approved with minor edits

Author: Kalyan Krishna

5-AccessControl/2-call-api-groups/AppCreationScripts/BulkCreateGroups.ps1

@@ -43,22 +43,45 @@ Function CreateGroupsAndAssignUser($user)
         $group = Get-MgGroup -Filter "DisplayName eq '$groupName'"
         $groupNameLower =  $groupName.ToLower();
         $nickName = $groupNameLower.replace(' ','');
+
         if ($group) 
         {
-            Write-Host "Group $($group.DisplayName) already exists"
+            Write-Host "Group '$($group.DisplayName)' already exists"
+            $newsg = $group
         }
         else
         {
-            $newsg = New-MgGroup -DisplayName $groupName -MailEnabled:$False -MailNickName $nickName  -SecurityEnabled
-            Write-Host "Successfully created group '$($newsg.DisplayName)'" 
+            try
+            {
+                $newsg = New-MgGroup -DisplayName $groupName -MailEnabled:$False -MailNickName $nickName  -SecurityEnabled                
+                Write-Host "Successfully created group '$($newsg.DisplayName)'"
+            }
+            catch 
+            {
+                $_.Exception.ToString() | out-host
+                $message = $_
+                Write-Warning $Error[0]
+                Write-Host "Unable to create group '$($newsg.DisplayName)'. Error is $message." -ForegroundColor White -BackgroundColor Red
+            }
+        }
+
             $userId = $user.Id
             $params = @{
-                "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/{$userId}"
+            "@odata.id"="https://graph.microsoft.com/v1.0/users/$userId"
             }
 
+        try
+        {
             New-MgGroupMemberByRef -GroupId $newsg.Id -BodyParameter $params
             Write-Host "Successfully assigned user to group '$($newsg.DisplayName)'"
         }
+        catch 
+        {
+            $_.Exception.ToString() | out-host
+            $message = $_
+            Write-Warning $Error[0]
+            Write-Host "Unable to assign user to group '$($newsg.DisplayName)'. Error is $message." -ForegroundColor White -BackgroundColor Red
+        }
 
         $val += 1;
     }
@@ -127,7 +150,7 @@ if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph")) {
     Install-Module "Microsoft.Graph" -Scope CurrentUser 
 }
 
-Import-Module Microsoft.Graph
+#Import-Module Microsoft.Graph
 
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Authentication")) {
     Install-Module "Microsoft.Graph.Authentication" -Scope CurrentUser 

5-AccessControl/2-call-api-groups/AppCreationScripts/BulkRemoveGroups.ps1

@@ -45,8 +45,18 @@ Function RemoveGroups
         $group = Get-MgGroup -Filter "DisplayName eq '$groupName'"
         if ($group) 
         {
-            Remove-MgGroup -GroupId $group.Id
-            Write-Host "Successfully deleted '$($group.DisplayName)'"
+            try
+            {
+                Remove-MgGroup -GroupId $group.Id
+                Write-Host "Successfully deleted '$($group.DisplayName)'"
+            }
+            catch 
+            {
+                $_.Exception.ToString() | out-host
+                $message = $_
+                Write-Warning $Error[0]
+                Write-Host "Unable to remove group '$($newsg.DisplayName)'. Error is $message." -ForegroundColor White -BackgroundColor Red
+            }
         }
         else 
         {
@@ -73,7 +83,7 @@ Function ConfigureApplications
 
     if ($tenantId -eq "") 
     {
-        Connect-MgGraph -Scopes "Organization.Read.All Group.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -Scopes "User.Read.All Organization.Read.All Group.ReadWrite.All" -Environment $azureEnvironmentName
     }
     else 
     {
@@ -102,6 +112,7 @@ Function ConfigureApplications
 
 }
 
+
 $ErrorActionPreference = "Stop"
 
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Authentication")) 

