail,
ObjectId = adObject.Id
});
}
else if (adObject is PSADServicePrincipal)
{
return(new PSServiceRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName,
ObjectId = adObject.Id
});
}
else
{
return(new PSRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ObjectId = adObject.Id
});
}
}
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
List<PSRoleAssignment> psAssignments = new List<PSRoleAssignment>();
if(assignments ==null || !assignments.Any())
{
return psAssignments;
}
List<string> objectIds = new List<string>();
objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString()));
List<PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
List<PSRoleDefinition> roleDefinitions;
if (assignments.Count() == 1)
{
roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignments.Single().Properties.RoleDefinitionId) };
}
else
{
roleDefinitions = policyClient.GetRoleDefinitions();
}
foreach (RoleAssignment assignment in assignments)
{
assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();
PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.Properties.PrincipalId) ?? new PSADObject() { Id = assignment.Properties.PrincipalId };
PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId };
if (adObject is PSADUser)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
SignInName = ((PSADUser)adObject).SignInName,
ObjectId = adObject.Id,
ObjectType = adObject.Type
});
}
else if (adObject is PSADGroup)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type
});
}
else if (adObject is PSADServicePrincipal)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type
});
}
else if (!excludeAssignmentsForDeletedPrincipals)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = adObject.Id,
});
}
// Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
}
return psAssignments;
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
{
PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId);
PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions { Id = role.Properties.PrincipalId.ToString() }) ?? new PSADObject() { Id = role.Properties.PrincipalId };
if (adObject is PSADUser)
{
return new PSUserRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
UserPrincipalName = ((PSADUser)adObject).UserPrincipalName,
Mail = ((PSADUser)adObject).Mail,
ObjectId = adObject.Id
};
}
else if (adObject is PSADGroup)
{
return new PSGroupRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
Mail = ((PSADGroup)adObject).Mail,
ObjectId = adObject.Id
};
}
else if (adObject is PSADServicePrincipal)
{
return new PSServiceRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName,
ObjectId = adObject.Id
};
}
else
{
return new PSRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ObjectId = adObject.Id
};
}
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinition = null)
{
PSRoleDefinition roleDefinition = null;
PSADObject adObject = null;
// Get role definition name information by role definition ID
try
{
if (string.IsNullOrEmpty(scopeForRoleDefinition))
{
roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId);
}
else
{
roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId.GetGuidFromId(), scopeForRoleDefinition);
}
}
catch (CloudException ce) when(ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
}
// Get ab object
try
{
adObject = activeDirectoryClient.GetObjectByObjectId(assignment.PrincipalId);
}
catch
{
//Swallow exceptions when displaying active directive object
}
return(new PSRoleAssignment()
{
RoleAssignmentName = assignment.Name,
RoleAssignmentId = assignment.Id,
Scope = assignment.Scope,
DisplayName = adObject?.DisplayName,
SignInName = adObject is PSADUser user ? user.UserPrincipalName : null,
RoleDefinitionName = roleDefinition?.Name,
RoleDefinitionId = assignment.RoleDefinitionId,
ObjectId = assignment.PrincipalId,
ObjectType = string.IsNullOrEmpty(assignment.PrincipalType) ? adObject?.Type ?? UnknownType : assignment.PrincipalType,
// CanDelegate's value is absent from RoleAssignment
// CanDelegate = null,
Description = assignment.Description,
ConditionVersion = assignment.ConditionVersion,
Condition = assignment.Condition
});
