Find-MgGraphPermission (#809)

Author: Taofeek F. Obafemi-Babatunde

.gitignore

@@ -226,6 +226,8 @@ _pkginfo.txt
 ClientBin/
 ~$*
 *~
+.#*
+*#
 *.dbmdl
 *.dbproj.schemaview
 *.jfm

samples/2-ConnectToGraph.ps1

@@ -6,6 +6,9 @@ Connect-Graph
 # Try to Get-User
 Get-MgUser
 
+# Search for delegated permissions related to sites
+Find-MgGraphPermission sites -PermissionType Delegated
+
 # Grant more permissions
 Connect-Graph -Scopes "User.Read","User.ReadWrite.All","Mail.ReadWrite",`
             "Directory.Read.All","Chat.ReadWrite", "People.Read", `
@@ -17,3 +20,6 @@ Connect-Graph -Scopes "User.Read","User.ReadWrite.All","Mail.ReadWrite",`
 
 # Forget all access tokens
 Disconnect-Graph
+
+# Launch detailed permissions documentation
+Get-Help Find-MgGraphPermission -Online

samples/9-Applications.ps1

@@ -26,6 +26,7 @@ $app3 = New-MgApplication -displayName "ImplicitWebApp" `
         }  
 
 # Create an registration for an ASP.NET Web App
+$scopeId_UserRead = Find-MgGraphPermission User.Read -ExactMatch -PermissionType Delegated | Select-Object -ExpandProperty Id
 $app = New-MgApplication -displayName "AspNetWebApp" `
            -Web @{ 
               RedirectUris = "https://localhost:5001/signin-oidc"; `
@@ -36,7 +37,7 @@ $app = New-MgApplication -displayName "AspNetWebApp" `
              -RequiredResourceAccess @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"
                                         ResourceAccess = @(
                                                 @{ 
-                                                    Id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
+                                                    Id = $scopeId_UserRead
                                                     Type = "Scope"
                                                  }
                                                  )
@@ -56,7 +57,7 @@ $createAppParams = @{
         ResourceAppId = "00000003-0000-0000-c000-000000000000"
         ResourceAccess = @(
             @{
-                Id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
+                Id = $scopeId_UserRead
                 Type = "Scope"
             }
         )
@@ -76,18 +77,36 @@ $Certificate = Get-ChildItem -Path "Cert:\CurrentUser\My\$CertificateThumbprint"
 # Graph resource Id
 $GraphResourceId = "00000003-0000-0000-c000-000000000000"
 
-# Graph permissions constants
-$UserReadAll = @{ Id = "df021288-bdef-4463-88db-98f22de89214"; Type = "Role" }
-$GroupReadAll = @{ Id = "5b567255-7703-4780-807c-7be8301ae99b"; Type = "Role" }
-$MailboxSettingsRead = @{ Id = "40f97065-369a-49f4-947c-6a255697ae91"; Type = "Role" }
-$MailSend = @{ Id = "b633e1c5-b582-4048-a93e-9f11b44c7e96"; Type = "Role" }
+# Show friendly Graph permission names given their unique identifiers
+Find-MgGraphPermission | Where-Object Id -in @(
+    'df021288-bdef-4463-88db-98f22de89214'
+    '5b567255-7703-4780-807c-7be8301ae99b'
+    '40f97065-369a-49f4-947c-6a255697ae91'
+    'b633e1c5-b582-4048-a93e-9f11b44c7e96'
+)
 
 # Create an application registration.
+$requiredPermissions = 'Group.Read.All', 'Mail.Send', 'MailboxSettings.Read', 'User.Read.All' |
+  Find-MgGraphPermission -ExactMatch -PermissionType Application
+
+$resourceAccess = foreach ( $permission in $requiredPermissions ) {
+    @{ Id = $permission.Id; Type = 'Role' }
+}
+
 $AppName = "ScriptedGraphPSApp"
 $app4 = New-MgApplication -"ClientCredentialApp" $AppName `
                     -SignInAudience "AzureADMyOrg" `
-                    -RequiredResourceAccess @{ ResourceAppId = $graphResourceId; ResourceAccess = $UserReadAll, $GroupReadAll, $MailboxSettingsRead, $MailSend } `
+                    -RequiredResourceAccess @{ ResourceAppId = $graphResourceId; ResourceAccess = $resourceAccess } `
                     -KeyCredentials @(@{ Type = "AsymmetricX509Cert"; Usage = "Verify"; Key= $Certificate.RawData })
 