5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1

@@ -7,6 +7,51 @@ param(
     [string] $azureEnvironmentName
 )
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Groups")) {
+    Install-Module "Microsoft.Graph.Groups" -Scope CurrentUser 
+}
+
+Import-Module Microsoft.Graph.Groups
+
+<#.Description
+   This function creates a new Azure AD Security Group with provided values
+#>  
+Function CreateSecurityGroup([string] $name, [string] $description)
+{
+    Write-Host "Creating a security group by the name '$name'."
+    $newGroup = New-MgGroup -Description $description -DisplayName $name -MailEnabled:$false -SecurityEnabled:$true -MailNickName $name
+    return Get-MgGroup -Filter "DisplayName eq '$name'" 
+}
+
+<#.Description
+   This function first checks and then creates a new Azure AD Security Group with provided values, if required
+#>  
+Function CreateIfNotExistsSecurityGroup([string] $name, [string] $description,  [switch] $promptBeforeCreate)
+{
+
+    # check if Group exists
+    $group = Get-MgGroup -Filter "DisplayName eq '$name'"    
+    
+    if( $group -eq $null)
+    {
+        if ($promptBeforeCreate) 
+        {
+            $confirmation = Read-Host "Proceed to create a new security group named '$name' in the tenant ? (Y/N)"
+
+            if($confirmation -eq 'y')
+            {
+                $group = CreateSecurityGroup -name $name -description $description
+            }
+        }
+        else
+        {
+            Write-Host "No Security Group created!"
+        }     
+    }
+    
+    return $group    
+}
+
 <#.Description
    This function first checks and then deletes an existing Azure AD Security Group, if required
 #>  
@@ -40,7 +85,7 @@ Function RemoveSecurityGroup([string] $name, [switch] $promptBeforeDelete)
 <#.Description
    This function assigns a provided user to a security group
 #>  
-Function AssignUserToGroup([Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject]$userToAssign, [Microsoft.Graph.PowerShell.Models.MicrosoftGraphGroup]$groupToAssign)
+Function AssignUserToGroup([Microsoft.Graph.PowerShell.Models.MicrosoftGraphUser]$userToAssign, [Microsoft.Graph.PowerShell.Models.MicrosoftGraphGroup]$groupToAssign)
 {
     $owneruserId = $userToAssign.Id
     $params = @{
@@ -72,11 +117,11 @@ Function Cleanup
 
     if ($tenantId -eq "") 
     {
-        Connect-MgGraph -Scopes "Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
     }
     else 
     {
-        Connect-MgGraph -TenantId $tenantId -Scopes "Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -TenantId $tenantId -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
     }
 
     $context = Get-MgContext
@@ -147,7 +192,7 @@ if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph")) {
     Install-Module "Microsoft.Graph" -Scope CurrentUser 
 }
 
-Import-Module Microsoft.Graph
+#Import-Module Microsoft.Graph
 
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Authentication")) {
     Install-Module "Microsoft.Graph.Authentication" -Scope CurrentUser 

5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1

@@ -85,6 +85,46 @@ Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requ
 }
 
 
+<#.Description
+   This function takes a string input as a single line, matches a key value and replaces with the replacement value
+#> 
+Function UpdateLine([string] $line, [string] $value)
+{
+    $index = $line.IndexOf(':')
+    $lineEnd = ''
+
+    if($line[$line.Length - 1] -eq ','){   $lineEnd = ',' }
+    
+    if ($index -ige 0)
+    {
+        $line = $line.Substring(0, $index+1) + " " + '"' + $value+ '"' + $lineEnd
+    }
+    return $line
+}
+
+<#.Description
+   This function takes a dictionary of keys to search and their replacements and replaces the placeholders in a text file
+#> 
+Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable] $dictionary)
+{
+    $lines = Get-Content $configFilePath
+    $index = 0
+    while($index -lt $lines.Length)
+    {
+        $line = $lines[$index]
+        foreach($key in $dictionary.Keys)
+        {
+            if ($line.Contains($key))
+            {
+                $lines[$index] = UpdateLine $line $dictionary[$key]
+            }
+        }
+        $index++
+    }
+
+    Set-Content -Path $configFilePath -Value $lines -Force
+}
+
 <#.Description
    This function takes a string input as a single line, matches a key value and replaces with the replacement value
 #>     
@@ -158,45 +198,6 @@ Function CreateAppRole([string] $types, [string] $name, [string] $description)
     $appRole.Value = $name;
     return $appRole
 }
-<#.Description
-   This function takes a string input as a single line, matches a key value and replaces with the replacement value
-#> 
-Function UpdateLine([string] $line, [string] $value)
-{
-    $index = $line.IndexOf(':')
-    $lineEnd = ''
-
-    if($line[$line.Length - 1] -eq ','){   $lineEnd = ',' }
-    
-    if ($index -ige 0)
-    {
-        $line = $line.Substring(0, $index+1) + " " + '"' + $value+ '"' + $lineEnd
-    }
-    return $line
-}
-
-<#.Description
-   This function takes a dictionary of keys to search and their replacements and replaces the placeholders in a text file
-#> 
-Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable] $dictionary)
-{
-    $lines = Get-Content $configFilePath
-    $index = 0
-    while($index -lt $lines.Length)
-    {
-        $line = $lines[$index]
-        foreach($key in $dictionary.Keys)
-        {
-            if ($line.Contains($key))
-            {
-                $lines[$index] = UpdateLine $line $dictionary[$key]
-            }
-        }
-        $index++
-    }
-
-    Set-Content -Path $configFilePath -Value $lines -Force
-}
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Groups")) {
     Install-Module "Microsoft.Graph.Groups" -Scope CurrentUser 
 }
@@ -275,7 +276,7 @@ Function RemoveSecurityGroup([string] $name, [switch] $promptBeforeDelete)
 <#.Description
    This function assigns a provided user to a security group
 #>  
-Function AssignUserToGroup([Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject]$userToAssign, [Microsoft.Graph.PowerShell.Models.MicrosoftGraphGroup]$groupToAssign)
+Function AssignUserToGroup([Microsoft.Graph.PowerShell.Models.MicrosoftGraphUser]$userToAssign, [Microsoft.Graph.PowerShell.Models.MicrosoftGraphGroup]$groupToAssign)
 {
     $owneruserId = $userToAssign.Id
     $params = @{
@@ -324,10 +325,10 @@ Function ConfigureApplications
     # Connect to the Microsoft Graph API, non-interactive is not supported for the moment (Oct 2021)
     Write-Host "Connecting to Microsoft Graph"
     if ($tenantId -eq "") {
-        Connect-MgGraph -Scopes "Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
     }
     else {
-        Connect-MgGraph -TenantId $tenantId -Scopes "Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -TenantId $tenantId -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All Group.ReadWrite.All" -Environment $azureEnvironmentName
     }
 
