AzureADLicensing.psm1

#Region '.\_PrefixCode.ps1' 0
# Code in here will be prepended to top of the psm1-file.
#EndRegion '.\_PrefixCode.ps1' 1
#Region '.\Private\Get-AuthToken.ps1' 0
function Get-AuthToken {
    [Cmdletbinding()]
    [OutputType([hashtable])]

    param()

    process {

        $context = Get-AzContext

        if ($null -eq $context) {
            $null = Connect-AZAccount -EA stop
            $context = Get-AzContext
        }

        $apiToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null, "74658136-14ec-4630-ad9b-26e160ff0fc6")

        $header = @{
            'Authorization'          = 'Bearer ' + $apiToken.AccessToken.ToString()
            'Content-Type'           = 'application/json'
            'X-Requested-With'       = 'XMLHttpRequest'
            'x-ms-client-request-id' = [guid]::NewGuid()
            'x-ms-correlation-id'    = [guid]::NewGuid()
        }

        Write-Verbose "Connected to tenant: '$($context.Tenant.Id)' as: '$($context.Account)'"

        return $header
    }
}
#EndRegion '.\Private\Get-AuthToken.ps1' 30
#Region '.\Public\Add-AADGroupLicenseAssignment.ps1' 0
function Add-AADGroupLicenseAssignment {

    [cmdletbinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, HelpMessage = "ID of the Azure AD group")]
        [guid]$groupId,

        [Parameter(Mandatory, HelpMessage = "License SKU to assign")]
        [String]$accountSkuId,

        [Parameter(HelpMessage = "Excluded features for the specified SKU")]
        [String[]]$disabledServicePlans = @()
    )
    process {

        $licenceAssignmentConfig = @{
            assignments = @(
                @{
                    "objectId"       = "$groupId"
                    "isUser"         = $false
                    "addLicenses"    = @(
                        @{
                            "accountSkuId"         = "$accountSkuId"
                            "disabledServicePlans" = @($disabledServicePlans)
                        }
                    )
                    "removeLicenses" = @()
                    "updateLicenses" = @()
                }
            )
        }

        $requestBody = $licenceAssignmentConfig | ConvertTo-Json -Depth 5
        $baseUrl = "https://main.iam.ad.ext.azure.com/api/"

        if ($PSCmdlet.ShouldProcess($groupId, "Update license `"$accountSkuId`", disabled plans: `"$($disabledServicePlans -join `",`")`"")) {
            try {
                $response = Invoke-WebRequest -Method Post -Uri $($baseUrl + "AccountSkus/assign") -Headers $(Get-AuthToken) -Body $requestBody -ErrorAction Stop
                $responseContent = $response | ConvertFrom-Json
                return $responseContent
            }
            catch {
                # convert the error message if it appears to be JSON
                if ($_.ErrorDetails.Message -like "{`"Classname*") {
                    $local:errmsg = $_.ErrorDetails.Message | ConvertFrom-Json
                    if ($local:errmsg.Clientdata.operationresults.details) {
                        Write-Error $local:errmsg.Clientdata.operationresults.details
                    }
                    else {
                        Write-Error $local:errmsg
                    }
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}
#EndRegion '.\Public\Add-AADGroupLicenseAssignment.ps1' 59
#Region '.\Public\Get-AADGroupLicenseAssignment.ps1' 0
function Get-AADGroupLicenseAssignment {
    [cmdletbinding()]
    param(
        [Parameter(Mandatory, HelpMessage = "ID of the Azure AD group", ParameterSetName = "Single")]
        [guid]$groupId,

        [Parameter(Mandatory, HelpMessage = "Retrieves all Group Based License Assignments", ParameterSetName = "All")]
        [switch]
        $All
    )
    process {

        $baseUrl = "https://main.iam.ad.ext.azure.com/api/"

        try {

            if ($All.IsPresent) {

                $accountSkus = Get-AADLicenseSku
                $rep = @()

                foreach ($sku in $accountSkus){
                    $request = Invoke-WebRequest -Method Get -Uri $($baseUrl + "AccountSkus/GroupAssignments?accountSkuID=$($sku.accountSkuId)&nextLink=&searchText=&sortOrder=undefined") -Headers $(Get-AuthToken)
                    $requestContent = $request | ConvertFrom-Json

                    $licensedGroups = $requestContent.items | Select-Object objectId, displayName

                    $rep += [PSCustomObject]@{
                        Name = $sku.Name
                        AccountSkuId = $sku.accountSkuId
                        LicensedGroups = $licensedGroups
                    }
                }

                return $rep

            }else {
                $request = Invoke-WebRequest -Method Get -Uri $($baseUrl + "AccountSkus/Group/$groupId") -Headers $(Get-AuthToken) -ErrorAction Stop
                $requestContent = $request | ConvertFrom-Json
                return $requestContent
            }
        }
        catch {
            # convert the error message if it appears to be JSON
            if ($_.ErrorDetails.Message -like "{`"Classname*") {
                $local:errmsg = $_.ErrorDetails.Message | ConvertFrom-Json
                if ($local:errmsg.Clientdata.operationresults.details) {
                    Write-Error $local:errmsg.Clientdata.operationresults.details
                }
                else {
                    Write-Error $local:errmsg
                }
            }
            else {
                Write-Error $_
            }
        }
    }
}
#EndRegion '.\Public\Get-AADGroupLicenseAssignment.ps1' 59
#Region '.\Public\Get-AADLicenseSku.ps1' 0
function Get-AADLicenseSku {
    [cmdletbinding()]
    param()