 # Create corresponding service principal.
 New-MgServicePrincipal -AppId $app4.AppId
+
+# Show permissions assigned to the application in the organization
+# using friendly permission names instead of just the unique identifiers
+$servicePrincipal4 = Get-MgServicePrincipal -Filter "appId eq '$($app4.AppId)'"
+Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal4.id |
+  Select-Object appRoleId |
+  Find-MgGraphPermission
+
+

src/Authentication/Authentication/Microsoft.Graph.Authentication.csproj

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <Version>1.6.0</Version>
+    <Version>1.7.0</Version>
     <LangVersion>7.1</LangVersion>
     <TargetFramework>netstandard2.0</TargetFramework>
     <OutputType>Library</OutputType>

src/Authentication/Authentication/Microsoft.Graph.Authentication.format.ps1xml

@@ -32,5 +32,50 @@
         </TableRowEntries>
       </TableControl>
     </View>
+
+    <View>
+      <Name>Permission</Name>
+      <ViewSelectedBy>
+        <TypeName>Microsoft.Graph.Custom.Permission</TypeName>
+      </ViewSelectedBy>
+      <GroupBy>
+        <PropertyName>PermissionType</PropertyName>
+        <Label>PermissionType</Label>
+      </GroupBy>
+      <TableControl>
+        <TableHeaders>
+          <TableColumnHeader>
+            <Label>Id</Label>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>Consent</Label>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>Name</Label>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>Description</Label>
+          </TableColumnHeader>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem>
+                <PropertyName>Id</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>Consent</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>Name</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>Description</PropertyName>
+              </TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
   </ViewDefinitions>
 </Configuration>

src/Authentication/Authentication/Microsoft.Graph.Authentication.nuspec

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <package>
   <metadata>
-    <version>1.4.2</version>
+    <version>1.7.0</version>
     <id>Microsoft.Graph.Authentication</id>
     <description>Microsoft Graph PowerShell authentication module</description>
     <authors>Microsoft</authors>
@@ -24,6 +24,7 @@
     <file src="artifacts\Microsoft.Graph.Authentication.Core.dll" />
     <file src="artifacts\Microsoft.Graph.Core.dll" />
     <file src="artifacts\StartupScripts\*" target="StartupScripts" />
+    <file src="artifacts\custom\" target="custom" />
     <file src="artifacts\Dependencies\Newtonsoft.Json.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\Microsoft.Graph.Auth.dll" target="Dependencies" />
     <file src="artifacts\Dependencies\Microsoft.IdentityModel.JsonWebTokens.dll" target="Dependencies" />

src/Authentication/Authentication/Microsoft.Graph.Authentication.psd1

@@ -3,7 +3,7 @@
 #
 # Generated by: Microsoft
 #
-# Generated on: 3/12/2021
+# Generated on: 8/4/2021
 #
 
 @{
@@ -12,7 +12,7 @@
 RootModule = './Microsoft.Graph.Authentication.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.6.0'
+ModuleVersion = '1.7.0'
 
 # Supported PSEditions
 CompatiblePSEditions = 'Core', 'Desktop'
@@ -63,13 +63,13 @@ DotNetFrameworkVersion = '4.7.2'
 # TypesToProcess = @()
 
 # Format files (.ps1xml) to be loaded when importing this module
-FormatsToProcess = './Microsoft.Graph.Authentication.format.ps1xml'
+FormatsToProcess = 'Microsoft.Graph.Authentication.format.ps1xml'
 
 # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
 # NestedModules = @()
 
