<#
.Synopsis
Remove Apps in Azure Active Directory to clean up the AAD
.Description
This function removes the AAD app registrations that were created for Business Central under the given appIdUri:
the Web/Windows Client app, the API integration, the Excel AddIn, the PowerBI integration, the EMail service and the "other services" app.
Registrations are matched by exact identifierUri (the web-client URI and its api./xls./pbi./email./other. host-prefixed variants).
.Parameter accessToken
Access token for Microsoft Graph (audience https://graph.microsoft.com) with permission to delete app registrations in the AAD (e.g. Application.ReadWrite.All).
Passed as a plain string; it is wrapped in a SecureString before being handed to Connect-MgGraph when the installed Microsoft.Graph version requires it.
.Parameter appIdUri
Unique Uri to identify the AAD App (typically we use the URL for the Web Client)
.Parameter useCurrentMicrosoftGraphConnection
Specify this switch to reuse the current Microsoft Graph connection instead of invoking Connect-MgGraph (which pops up an interactive sign-in UI when no token is supplied)
.Parameter bcAuthContext
Authorization context created by New-BcAuthContext with scopes "https://graph.microsoft.com/.default"; when supplied it is renewed and its access token is used instead of -accessToken
.Example
Remove-AadAppsForBc -accessToken $accessToken -appIdUri https://mycontainer.mydomain/bc/
.Example
$bcAuthContext = New-BcAuthContext -tenantID $azureTenantId -clientID $azureApplicationId -clientSecret $clientSecret -scopes "https://graph.microsoft.com/.default"
$AdProperties = Remove-AadAppsForBc -appIdUri https://mycontainer.mydomain/bc/ -bcAuthContext $bcAuthContext
#>
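function Remove-AadAppsForBc {
    Param (
        [Parameter(Mandatory=$false)]
        [string] $accessToken,
        [Parameter(Mandatory=$true)]
        [string] $appIdUri,
        [switch] $useCurrentMicrosoftGraphConnection,
        [Hashtable] $bcAuthContext
    )
    # -includeParameters @() deliberately keeps every parameter value (including the access token) out of telemetry.
    $telemetryScope = InitTelemetryScope -name $MyInvocation.InvocationName -parameterValues $PSBoundParameters -includeParameters @()
    try {
        # Bootstrap the Microsoft.Graph module on first use.
        # NOTE(review): this installs whatever the default package source currently serves (no -RequiredVersion,
        # no explicit -Source). Pin a version / trusted repository if this is run on shared build agents.
        if (!(Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction Ignore)) {
            Write-Host "Installing NuGet Package Provider"
            Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -WarningAction Ignore | Out-Null
        }
        if (!(Get-Package -Name Microsoft.Graph -ErrorAction Ignore)) {
            Write-Host "Installing Microsoft.Graph PowerShell package"
            Install-Package Microsoft.Graph -Force -WarningAction Ignore | Out-Null
        }
        # Microsoft.Graph v2 takes -AccessToken as a SecureString; older versions took a plain string.
        $graphAccesTokenParameter = (Get-Command Connect-MgGraph).Parameters['AccessToken']
        $useSecureStringForAccessToken = ($graphAccesTokenParameter.ParameterType -eq [securestring])
        # Connect to Microsoft.Graph unless the caller wants the existing connection reused.
        if (!$useCurrentMicrosoftGraphConnection) {
            if ($bcAuthContext) {
                $bcAuthContext = Renew-BcAuthContext -bcAuthContext $bcAuthContext
                # The token is decoded locally (no signature check) purely to warn when it was minted for
                # another resource; the mismatch is not fatal here — Graph itself will reject such a token.
                $jwtToken = Parse-JWTtoken -token $bcAuthContext.accessToken
                if ($jwtToken.aud -ne 'https://graph.microsoft.com') {
                    Write-Host -ForegroundColor Yellow "The accesstoken was provided for $($jwtToken.aud), should have been for https://graph.microsoft.com"
                }
                $accessToken = $bcAuthContext.accessToken
            }
            if ($accessToken) {
                if ($useSecureStringForAccessToken) {
                    Connect-MgGraph -AccessToken (ConvertTo-SecureString -String $accessToken -AsPlainText -Force) | Out-Null
                }
                else {
                    Connect-MgGraph -AccessToken $accessToken | Out-Null
                }
            }
            else {
                # Interactive sign-in; Application.ReadWrite.All is the delegated permission needed to delete registrations.
                Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null
            }
        }
        # Resolve the connected identity (user or service principal) to make sure the connection is usable.
        $account = Get-MgContext
        if ($null -eq $account.Account) {
            $adUser = Get-MgServicePrincipal -Filter "AppId eq '$($account.ClientId)'"
        } else {
            $adUser = Get-MgUser -UserId $account.Account
        }
        if (!$adUser) {
            throw "Could not identify Aad Tenant"
        }
        # Enumerate the tenant's applications once; the previous implementation listed all apps once per app type.
        $allApps = @(Get-MgApplication -All)
        # Every registration is keyed on the web-client URI with a host prefix ('' = Web/Windows Client,
        # 'api.' = API, 'xls.' = Excel AddIn, 'pbi.' = PowerBI, 'email.' = EMail service, 'other.' = other services).
        $appRegistrations = @(
            @{ Prefix = '';       Message = 'Remove AAD App for Web Client' }
            @{ Prefix = 'api.';   Message = 'Remove AAD App for Api' }
            @{ Prefix = 'xls.';   Message = 'Remove AAD App for Excel' }
            @{ Prefix = 'pbi.';   Message = 'Remove AAD App for PowerBI' }
            @{ Prefix = 'email.'; Message = 'Remove AAD App for EMail Service' }
            @{ Prefix = 'other.'; Message = 'Remove AAD App for Other Services' }
        )
        # Tracks ids already deleted so an appIdUri without '://' (all prefixes collapse to the same URI)
        # does not trigger a second delete of the same registration from the cached list.
        $removedIds = @{}
        # NOTE(review): this is a destructive, unconfirmed operation (no -WhatIf/-Confirm support); confirm
        # whether a Graph application delete is restorable in your tenant before relying on it for cleanup.
        foreach ($registration in $appRegistrations) {
            Write-Host $registration.Message
            $identifierUri = $appIdUri.Replace('://', "://$($registration.Prefix)")
            # Exact (case-insensitive) match on identifierUris — never a prefix or wildcard match —
            # so only the registrations created for this $appIdUri are removed.
            $allApps | Where-Object { ($_.IdentifierUris -contains $identifierUri) -and (-not $removedIds.ContainsKey($_.Id)) } | ForEach-Object {
                Remove-MgApplication -ApplicationId $_.Id
                $removedIds[$_.Id] = $true
            }
        }
    }
    catch {
        TrackException -telemetryScope $telemetryScope -errorRecord $_
        throw
    }
    finally {
        TrackTrace -telemetryScope $telemetryScope
    }
}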
# Only Remove-AadAppsForBc is exported from this script; the helpers it calls (InitTelemetryScope, Renew-BcAuthContext, Parse-JWTtoken, TrackException, TrackTrace) come from elsewhere in the module.
Export-ModuleMember -Function Remove-AadAppsForBc