    process {

        $baseUrl = "https://main.iam.ad.ext.azure.com/api/"

        try {
            $request = Invoke-WebRequest -Method Get -Uri $($baseUrl + "AccountSkus") -Headers $(Get-AuthToken)
            $requestContent = $request | ConvertFrom-Json
            return $requestContent
        }
        catch {
            # convert the error message if it appears to be JSON
            if ($_.ErrorDetails.Message -like "{`"Classname*") {
                $local:errmsg = $_.ErrorDetails.Message | ConvertFrom-Json
                if ($local:errmsg.Clientdata.operationresults.details) {
                    Write-Error $local:errmsg.Clientdata.operationresults.details
                }
                else {
                    Write-Error $local:errmsg
                }
            }
            else {
                Write-Error $_
            }
        }
    }
}
#EndRegion '.\Public\Get-AADLicenseSku.ps1' 30
#Region '.\Public\Remove-AADGroupLicenseAssignment.ps1' 0
function Remove-AADGroupLicenseAssignment {

    [cmdletbinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, HelpMessage = "ID of the Azure AD group")]
        [guid]$groupId,

        [Parameter(Mandatory, HelpMessage = "License SKU to remove")]
        [String]$accountSkuId
    )
    process {

        $licenceAssignmentConfig = @{
            assignments = @(
                @{
                    "objectId"       = "$groupId"
                    "isUser"         = $false
                    "addLicenses"    = @()
                    "removeLicenses" = @($accountSkuId)
                    "updateLicenses" = @()
                }
            )
        }

        $requestBody = $licenceAssignmentConfig | ConvertTo-Json -Depth 5
        $baseUrl = "https://main.iam.ad.ext.azure.com/api/"

        if ($PSCmdlet.ShouldProcess($groupId, "Remove license `"$accountSkuId`"")) {
            try {

                $response = Invoke-WebRequest -Method Post -Uri $($baseUrl + "AccountSkus/remove") -Headers $(Get-AuthToken) -Body $requestBody -ErrorAction Stop
                $responseContent = $response | ConvertFrom-Json
                return $responseContent

            }
            catch {
                # convert the error message if it appears to be JSON
                if ($_.ErrorDetails.Message -like "{`"Classname*") {
                    $local:errmsg = $_.ErrorDetails.Message | ConvertFrom-Json
                    if ($local:errmsg.Clientdata.operationresults.details) {
                        Write-Error $local:errmsg.Clientdata.operationresults.details
                    }
                    else {
                        Write-Error $local:errmsg
                    }
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}
#EndRegion '.\Public\Remove-AADGroupLicenseAssignment.ps1' 53
#Region '.\Public\Update-AADGroupLicenseAssignment.ps1' 0
function Update-AADGroupLicenseAssignment {

    [cmdletbinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, HelpMessage = "ID of the Azure AD group")]
        [guid]$groupId,

        [Parameter(Mandatory, HelpMessage = "License SKU to assign")]
        [String]$accountSkuId,

        [Parameter(HelpMessage = "Excluded features for the specified SKU")]
        [String[]]$disabledServicePlans = @()
    )
    process {

        $licenceAssignmentConfig = @{
            assignments = @(
                @{
                    "objectId"       = "$groupId"
                    "isUser"         = $false
                    "addLicenses"    = @()
                    "removeLicenses" = @()
                    "updateLicenses" = @(
                        @{
                            "accountSkuId"         = "$accountSkuId"
                            "disabledServicePlans" = @($disabledServicePlans)
                        }
                    )
                }
            )
        }



        $requestBody = $licenceAssignmentConfig | ConvertTo-Json -Depth 5
        $baseUrl = "https://main.iam.ad.ext.azure.com/api/"

        if ($PSCmdlet.ShouldProcess($groupId, "Update license `"$accountSkuId`", disabled plans: `"$($disabledServicePlans -join `",`")`"")) {
            try {

                $response = Invoke-WebRequest -Method Post -Uri $($baseUrl + "AccountSkus/update") -Headers $(Get-AuthToken) -Body $requestBody -ErrorAction Stop
                $responseContent = $response | ConvertFrom-Json
                return $responseContent
            }
            catch {
                # convert the error message if it appears to be JSON
                if ($_.ErrorDetails.Message -like "{`"Classname*") {
                    $local:errmsg = $_.ErrorDetails.Message | ConvertFrom-Json
                    if ($local:errmsg.Clientdata.operationresults.details) {
                        Write-Error $local:errmsg.Clientdata.operationresults.details
                    }
                    else {
                        Write-Error $local:errmsg
                    }
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}
#EndRegion '.\Public\Update-AADGroupLicenseAssignment.ps1' 62