Find-MgGraphPermission #809
Conversation
FehintolaObafemi
requested review from
ddyett,
georgend,
peombwa and
shemogumbe
as code owners
|
@peombwa , I can't find a log of the Pester test runs in the repository -- do you have a pointer to this? |
@adamedx, the Pester test run results can be found here. @georgend, would you know why Invoke-MgGraphRequest tests a failing here? @FehintolaObafemi, you can ignore the failing |
Thanks @peombwa -- it seems I don't have permission to see the test results, even though I'm signed in to Azure DevOps. Any way to fix that? If not, can you validate that the tests we added are indeed running? The unit test file is linked in the PR description. |
| @@ -26,6 +26,7 @@ $app3 = New-MgApplication -displayName "ImplicitWebApp" ` | |||
| } | |||
|
|
|||
| # Create an registration for an ASP.NET Web App | |||
| $scopeId_UserRead = Find-MgGraphPermission User.Read -ExactMatch -PermissionType Delegated | Select-Object -ExpandProperty Id | |||
There was a problem hiding this comment.
@peombwa you'll want to sign off on having the sample changed to use the new command.
There was a problem hiding this comment.
This looks good! This is a good example of how Find-MgGraphPermission can be used to aid in scope discovery.
| $GroupReadAll = @{ Id = "5b567255-7703-4780-807c-7be8301ae99b"; Type = "Role" } | ||
| $MailboxSettingsRead = @{ Id = "40f97065-369a-49f4-947c-6a255697ae91"; Type = "Role" } | ||
| $MailSend = @{ Id = "b633e1c5-b582-4048-a93e-9f11b44c7e96"; Type = "Role" } | ||
| # Show friendly Graph permission names given their unique identifiers |
There was a problem hiding this comment.
Another big change to the sample @peombwa
| @@ -6,6 +6,9 @@ Connect-Graph | |||
| # Try to Get-User | |||
| Get-MgUser | |||
|
|
|||
| # Search for delegated permissions related to sites | |||
There was a problem hiding this comment.
@peombwa goal here is to show you can use the new command to find permissions, and also to get to the permissions reference help.
| @@ -17,3 +20,7 @@ Connect-Graph -Scopes "User.Read","User.ReadWrite.All","Mail.ReadWrite",` | |||
|
|
|||
| # Forget all access tokens | |||
| Disconnect-Graph | |||
|
|
|||
| # Launch detailed permissions documentation | |||
| Get-Help Find-MgGraphPermission -Online | |||
There was a problem hiding this comment.
@msewaweru , this works because the .LINKS field in the comment help has exactly one entry, and it's the URI to the permissions docs. That means we can't provide references to other commands in .LINKS though -- hope that's ok.
There was a problem hiding this comment.
@maisarissi given the pointer by @adamedx it means we cannot use related links as we had intended to store Survey Links.
There was a problem hiding this comment.
You may want to sync with someone from the https://github.com/powershell/powershell or other experts on dcs + PowerShell project to confirm the behavior I observed.
There was a problem hiding this comment.
If there is such a limitation they should call Related Link instead of Related Links (plural) LOL
I will try to sync with someone to confirm this behavior.
| } | ||
|
|
||
| <# | ||
| .SYNOPSIS |
There was a problem hiding this comment.
@msewaweru this is the documentation section -- I believe this will be used to generate the online docs...
| in the default table view. | ||
|
|
||
| .LINK | ||
| https://docs.microsoft.com/en-us/graph/permissions-reference |
There was a problem hiding this comment.
This allows Get-Help -Online Find-MgGraphPermission to actually point at the permissions reference rather than help for Find-MgGraphPermission. If that's not ok, we can change this.
src/Authentication/Authentication/custom/Find-MgGraphPermission.ps1
Outdated
Show resolved
Hide resolved
| The SearchString parameter allows you to specify a string such as 'user' or 'mail' that represents the subject or domain | ||
| of the permission you're searching for. Since permissions usually have names such as 'User.Read' or 'Mail.ReadWrite', the | ||
| command uses the SearchString parameter to return all permissions that contain the value specified for SearchString in the | ||
| name of the permission. |
There was a problem hiding this comment.
@FehintolaObafemi Clarification: I thought you said this searches the description field as well. I don't think that is the case, but just want to make sure.
There was a problem hiding this comment.
@TannerTrombley Adam and I opted to excluding the description field search.
