Public/Add-AvdApplicationGroupPermissions.ps1

function Add-AvdApplicationGroupPermissions {
    <#
    .SYNOPSIS
    Adds permissions to an Azure Virtual Desktop Applicationgroup
    .DESCRIPTION
    The function will add permissions to an Azure Virtual Desktop Applicationgroup. This can be a user or a group.
    .PARAMETER ApplicationGroupName
    Enter the AVD application group name
    .PARAMETER ResourceGroupName
    Enter the AVD application group resourcegroup name
    .PARAMETER UserPrincipalName
    Provide the user principal name (eg. user@domain.com)
    .PARAMETER GroupName
    Provide the group name (eg. All Users)
    .EXAMPLE
    Add-AvdApplicationGroupPermissions -ApplicationGroupName avd-application-group -ResourceGroupName rg-avd-01 -UserPrincipalName user@domain.com
    .EXAMPLE
    Add-AvdApplicationGroupPermissions -ApplicationGroupName avd-application-group -ResourceGroupName rg-avd-01 -GroupName "All Users"
    #>

    [CmdletBinding(DefaultParameterSetName = 'Name')]
    param
    (
        [parameter(Mandatory, ParameterSetName = 'Group')]
        [parameter(Mandatory, ParameterSetName = 'PrincipalId')]
        [parameter(Mandatory, ParameterSetName = 'User')]
        [ValidateNotNullOrEmpty()]
        [string]$ApplicationGroupName,
    
        [parameter(Mandatory, ParameterSetName = 'Group')]
        [parameter(Mandatory, ParameterSetName = 'PrincipalId')]
        [parameter(Mandatory, ParameterSetName = 'User')]
        [ValidateNotNullOrEmpty()]
        [string]$ResourceGroupName,

        [parameter(Mandatory, ParameterSetName = 'ResourceId-User')]
        [parameter(Mandatory, ParameterSetName = 'ResourceId-Group')]
        [parameter(Mandatory, ParameterSetName = 'ResourceId-PrincipalId')]
        [ValidateNotNullOrEmpty()]
        [string]$ResourceId,
    
        [parameter(Mandatory, ParameterSetName = 'ResourceId-User')]
        [parameter(Mandatory, ParameterSetName = 'Name-User')]
        [ValidateNotNullOrEmpty()]
        [string]$UserPrincipalName,

        [parameter(Mandatory, ParameterSetName = 'ResourceId-Group')]
        [parameter(Mandatory, ParameterSetName = 'Name-Group')]
        [ValidateNotNullOrEmpty()]
        [string]$GroupName,

        [parameter(Mandatory, ParameterSetName = 'ResourceId-PrincipalId')]
        [parameter(Mandatory, ParameterSetName = 'Name-PrincipalId')]
        [ValidateNotNullOrEmpty()]
        [string]$PrincipalId
        
    )
    Begin {
        Write-Verbose "Start searching"
        AuthenticationCheck
        $apiVersion = "?api-version=2021-04-01-preview"
        $token = GetAuthToken -resource $script:AzureApiUrl
    }
    Process {
        $graphToken = GetAuthToken -resource $Script:GraphApiUrl
        switch -Wildcard ($PsCmdlet.ParameterSetName) {
            *User {
                Write-Verbose "UPN $UserPrincipalName provided, looking for user in Azure AD"
                $graphUrl = $Script:GraphApiUrl + "/" + $script:GraphApiVersion + "/users/" + $UserPrincipalName
                $identityInfo = (Invoke-RestMethod -Method GET -Uri $graphUrl -Headers $graphToken).id
            }
            *Group {
                Write-Verbose "Group name $GroupName provided, looking for group in Azure AD"
                $graphUrl = $Script:GraphApiUrl + "/" + $script:GraphApiVersion + "/groups?`$filter=displayName eq '$GroupName'"
                $identityInfo = (Invoke-RestMethod -Method GET -Uri $graphUrl -Headers $graphToken).value.id
            }
            *PrincipalId {
                Write-Verbose "looking for principal $PrincipalId in Azure AD"
                $identityInfo = $PrincipalId
            }
            Default {
                Write-Error "No UPN, group name or principal ID is provided"
            }
        }
        if ($ApplicationGroupName) {
            $applicationGroup = Get-AvdApplicationGroup -ApplicationGroupName $ApplicationGroupName -ResourceGroupName $ResourceGroupName
        }
        else {
            $applicationGroup = Get-AvdApplicationGroup -resourceId $ResourceId
        }
        $guid = (New-Guid).Guid
        $url = $script:AzureApiUrl + "/" + $applicationGroup.id + "/providers/Microsoft.Authorization/roleAssignments/$($guid)" + $apiVersion
       
        # Used ID 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 is default built-in role Desktop Virtualization User.
        # Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#desktop-virtualization-user
        $body = @{
            properties = @{
                roleDefinitionId = "/subscriptions/" + $script:subscriptionId + "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63"
                principalId      = $identityInfo
            }
        }
        $jsonBody = $body | ConvertTo-Json
        $parameters = @{
            uri     = $url
            Method  = "PUT"
            Headers = $token
            Body    = $jsonBody
        }
        Invoke-RestMethod @parameters
    }
}