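<#
.SYNOPSIS
This script removes the specified role from the AD Group in the DevTest Lab.
.DESCRIPTION
This script allows IT admins to programmatically remove the permissions to access lab resources
from a specific group associated to a specific role.
Both the lab and the AD group are resolved by exact name. If zero or more than one match is found
the script stops (through the trap) instead of removing a role assignment at the wrong scope or
from the wrong group.
.PARAMETER labName
Mandatory. The name of the lab.
.PARAMETER ADGroupName
Mandatory. The name of the AD group.
.PARAMETER role
Optional. The role definition name.
Default "University DevTest Labs User".
.PARAMETER profilePath
Optional. Path to file with Azure Profile.
Default "$env:APPDATA\AzProfile.txt".
.EXAMPLE
Remove-GroupPermissionsDevTestLab -labName University -ADGroupName MyGroup
.EXAMPLE
Remove-GroupPermissionsDevTestLab -labName University -ADGroupName MyGroup -role "My DevTest Lab User"
.NOTES
Requires Common.ps1 (Handle-LastError, InferCredentials, LogOutput, LoadAzureCredentials,
GetAzureModuleVersion) in the current directory.
#>
[cmdletbinding()]
param
(
    [Parameter(Mandatory = $true, HelpMessage = "The name of the lab")]
    [string] $labName,
    [Parameter(Mandatory = $true, HelpMessage = "The name of the AD group")]
    [string] $ADGroupName,
    [Parameter(Mandatory = $false, HelpMessage = "The role definition name")]
    [string] $role = "University DevTest Labs User",
    [Parameter(Mandatory = $false, HelpMessage = "Path to file with Azure Profile")]
    [string] $profilePath = "$env:APPDATA\AzProfile.txt"
)

trap {
    # NOTE: This trap will handle all errors, including the explicit throws below. There should be
    # no need to use a catch in this script, unless you want to ignore a specific error.
    Handle-LastError
}

. .\Common.ps1

$credentialsKind = InferCredentials
LogOutput "Credentials kind: $credentialsKind"
LoadAzureCredentials -credentialsKind $credentialsKind -profilePath $profilePath

# The Subscription object exposes .Id from AzureRM 3.8.0 on and .SubscriptionId before that.
# Casting both sides to [version] makes this a numeric comparison; as plain strings
# "10.0.0" -ge "3.8.0" would be false. Assumes GetAzureModuleVersion returns a parseable
# version string or a [version] — TODO confirm against Common.ps1.
$azVer = GetAzureModuleVersion
if ([version] $azVer -ge [version] "3.8.0") {
    $SubscriptionID = (Get-AzureRmContext).Subscription.Id
}
else {
    $SubscriptionID = (Get-AzureRmContext).Subscription.SubscriptionId
}

# -ResourceNameContains is a substring match ("University" also matches "University2"), so keep
# only the exact name and require a single hit: a multi-valued $ResourceGroupName would otherwise
# produce a malformed scope string below.
$labs = @(Find-AzureRmResource -ResourceType "Microsoft.DevTestLab/labs" -ResourceNameContains $labName |
    Where-Object { $_.Name -eq $labName })
if ($labs.Count -ne 1) {
    throw "Expected exactly one lab named '$labName', found $($labs.Count)"
}
$ResourceGroupName = $labs[0].ResourceGroupName

# get the ObjectId from the AD group name. -SearchString is not an exact-name match, so apply the
# same guard: without it the role assignment could be removed from a different group whose
# display name merely starts with $ADGroupName, or the call would fail on an empty/array ObjectId.
$groups = @(Get-AzureRmADGroup -SearchString $ADGroupName |
    Where-Object { $_.DisplayName -eq $ADGroupName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one AD group named '$ADGroupName', found $($groups.Count)"
}
$objectId = $groups[0].Id

# Build the lab scope explicitly so the assignment is removed only at this lab, never at a
# broader (resource group / subscription) scope.
$scope = "/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.devtestlab/labs/$labName"

# remove the role from the group for the specified lab
Remove-AzureRmRoleAssignment -ObjectId $objectId -Scope $scope -RoleDefinitionName $role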