Get-AADExportRequiredScopes.ps1

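<#
 .Synopsis
  Gets the required scopes for a schema

 .Description
  Walks the export schema, recursing into each entry's 'Children', and returns
  the distinct, sorted set of permission scopes that the entries declare for the
  requested permission type. Scopes are read from each entry's
  'DelegatedPermission' or 'ApplicationPermission' property. An entry that
  declares no scopes for the requested type emits a warning naming the command
  or Graph URI it calls, so the gap can be fixed in the schema rather than
  surfacing as an authorization failure during the export.

 .Parameter PermissionType
  'Delegated' or 'Application' - selects which scope property of each entry is read.

 .Parameter ExportSchema
  The schema entries to inspect. When omitted (or empty) the result of
  Get-AADExportDefaultSchema is used.

 .Outputs
  Sorted, de-duplicated scope names (case-insensitive de-duplication, first-seen
  casing kept). Nothing is emitted when no entry declares a scope.

 .Example
  Get-AADExportRequiredScopes -PermissionType Delegated
#>


function Get-AADExportRequiredScopes {
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] 
        [ValidateSet('Delegated','Application')]
        [string]$PermissionType,
        [Parameter(Mandatory = $false)]
        [object]$ExportSchema
    )

    if (!$ExportSchema) {
        $ExportSchema = Get-AADExportDefaultSchema
    }

    # Property of each entry that holds the scopes for the requested permission type.
    $scopeProperty = "DelegatedPermission"
    if ($PermissionType -eq "Application") {
        $scopeProperty = "ApplicationPermission"
    }

    # Case-insensitive set: matches the '-notin' comparison the previous
    # array-based de-duplication relied on, but membership is O(1).
    $scopes = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)

    foreach ($entry in $ExportSchema) {
        $entryScopes = Get-ObjectProperty $entry $scopeProperty
        $command = Get-ObjectProperty $entry 'Command'
        $graphUri = Get-ObjectProperty $entry 'GraphUri'

        # Describe what the entry invokes, for the warning below.
        $entryType = "graphuri"
        $tocall = $graphUri
        if ($command) {
            $entryType = "command"
            $tocall = $command
        }

        if (!$entryScopes) {
            Write-Warning "call to $entryType '$tocall' doesn't provide $PermissionType permissions"
        }

        foreach ($entryScope in $entryScopes) {
            [void]$scopes.Add($entryScope)
        }

        # Read 'Children' through Get-ObjectProperty like every other entry
        # property, so non-hashtable entries don't fail on ContainsKey. Recurse
        # only when there is something to walk: passing an empty/null Children
        # list to the recursive call would otherwise trip the default-schema
        # fallback above and pull in every scope of the default schema.
        $children = Get-ObjectProperty $entry 'Children'
        if ($children) {
            $childScopes = Get-AADExportRequiredScopes -PermissionType $PermissionType -ExportSchema $children
            foreach ($entryScope in $childScopes) {
                [void]$scopes.Add($entryScope)
            }
        }
    }

    $scopes | Sort-Object
}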