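/// <summary>
/// Resolves an Azure AD object id to a human-readable label and a coarse object type.
/// </summary>
/// <param name="objectId">Object id of the directory object (user, service principal or group).</param>
/// <param name="adClient">Directory client used for the lookups; may be null.</param>
/// <returns>
/// A tuple of (label, object type). The label is the display name, suffixed with the user principal name
/// (users) or first service principal name (service principals) in parentheses when one is available.
/// When <paramref name="adClient"/> is null, the id is blank, the object is not found, or a lookup fails,
/// the label is empty and the type is "Unknown".
/// </returns>
public static (string, string) GetDetailsFromADObjectId(string objectId, ActiveDirectoryClient adClient)
        {
            var displayName = "";
            var upnOrSpn    = "";
            var objectType  = "Unknown";

            if (adClient == null || string.IsNullOrWhiteSpace(objectId))
            {
                return(displayName, objectType);
            }

            try
            {
                var obj = adClient.GetObjectsByObjectId(new List <string> {
                    objectId
                }).FirstOrDefault();

                // string.Equals tolerates a missing object or a null Type; obj.Type.Equals would throw.
                if (string.Equals(obj?.Type, "user", StringComparison.InvariantCultureIgnoreCase))
                {
                    // The type is known from the first lookup even if the detail lookup below comes back empty.
                    objectType = "User";
                    var user = adClient.FilterUsers(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    // The detail lookup is a second call and may legitimately return nothing; guard explicitly
                    // rather than relying on the catch below to hide a NullReferenceException.
                    if (user != null)
                    {
                        displayName = user.DisplayName;
                        upnOrSpn    = user.UserPrincipalName;
                    }
                }
                else if (string.Equals(obj?.Type, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
                {
                    objectType = "Service Principal";
                    var odataQuery       = new Rest.Azure.OData.ODataQuery <Graph.RBAC.Version1_6.Models.ServicePrincipal>(s => s.ObjectId == objectId);
                    var servicePrincipal = adClient.FilterServicePrincipals(odataQuery).FirstOrDefault();
                    if (servicePrincipal != null)
                    {
                        displayName = servicePrincipal.DisplayName;
                        upnOrSpn    = servicePrincipal.ServicePrincipalNames?.FirstOrDefault();
                    }
                }
                else if (string.Equals(obj?.Type, "group", StringComparison.InvariantCultureIgnoreCase))
                {
                    objectType = "Group";
                    var group = adClient.FilterGroups(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    if (group != null)
                    {
                        displayName = group.DisplayName;
                    }
                }
            }
            catch
            {
                // Best effort only: any failure (including a Graph authorization error) leaves the label
                // empty, so an empty label does not by itself mean the object no longer exists.
            }

            return(
                displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : ""),
                objectType
                );
        }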
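        /// <summary>
        /// Converts service-side deny assignments into their PowerShell projection, resolving the principals
        /// (and excluded principals) they reference against the directory in a single batched lookup.
        /// </summary>
        /// <param name="assignments">Deny assignments to convert; null or empty yields an empty list.</param>
        /// <param name="activeDirectoryClient">Directory client used to resolve principal object ids.</param>
        /// <param name="excludeAssignmentsForDeletedPrincipals">
        /// Passed through to the principal conversion; when true, principals that no longer resolve in the
        /// directory are left out of the result.
        /// </param>
        /// <returns>One <see cref="PSDenyAssignment"/> per input assignment, in input order.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="activeDirectoryClient"/> is null and there are assignments to convert.</exception>
        /// <exception cref="InvalidOperationException">The directory refused the lookup for lack of Graph permission.</exception>
        public static IEnumerable <PSDenyAssignment> ToPSDenyAssignments(this IEnumerable <DenyAssignment> assignments, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
        {
            var psAssignments = new List <PSDenyAssignment>();

            // Materialize once: the input is enumerated twice below and may be a deferred query.
            var assignmentList = assignments?.ToList();
            if (assignmentList == null || assignmentList.Count == 0)
            {
                return(psAssignments);
            }

            if (activeDirectoryClient == null)
            {
                throw new ArgumentNullException(nameof(activeDirectoryClient));
            }

            // Collect every principal id that is a non-empty GUID. Guid.TryParse (rather than Guid.Parse)
            // keeps one malformed id from aborting the whole conversion; an id that is not a GUID cannot
            // be resolved by object id anyway.
            var objectIds = new List <string>();
            foreach (var da in assignmentList)
            {
                objectIds.AddRange(da.Principals.Select(p => p.Id).Where(IsNonEmptyGuidId));
                objectIds.AddRange(da.ExcludePrincipals.Select(ep => ep.Id).Where(IsNonEmptyGuidId));
            }
            objectIds = objectIds.Distinct().ToList();

            List <PSADObject> adObjects = null;
            try
            {
                adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
            }
            catch (CloudException ce) when(IsAuthorizationDeniedException(ce))
            {
                // Surface the missing Graph permission explicitly instead of a generic cloud error.
                throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
            }

            foreach (var da in assignmentList)
            {
                var psda = new PSDenyAssignment()
                {
                    Id = da.Id.GuidFromFullyQualifiedId(),
                    DenyAssignmentName = da.DenyAssignmentName,
                    Description        = da.Description,
                    Actions            = new List <string>(da.Permissions.SelectMany(p => p.Actions)),
                    NotActions         = new List <string>(da.Permissions.SelectMany(p => p.NotActions)),
                    DataActions        = new List <string>(da.Permissions.SelectMany(p => p.DataActions)),
                    NotDataActions     = new List <string>(da.Permissions.SelectMany(p => p.NotDataActions)),
                    Scope = da.Scope,
                    // Nullable service flags default to "not set" = false.
                    DoNotApplyToChildScopes = da.DoNotApplyToChildScopes ?? false,
                    IsSystemProtected       = da.IsSystemProtected ?? false,
                };

                psda.Principals        = da.Principals.ToPSPrincipals(adObjects, excludeAssignmentsForDeletedPrincipals).ToList();
                psda.ExcludePrincipals = da.ExcludePrincipals.ToPSPrincipals(adObjects, excludeAssignmentsForDeletedPrincipals).ToList();

                psAssignments.Add(psda);
            }

            return(psAssignments);
        }

        /// <summary>True when <paramref name="id"/> parses as a GUID other than <see cref="Guid.Empty"/>.</summary>
        private static bool IsNonEmptyGuidId(string id)
        {
            Guid parsed;
            return Guid.TryParse(id, out parsed) && parsed != Guid.Empty;
        }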
        /// <summary>
        /// Checks whether <paramref name="objId"/> names an object that exists in the directory.
        /// </summary>
        /// <param name="objId">Directory object id to look up.</param>
        /// <returns>True when the id is non-blank and the directory returns at least one object for it.</returns>
        private bool ValidateObjectId(string objId)
        {
            // Blank ids are rejected without a round trip to the directory.
            if (string.IsNullOrWhiteSpace(objId))
            {
                return(false);
            }

            var lookup = new List <string> { objId };
            var found  = ActiveDirectoryClient.GetObjectsByObjectId(lookup);
            return(found.Any());
        }
        /// <summary>
        /// Checks whether <paramref name="objId"/> resolves to an existing directory object.
        /// </summary>
        /// <param name="objId">Directory object id to look up.</param>
        /// <returns>True when the id is non-blank and the directory returns at least one match.</returns>
        private bool ValidateObjectId(string objId)
        {
            // Blank ids never match, so skip the directory round trip.
            var hasId = !string.IsNullOrWhiteSpace(objId);
            if (!hasId)
            {
                return(false);
            }
// TODO: Remove IfDef
#if NETSTANDARD
            var matches = ActiveDirectoryClient.GetObjectsByObjectId(new List <string> { objId });
#else
            // Synchronous wait on the async client; kept to match existing behavior on this target.
            var matches = ActiveDirectoryClient.GetObjectsByObjectIdsAsync(new[] { objId }, new string[] { }).GetAwaiter().GetResult();
#endif
            return(matches.Any());
        }
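 /// <summary>
 /// Checks whether <paramref name="objId"/> resolves to an existing directory object.
 /// </summary>
 /// <param name="objId">Directory object id to look up.</param>
 /// <returns>True when the id is non-blank and the directory returns at least one match.</returns>
 /// <exception cref="Exception">Any failure of the directory lookup is rethrown after a warning is written.</exception>
 private bool ValidateObjectId(string objId)
 {
     if (string.IsNullOrWhiteSpace(objId))
     {
         return(false);
     }
     try
     {
         var objectCollection = ActiveDirectoryClient.GetObjectsByObjectId(new List <string> {
             objId
         });
         return(objectCollection.Any());
     }
     catch (Exception)
     {
         // Tell the operator the likely cause (missing Graph read permission) before propagating.
         // NOTE(review): this catches every exception type, so the warning can be misleading for failures
         // unrelated to permissions — confirm against the client's exception types before narrowing.
         // `throw;` preserves the original stack trace; `throw ex;` would have reset it.
         WriteWarning(Resources.ADGraphPermissionWarning);
         throw;
     }
 }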
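        /// <summary>
        /// Builds a human-readable label for a directory object: its display name, followed by the user
        /// principal name (users) or first service principal name (service principals) in parentheses.
        /// </summary>
        /// <param name="objectId">Object id of the user or service principal.</param>
        /// <param name="adClient">Directory client used for the lookups; may be null.</param>
        /// <returns>
        /// The label, or an empty string when <paramref name="adClient"/> is null, the id is blank, the object
        /// is neither a user nor a service principal, or any lookup fails.
        /// </returns>
        public static string GetDisplayNameForADObject(string objectId, ActiveDirectoryClient adClient)
        {
            string displayName = "";
            string upnOrSpn    = "";

            if (adClient == null || string.IsNullOrWhiteSpace(objectId))
            {
                return(displayName);
            }

            try
            {
                var obj = adClient.GetObjectsByObjectId(new List <string> {
                    objectId
                }).FirstOrDefault();

                // string.Equals tolerates a missing object or a null Type; obj.Type.Equals would throw.
                if (string.Equals(obj?.Type, "user", StringComparison.InvariantCultureIgnoreCase))
                {
                    var user = adClient.FilterUsers(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    // The detail lookup is a second call and may come back empty; guard explicitly rather
                    // than relying on the catch below to hide a NullReferenceException.
                    if (user != null)
                    {
                        displayName = user.DisplayName;
                        upnOrSpn    = user.UserPrincipalName;
                    }
                }
                else if (string.Equals(obj?.Type, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
                {
                    var servicePrincipal = adClient.FilterServicePrincipals(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    if (servicePrincipal != null)
                    {
                        displayName = servicePrincipal.DisplayName;
                        upnOrSpn    = servicePrincipal.ServicePrincipalNames?.FirstOrDefault();
                    }
                }
            }
            catch
            {
                // Best effort only: any failure (including a Graph authorization error) leaves the label
                // empty, so an empty label does not by itself mean the object no longer exists.
            }

            return(displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : ""));
        }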
        /// <summary>
        /// Checks whether <paramref name="objId"/> resolves to an existing directory object.
        /// </summary>
        /// <param name="objId">Directory object id to look up.</param>
        /// <returns>True when the id is non-blank and the directory returns at least one match.</returns>
        private bool ValidateObjectId(string objId)
        {
            // Blank ids never match, so skip the directory round trip.
            if (string.IsNullOrWhiteSpace(objId))
            {
                return(false);
            }

#if NETSTANDARD
            var matches = ActiveDirectoryClient.GetObjectsByObjectId(new List <string> { objId });
#else
            // Synchronous wait on the async client; kept to match existing behavior on this target.
            var matches = ActiveDirectoryClient.GetObjectsByObjectIdsAsync(new[] { objId }, new string[] { }).GetAwaiter().GetResult();
#endif
            return(matches.Any());
        }
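        /// <summary>
        /// Projects service-side role assignments into <see cref="PSRoleAssignment"/> objects, resolving each
        /// principal against the directory and each role definition against <paramref name="roleDefinitions"/>.
        /// </summary>
        /// <param name="assignments">Role assignments to convert; null or empty yields an empty list.</param>
        /// <param name="roleDefinitions">Known role definitions, matched on id to fill in the role name.</param>
        /// <param name="policyClient">Not used by this method; retained for signature compatibility.</param>
        /// <param name="activeDirectoryClient">Directory client used for the batched principal lookup.</param>
        /// <param name="excludeAssignmentsForDeletedPrincipals">
        /// When true, assignments whose principal cannot be resolved in the directory are dropped from the
        /// result; when false they are kept (with no ObjectType) so the orphaned assignment stays visible.
        /// </param>
        /// <returns>The converted assignments in input order.</returns>
        /// <remarks>
        /// Side effect: each input assignment's RoleDefinitionId is rewritten to its bare GUID form, as before.
        /// </remarks>
        private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, List <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
        {
            List <PSRoleAssignment> psAssignments = new List <PSRoleAssignment>();

            // Materialize once: the input is enumerated several times and may be a deferred query.
            List <RoleAssignment> assignmentList = assignments?.ToList();
            if (assignmentList == null || assignmentList.Count == 0)
            {
                return(psAssignments);
            }

            // One batched directory call for all principals. De-duplicating the ids keeps a repeated
            // principal from producing duplicate directory objects, which would make SingleOrDefault throw.
            List <string> objectIds = assignmentList.Select(r => r.Properties.PrincipalId.ToString()).Distinct().ToList();
            List <PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);

            foreach (RoleAssignment assignment in assignmentList)
            {
                assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();
                string principalId = assignment.Properties.PrincipalId;

                // Principal ids are GUIDs for AAD objects and opaque strings for ADFS objects; match on whichever
                // applies. A principal the directory did not return becomes a bare placeholder carrying only its
                // id, which the type checks below treat as deleted.
                Guid       pid;
                PSADObject adObject;
                if (Guid.TryParse(principalId, out pid))
                {
                    adObject = adObjects.SingleOrDefault(o => o.Id == pid) ??
                               new PSADObject()
                    {
                        Id = pid
                    };
                }
                else
                {
                    adObject = adObjects.SingleOrDefault(o => o.AdfsId == principalId) ??
                               new PSADObject()
                    {
                        AdfsId = principalId
                    };
                }
                PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ??
                                                  new PSRoleDefinition()
                {
                    Id = assignment.Properties.RoleDefinitionId
                };

                bool isKnownPrincipal = adObject is PSADUser || adObject is PSADGroup || adObject is PSADServicePrincipal;
                if (!isKnownPrincipal && excludeAssignmentsForDeletedPrincipals)
                {
                    // Principal no longer exists in the directory and the caller asked to hide such assignments.
                    continue;
                }

                // Fields shared by every principal kind; the ADFS id is reported when present, else the GUID.
                PSRoleAssignment psAssignment = new PSRoleAssignment()
                {
                    RoleAssignmentId   = assignment.Id,
                    DisplayName        = adObject.DisplayName,
                    RoleDefinitionId   = roleDefinition.Id,
                    RoleDefinitionName = roleDefinition.Name,
                    Scope    = assignment.Properties.Scope,
                    ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
                };
                if (isKnownPrincipal)
                {
                    psAssignment.ObjectType = adObject.Type;
                }
                if (adObject is PSADUser)
                {
                    psAssignment.SignInName = ((PSADUser)adObject).UserPrincipalName;
                }

                psAssignments.Add(psAssignment);
            }

            return(psAssignments);
        }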
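        /// <summary>
        /// Projects service-side role assignments into <see cref="PSRoleAssignment"/> objects, resolving each
        /// principal against the directory and each role definition against <paramref name="roleDefinitions"/>.
        /// </summary>
        /// <param name="assignments">Role assignments to convert; null or empty yields an empty list.</param>
        /// <param name="roleDefinitions">Known role definitions, matched on id to fill in the role name.</param>
        /// <param name="policyClient">Not used by this method; retained for signature compatibility.</param>
        /// <param name="activeDirectoryClient">Directory client used for the batched principal lookup.</param>
        /// <param name="excludeAssignmentsForDeletedPrincipals">
        /// When true, assignments whose principal cannot be resolved in the directory are dropped from the
        /// result; when false they are kept with ObjectType set to DeletedObject so the orphan stays visible.
        /// </param>
        /// <returns>The converted assignments in input order.</returns>
        /// <exception cref="InvalidOperationException">The directory refused the lookup for lack of Graph permission.</exception>
        /// <remarks>
        /// Side effect: each input assignment's RoleDefinitionId is rewritten to its bare GUID form, as before.
        /// </remarks>
        private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, IEnumerable <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
        {
            List <PSRoleAssignment> psAssignments = new List <PSRoleAssignment>();

            // Materialize once: the input is enumerated several times and may be a deferred query.
            List <RoleAssignment> assignmentList = assignments?.ToList();
            if (assignmentList == null || assignmentList.Count == 0)
            {
                return(psAssignments);
            }

            // One batched directory call for all distinct principals.
            List <string> objectIds = assignmentList.Select(r => r.PrincipalId.ToString()).Distinct().ToList();
            List <PSADObject> adObjects = null;

            try
            {
                adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
            }
            catch (CloudException ce) when(IsAuthorizationDeniedException(ce))
            {
                // Surface the missing Graph permission explicitly instead of a generic cloud error.
                throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
            }

            foreach (RoleAssignment assignment in assignmentList)
            {
                assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();

                // A principal the directory did not return becomes a bare placeholder carrying only its id,
                // which the type checks below treat as deleted.
                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId) ??
                                      new PSADObject()
                {
                    Id = assignment.PrincipalId
                };
                PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId) ??
                                                  new PSRoleDefinition()
                {
                    Id = assignment.RoleDefinitionId
                };
                // Nullable service flag defaults to "not set" = false.
                bool delegationFlag = assignment.CanDelegate ?? false;

                bool isKnownPrincipal = adObject is PSADUser || adObject is PSADGroup || adObject is PSADServicePrincipal;
                if (!isKnownPrincipal && excludeAssignmentsForDeletedPrincipals)
                {
                    // Principal no longer exists in the directory and the caller asked to hide such assignments.
                    continue;
                }

                PSRoleAssignment psAssignment = new PSRoleAssignment()
                {
                    RoleAssignmentId   = assignment.Id,
                    DisplayName        = adObject.DisplayName,
                    RoleDefinitionId   = roleDefinition.Id,
                    RoleDefinitionName = roleDefinition.Name,
                    Scope       = assignment.Scope,
                    ObjectId    = adObject.Id,
                    CanDelegate = delegationFlag,
                    // Orphaned assignments are labelled explicitly so they are not mistaken for live principals.
                    ObjectType  = isKnownPrincipal ? adObject.Type : DeletedObject
                };
                if (adObject is PSADUser)
                {
                    psAssignment.SignInName = ((PSADUser)adObject).UserPrincipalName;
                }

                psAssignments.Add(psAssignment);
            }

            return(psAssignments);
        }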
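        /// <summary>
        /// Builds a human-readable label for a directory object: its display name, followed by a secondary
        /// identifier in parentheses (user principal name, first service principal name, or — on the
        /// non-NETSTANDARD target only — the group's mail nickname).
        /// </summary>
        /// <param name="objectId">Object id of the user, service principal or group.</param>
        /// <param name="adClient">Directory client used for the lookups; may be null.</param>
        /// <returns>
        /// The label, or an empty string when <paramref name="adClient"/> is null, the id is blank, the object
        /// type is not recognised, or any lookup fails.
        /// </returns>
        public static string GetDisplayNameForADObject(string objectId, ActiveDirectoryClient adClient)
        {
            string displayName = "";
            string upnOrSpn    = "";

            if (adClient == null || string.IsNullOrWhiteSpace(objectId))
            {
                return(displayName);
            }

            try
            {
#if NETSTANDARD
                var obj = adClient.GetObjectsByObjectId(new List <string> {
                    objectId
                }).FirstOrDefault();

                // string.Equals tolerates a missing object or a null Type; obj.Type.Equals would throw.
                if (string.Equals(obj?.Type, "user", StringComparison.InvariantCultureIgnoreCase))
                {
                    var user = adClient.FilterUsers(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    // The detail lookup is a second call and may come back empty; guard explicitly rather
                    // than relying on the catch below to hide a NullReferenceException.
                    if (user != null)
                    {
                        displayName = user.DisplayName;
                        upnOrSpn    = user.UserPrincipalName;
                    }
                }
                else if (string.Equals(obj?.Type, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
                {
                    var servicePrincipal = adClient.FilterServicePrincipals(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    if (servicePrincipal != null)
                    {
                        displayName = servicePrincipal.DisplayName;
                        upnOrSpn    = servicePrincipal.ServicePrincipalNames?.FirstOrDefault();
                    }
                }
                else if (string.Equals(obj?.Type, "group", StringComparison.InvariantCultureIgnoreCase))
                {
                    var group = adClient.FilterGroups(new ADObjectFilterOptions {
                        Id = objectId
                    }).FirstOrDefault();
                    if (group != null)
                    {
                        displayName = group.DisplayName;
                    }
                }
#else
                // Synchronous waits on the async client are kept to match existing behavior on this target.
                var obj = adClient.GetObjectsByObjectIdsAsync(new[] { objectId }, new string[] { }).GetAwaiter().GetResult().FirstOrDefault();

                if (string.Equals(obj?.ObjectType, "user", StringComparison.InvariantCultureIgnoreCase))
                {
                    var user = adClient.Users.GetByObjectId(objectId).ExecuteAsync().GetAwaiter().GetResult();
                    if (user != null)
                    {
                        displayName = user.DisplayName;
                        upnOrSpn    = user.UserPrincipalName;
                    }
                }
                else if (string.Equals(obj?.ObjectType, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
                {
                    var servicePrincipal = adClient.ServicePrincipals.GetByObjectId(objectId).ExecuteAsync().GetAwaiter().GetResult();
                    if (servicePrincipal != null)
                    {
                        displayName = servicePrincipal.AppDisplayName;
                        upnOrSpn    = servicePrincipal.ServicePrincipalNames?.FirstOrDefault();
                    }
                }
                else if (string.Equals(obj?.ObjectType, "group", StringComparison.InvariantCultureIgnoreCase))
                {
                    var group = adClient.Groups.GetByObjectId(objectId).ExecuteAsync().GetAwaiter().GetResult();
                    if (group != null)
                    {
                        displayName = group.DisplayName;
                        upnOrSpn    = group.MailNickname;
                    }
                }
#endif
            }
            catch
            {
                // Best effort only: any failure (including a Graph authorization error) leaves the label
                // empty, so an empty label does not by itself mean the object no longer exists.
            }

            return(displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : ""));
        }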