AzDO is picking up the Find-MgGraphPermission Pester tests and running them as expected. However, the following test is failing with: The Find-MgGraphPermission Command.When executing the command using a constrained set of permissions returned by MS Graph and there is a connection.Should return null and not throw an exception if ExactMatch is specified and there is no match
Expected no exception to be thrown, but an exception "No results were found that exactly matched the specified permission 'IDontExist'" was thrown from C:\a\1\s\src\Authentication\Authentication\test\Find-MgGraphPermission.Tests.ps1:119 char:15
+ … { Find-MgGraphPermission -ExactMatch IDontExist 2>&1 | out- …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
at { Find-MgGraphPermission -ExactMatch IDontExist 2>&1 | out-null } | Should -Not -Throw, C:\a\1\s\src\Authentication\Authentication\test\Find-MgGraphPermission.Tests.ps1:119 |
adamedx
force-pushed
the
FehintolaObafemi/permission
branch
from
0a9db56 to
21c50f3
Compare
Find-MgGraphPermission: Define new location for common script code
Find-MgGraphPermission: Add formatting Work around Pester corrupting variable scopes Add missing files: Work around Pester corrupting variable scopes
Add help documentation for Find-MgGraphPermission
Add pipeline support, ExactMatch and explicitly return all
…tion to make errors ignorable Update samples to include usage of Find-MgGraphPermission
…ject auto-completion works
…authentication module
adamedx
force-pushed
the
FehintolaObafemi/permission
branch
from
21c50f3 to
ae89eec
Compare
Interesting -- then my question why are the checks passing? Shouldn't this failure cause the checks to all fail and turn red? I'm not sure why this would fail unless the |
…ons-edits Edits v0.1
src/Authentication/Authentication/test/Find-MgGraphPermission.Tests.ps1
Outdated
Show resolved
Hide resolved
src/Authentication/Authentication/custom/common/Permissions.ps1
Outdated
Show resolved
Hide resolved
Co-authored-by: Peter Ombwa <[email protected]>
…Tests.ps1 Co-authored-by: Peter Ombwa <[email protected]>
Co-authored-by: Peter Ombwa <[email protected]>
@adamedx, I've figured out why the failing tests were not causing the checks to fail. You can find the PR to fix this here. |
| # both functions and cmdlets at export; if only one of | ||
| # these classes is specified, nothing of the other | ||
| # class will be exported. | ||
| Export-ModuleMember -Function * -Cmdlet * |
There was a problem hiding this comment.
Just an FYI Exporting module members like this will suppress currently exported cmdlet aliases such as Connect-Graph. The Pester tests to confirm this can be found here. I've fixed this in my PR by adding Get-ModuleCmdlet and Get-ScriptCmdlet helper cmdlets to aid in exporting functions, cmdlets, and aliases.
This will be fixed #816 when we merge the 2 PRs.
There was a problem hiding this comment.
There was a problem hiding this comment.
@adamedx, That's right. I'll merge the PR later today (to give others time to review it) then schedule everything for a 1.7.0 release.
@FehintolaObafemi, thank you for the excellent contribution!! I'm quite sure our customers will find this command valuable for their scripts.
This change adds the
Find-MgGraphPermissioncommand to theMicrosoft.Graph.Authenticationmodule as part of #704. See that issue for details on the functionality and use cases. Here are the implementation highlights:Find-MgGraphPermissioncommand is implemented as a custom script command using PowerShell itself, not C#Microsoft.Graph.Custom.Permissionis defined as the output type ofFind-MgGraphPermissionso that other commands likeSelect-Objectcan implement auto-complete for the output ofFind-MgGraphPermissionps1xmldefinition forMicrosoft.Graph.Custom.PermissionApplicationandConnecthave been updated to include relevant use cases involvingFind-MgGraphPermissionTo understand the expected behavior, you can review:
As noted in the original proposal, the permissions data is sourced from Microsoft Graph itself. However, many users will not have the privileges required to read it (you must be able to read the Microsoft Graph service principal object in your Azure Active Directory organization; company admins will have no problem with this, but many lower-privileged users won't be able to. Due to this, there is a fallback to snapshot of that service principal included in the code. For 99% of cases, the fallback will be fine as the newest permissions are unlikely to be those that someone is looking for. We do need to periodically update the file though.
Note that the command also includes additional documented capabilities that were not part of the original proposal -- these were added to simplify automation cases where you where partial matches and non-determinism are unacceptable. The additional filtering allows the set of results to be narrowed down to just one result (or none!) which is required for scenarios such as translating a known friendly permission name to the unique id for use with Microsoft Graph REST APIs or commands for those APIs.