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-FunctionsToExport = @()
+FunctionsToExport = 'Find-MgGraphPermission'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Connect-MgGraph', 'Disconnect-MgGraph', 'Get-MgContext', 

src/Authentication/Authentication/Microsoft.Graph.Authentication.psm1

@@ -4,7 +4,7 @@ $null = Import-Module -Name (Join-Path $PSScriptRoot 'Microsoft.Graph.Authentica
 
 if (Test-Path -Path "$PSScriptRoot\StartupScripts" -ErrorAction Ignore)
 {
-    Get-ChildItem "$PSScriptRoot\StartupScripts" -ErrorAction Stop | ForEach-Object {
+    Get-ChildItem "$PSScriptRoot\StartupScripts" -Filter *.ps1 -ErrorAction Stop | ForEach-Object {
         . $_.FullName
     }
 }

src/Authentication/Authentication/StartupScripts/ExportCustomCommands.ps1

@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------------------
+#  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
+# ------------------------------------------------------------------------------
+
+# Load custom commands
+$customScriptCommandDirItem = Get-Item $PSScriptRoot -ErrorAction Ignore
+if ( $customScriptCommandDirItem ) {
+    $customScriptCommandDir = join-path $customScriptCommandDirItem.FullName ../custom
+
+    Get-ChildItem $customScriptCommandDir -Filter *.ps1 -ErrorAction Stop | ForEach-Object {
+        . $_.FullName
+    }
+}
+
+# Export custom script commands without removing the
+# binary cmdlets. Custom script commands are functions,
+# the cmdlets are.. cmdlets. We must explicitly specify
+# both functions and cmdlets at export; if only one of
+# these classes is specified, nothing of the other
+# class will be exported.
+Export-ModuleMember -Function * -Cmdlet *
+

src/Authentication/Authentication/build-module.ps1

@@ -80,16 +80,21 @@ if ($LastExitCode -ne 0) {
 
 # Ensure out directory exists and is clean.
 Remove-Item -Path $outDir -Recurse -ErrorAction Ignore
-New-Item -Path $outDir -ItemType Directory
-New-Item -Path $outDeps -ItemType Directory
-New-Item -Path $outCore -ItemType Directory
-New-Item -Path $outDesktop -ItemType Directory
+New-Item -Path $outDir -ItemType Directory | out-null
+New-Item -Path $outDeps -ItemType Directory | out-null
+New-Item -Path $outCore -ItemType Directory | out-null
+New-Item -Path $outDesktop -ItemType Directory | out-null
 
 # Copy manifest.
 Copy-Item -Path "$cmdletsSrc/$ModulePrefix.$ModuleName.format.ps1xml" -Destination $outDir
 Copy-Item -Path "$cmdletsSrc/$ModulePrefix.$ModuleName.psm1" -Destination $outDir
 Copy-Item -Path "$cmdletsSrc/$ModulePrefix.$ModuleName.psd1" -Destination $outDir
-Copy-Item -Path "$cmdletsSrc/StartupScripts" -Recurse -Destination $outDir
+Copy-Item -Path "$cmdletsSrc/StartupScripts" -Filter *.ps1 -Recurse -Destination $outDir
+
+# Copy custom commands
+
+Copy-Item -Path "$cmdletsSrc/custom" -Filter *.ps1 -Recurse -Destination $outDir
+Copy-Item -Path "$cmdletsSrc/custom" -Filter *.json -Recurse -Destination $outDir -Force
 
 # Core assemblies to include with cmdlets (Let PowerShell load them).
 $CoreAssemblies = @('Microsoft.Graph.Authentication.Core', 'Microsoft.Graph.Core')
@@ -114,4 +119,4 @@ Get-ChildItem -Path "$cmdletsSrc/bin/$Configuration/$netStandard/publish/" |
 Where-Object { -not $Deps.Contains($_.Name) -and $_.Extension -in $copyExtensions } |
 ForEach-Object { Copy-Item -Path $_.FullName -Destination $outDir }
 
-Write-Host -ForegroundColor Green '-------------Done-------------'
+Write-Host -ForegroundColor Green '-------------Done-------------'