Added PS script to add permissions to UAMI

alrios-ms · danielluo-msft · commit 33c5d3224bf7 · 2024-05-15T16:49:46.000-07:00
diff --git a/Deployment/Deploy-Resources.ps1 b/Deployment/Deploy-Resources.ps1
@@ -184,6 +184,10 @@ function Set-RBACPermissions {
 
     . ($ScriptsDirectory + '\Set-PostDeploymentRoles.ps1')
     Set-PostDeploymentRoles -SolutionAbbreviation $SolutionAbbreviation -EnvironmentAbbreviation $EnvironmentAbbreviation
+
+    . ($ScriptsDirectory + '\Set-UserManagedIdentityPermissions.ps1')
+    Set-UserManagedIdentityPermissions -SolutionAbbreviation $SolutionAbbreviation -EnvironmentAbbreviation $EnvironmentAbbreviation
+
 }
 
 function Set-DBMigrations {
diff --git a/Scripts/Install-MSGraphIfNeeded.ps1 b/Scripts/Install-MSGraphIfNeeded.ps1
@@ -0,0 +1,28 @@
+$ErrorActionPreference = "Stop"
+<#
+.SYNOPSIS
+Installs a module if it is needed.
+
+.DESCRIPTION
+Installs a module if it is needed.
+
+.EXAMPLE
+Install-MSGraphIfNeeded
+
+#>
+function Install-MSGraphIfNeeded {
+    [CmdletBinding()]
+    param(
+    [Parameter(Mandatory = $False)]
+    [string] $BaseScriptDirectory
+)
+
+$scriptsDirectory = (Split-Path $PSScriptRoot -Parent) + "\Scripts"
+
+if ($BaseScriptDirectory) {
+    $scriptsDirectory = $BaseScriptDirectory
+}
+
+. ($scriptsDirectory + '\Install-ModuleIfNeeded.ps1')
+Install-ModuleIfNeeded -Name Microsoft.Graph -Version "2.17.0" -Verbose
+}
diff --git a/Scripts/PostDeployment/Set-PostDeploymentRoles.ps1 b/Scripts/PostDeployment/Set-PostDeploymentRoles.ps1
@@ -33,7 +33,9 @@ function Set-PostDeploymentRoles {
         [Parameter(Mandatory = $False)]
 		[string] $DataResourceGroupName = $null,
         [Parameter(Mandatory = $False)]
-		[string] $ComputeResourceGroupName = $null
+		[string] $ComputeResourceGroupName = $null,
+        [Parameter(Mandatory = $False)]
+		[string] $SetUserAssignedManagedIdentityPermissions = $false
     )
 
     $scriptsDirectory = Split-Path $PSScriptRoot -Parent
@@ -68,4 +70,11 @@ function Set-PostDeploymentRoles {
                                        -ComputeResourceGroupName $ComputeResourceGroupName `
                                        -Verbose
 
+    if ($SetUserAssignedManagedIdentityPermissions) {
+        . ($scriptsDirectory + '\PostDeployment\Set-UserManagedIdentityPermissions.ps1')
+        Set-UserManagedIdentityPermissions	-SolutionAbbreviation $SolutionAbbreviation `
+                                            -EnvironmentAbbreviation $EnvironmentAbbreviation `
+                                            -Verbose
+    }
+
 }
diff --git a/Scripts/PostDeployment/Set-UserManagedIdentityPermissions.ps1 b/Scripts/PostDeployment/Set-UserManagedIdentityPermissions.ps1
@@ -0,0 +1,56 @@
+<#
+.SYNOPSIS
+Grants GraphAPI permissions to the User Assigned Managed Identity.
+
+.DESCRIPTION
+Grants GraphAPI permissions to the User Assigned Managed Identity.
+
+.PARAMETER SolutionAbbreviation
+The abbreviation for your solution.
+
+.PARAMETER EnvironmentAbbreviation
+A 2-6 character abbreviation for your environment.
+
+.EXAMPLE
+Set-UserManagedIdentityPermissions -SolutionAbbreviation "gmm" `
+								   -EnvironmentAbbreviation "<env>"
+#>
+
+function Set-UserManagedIdentityPermissions {
+	[CmdletBinding()]
+	param(
+		[Parameter(Mandatory = $True)]
+		[string] $SolutionAbbreviation,
+		[Parameter(Mandatory = $True)]
+		[string] $EnvironmentAbbreviation
+	)
+
+	Write-Host "Setting permissions for User Assigned Managed Identity"
+
+	$scriptsDirectory = Split-Path $PSScriptRoot -Parent
+
+	. ($scriptsDirectory + '\Install-MSGraphIfNeeded.ps1')
+	Install-MSGraphIfNeeded
+
+	# Connect to Microsoft Graph
+	Connect-MgGraph -Scopes "Directory.ReadWrite.All"
+
+	# Get the User Assigned Managed Identity and Graph Service Principal
+	$uamiName = "$SolutionAbbreviation-identity-$EnvironmentAbbreviation-Graph"
+	$uamiSPN = Get-MgServicePrincipal -Filter "displayName eq '$uamiName'"
+	$graphApiSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
+
+	$appRoles = @("GroupMember.Read.All", "Member.Read.Hidden", "User.Read.All")
+	foreach ($appRoleName in $appRoles) {
+
+		$appRole = $graphApiSPN.AppRoles | Where-Object { $_.Value -eq $appRoleName -and $_.AllowedMemberTypes -contains "Application" }
+
+		$bodyParam = @{
+			PrincipalId = $uamiSPN.Id
+			ResourceId  = $graphApiSPN.Id
+			AppRoleId   = $appRole.Id
+		}
+
+		New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $uamiSPN.Id -BodyParameter $bodyParam
+ }
+}

Original file line number	Diff line number	Diff line change
`@@ -184,6 +184,10 @@ function Set-RBACPermissions {`
`184`	`184`
`185`	`185`	`. ($ScriptsDirectory + '\Set-PostDeploymentRoles.ps1')`
`186`	`186`	`Set-PostDeploymentRoles -SolutionAbbreviation $SolutionAbbreviation -EnvironmentAbbreviation $EnvironmentAbbreviation`
	`187`	`+`
	`188`	`+ . ($ScriptsDirectory + '\Set-UserManagedIdentityPermissions.ps1')`
	`189`	`+ Set-UserManagedIdentityPermissions -SolutionAbbreviation $SolutionAbbreviation -EnvironmentAbbreviation $EnvironmentAbbreviation`
	`190`	`+`
`187`	`191`	`}`
`188`	`192`
`189`	`193`	`function Set-DBMigrations {`