<#
.SYNOPSIS
This script adds the specified role to the AD Group in the DevTest Lab.
.DESCRIPTION
This script lets IT admins programmatically grant a specific AD group access to the lab's resources by assigning it the lab role.
.PARAMETER labName
Mandatory. The name of the lab.
.PARAMETER ADGroupName
Mandatory. The name of the AD group.
.PARAMETER role
Optional. The role definition name.
Default "University DevTest Labs User".
.PARAMETER profilePath
Optional. Path to file with Azure Profile.
Default "$env:APPDATA\AzProfile.txt".
.EXAMPLE
Add-GroupPermissionsDevTestLab -labName University -ADGroupName MyGroup
.EXAMPLE
Add-GroupPermissionsDevTestLab -labName University -ADGroupName MyGroup -role "My DevTest Lab User"
.NOTES
#>
[CmdletBinding()]
param
(
    # Lab whose scope receives the role assignment.
    [Parameter(Mandatory, HelpMessage = "The name of the lab")]
    [string] $labName,

    # Display name of the AD group that is granted the role.
    [Parameter(Mandatory, HelpMessage = "The name of the AD group")]
    [string] $ADGroupName,

    # Role definition name assigned at the lab scope.
    [Parameter(HelpMessage = "The role definition name")]
    [string] $role = "University DevTest Labs User",

    # Path to a saved Azure profile; handed to LoadAzureCredentials.
    [Parameter(HelpMessage = "Path to file with Azure Profile")]
    [string] $profilePath = "$env:APPDATA\AzProfile.txt"
)
# Route every terminating error in this script through Handle-LastError
# (presumably provided by the dot-sourced Common.ps1). Individual commands
# therefore need no try/catch of their own unless a specific error is meant
# to be ignored.
trap {
    Handle-LastError
}
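. .\Common.ps1

# Authenticate using whatever credential source Common.ps1 infers (the saved
# profile at $profilePath when one is used).
$credentialsKind = InferCredentials
LogOutput "Credentials kind: $credentialsKind"
LoadAzureCredentials -credentialsKind $credentialsKind -profilePath $profilePath

# The subscription id property was renamed between AzureRM releases; pick the
# one that matches the installed module version.
# NOTE(review): if GetAzureModuleVersion returns a plain string this is a
# lexicographic comparison ("10.0.0" -ge "3.8.0" is $false) — confirm it returns
# a [version], or cast both sides before comparing.
$azVer = GetAzureModuleVersion
if ($azVer -ge "3.8.0") {
    $SubscriptionID = (Get-AzureRmContext).Subscription.Id
}
else {
    $SubscriptionID = (Get-AzureRmContext).Subscription.SubscriptionId
}

# Resolve the lab by exact name. -ResourceNameContains is a substring match, so
# "University" would also pick up "University2"; the same name can also exist in
# more than one resource group. Anything but a single match must stop the script
# rather than build a scope for the wrong lab. throw hands the error to the trap.
$labs = @(Find-AzureRmResource -ResourceType "Microsoft.DevTestLab/labs" -ResourceNameEquals $labName)
if ($labs.Count -ne 1) {
    throw "Expected exactly one DevTest Lab named '$labName', found $($labs.Count)"
}
$ResourceGroupName = $labs[0].ResourceGroupName

# Resolve the AD group by exact display name. -SearchString is a prefix match, so
# filter the result and refuse to continue unless it is unambiguous: a role
# assignment to the wrong group is a silent privilege grant.
$adGroups = @(Get-AzureRmADGroup -SearchString $ADGroupName | Where-Object { $_.DisplayName -eq $ADGroupName })
if ($adGroups.Count -ne 1) {
    throw "Expected exactly one AD group named '$ADGroupName', found $($adGroups.Count)"
}
$objectId = $adGroups[0].Id

# Assign the role to the group at the lab scope, logging exactly what is granted
# so the action is traceable afterwards.
$scope = "/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.devtestlab/labs/$labName"
LogOutput "Assigning role '$role' to group '$ADGroupName' ($objectId) at scope $scope"
New-AzureRmRoleAssignment -ObjectId $objectId -Scope $scope -RoleDefinitionName $role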