     $context = Get-MgContext
@@ -347,7 +348,6 @@ Function ConfigureApplications
 
     Write-Host ("Connected to Tenant {0} ({1}) as account '{2}'. Domain is '{3}'" -f  $Tenant.DisplayName, $Tenant.Id, $currentUserPrincipalName, $verifiedDomainName)
 
-
    # Create the client AAD application
    Write-Host "Creating the AAD application (msal-react-app)"
    # Get a 6 months application key for the client Application
@@ -400,10 +400,10 @@ Function ConfigureApplications
 
     $newClaim =  CreateOptionalClaim  -name "groups" 
     $optionalClaims.IdToken += ($newClaim)
-    $newClaim =  CreateOptionalClaim  -name "groups" 
-    $optionalClaims.AccessToken += ($newClaim)
-    $newClaim =  CreateOptionalClaim  -name "groups" 
-    $optionalClaims.Saml2Token += ($newClaim)
+    # $newClaim =  CreateOptionalClaim  -name "groups" 
+    # $optionalClaims.AccessToken += ($newClaim)
+    # $newClaim =  CreateOptionalClaim  -name "groups" 
+    # $optionalClaims.Saml2Token += ($newClaim)
 
     # Add Optional Claims
 
@@ -486,7 +486,7 @@ Function ConfigureApplications
 
     if ($ownerAssigned -eq $false)
     {
-        AssignUserToGroup -userToAssign $owner -groupToAssign $GroupAdmin
+        AssignUserToGroup -userToAssign $user -groupToAssign $GroupAdmin
         $ownerAssigned = $true
     }
 
@@ -495,7 +495,7 @@ Function ConfigureApplications
 
     if ($ownerAssigned -eq $false)
     {
-        AssignUserToGroup -userToAssign $owner -groupToAssign $GroupMember
+        AssignUserToGroup -userToAssign $user -groupToAssign $GroupMember
         $ownerAssigned = $true
     }
     Write-Host "Don't forget to assign the users you wish to work with to the newly created security groups !" -ForegroundColor Red 
@@ -533,6 +533,7 @@ Function ConfigureApplications
     Write-Host "  - To support overage scenario, remember to provide admin consent for GroupMember.Read.All permission in the portal." -ForegroundColor Red 
     Write-Host "  - This script has created a group named 'GroupAdmin' for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." -ForegroundColor Red 
     Write-Host "  - This script has created a group named 'GroupMember' for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." -ForegroundColor Red 
+    Write-Host "  - Security groups matching the names you provided have been created in this tenant (if not present already). On Azure portal, assign some users to it, and configure ID & Access tokens to emit Group IDs" -ForegroundColor Red 
     Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
 
 if($isOpenSSL -eq 'Y')