Public/Push-AzureADUsersToBB.ps1
|
Function Push-AzureADUsersToBB { <# .SYNOPSIS Takes users via the pipeline from Get-MgUser or from the deprecated Get-AzureADUser, converts the information needed and process it directly in GoBright .DESCRIPTION Takes users via the pipeline from Get-MgUser or from the deprecated Get-AzureADUser, converts the information needed and process it directly in GoBright .PARAMETER ADUserNamePropertyName Optional AzureAd User Property which contains the name of the user, in case you do not want to use the default property .PARAMETER ADUserPincodePropertyName Optional AzureAd User Property which contains the pincode .PARAMETER ADUserMobilePropertyName Optional AzureAd User Property which contains the mobile phone number .PARAMETER ADUserNFCIdPropertyName Optional AzureAd User Property which contains the NFC Identifier, note that this must be in hex format, example: XX:XX:XX .PARAMETER ADUserDefaultCostCenterIdOrNamePropertyName Optional AzureAd User Property which contains the Default Cost Center for the user, which can be the Name or the Id, both the name or id can be found in the GoBright portal .PARAMETER BrightBookingApiUrl Address of the GoBright API, e.g.: https://t1b.gobright.cloud/ .PARAMETER BrightBookingApiKey API key of the user to use to process the import .PARAMETER BrightBookingIntegrationName Name of the GoBright integration to link the users to .PARAMETER UserRoleNameForNewUsers Name of the GoBright userrole to link new users to .PARAMETER UserDefaultRoleName Optional default name of role the role the user should get (will be assigned to every user, except for the matches found in 'GroupUserRoleMapping') .PARAMETER GroupUserRoleMapping Optional map of AzureADRoleName and the corresponding role name that should be assigned. First match will be taken, and will override a potential given 'UserDefaultRoleName' Examplestructure to supply in this parameter: $groupToRoleMapping = @() $groupToRoleMapping += @{AzureADRoleName = "Group name A"; RoleName = "Bookingmanagers"} $groupToRoleMapping += @{AzureADRoleName = ""; RoleName = "Standard user role"; MatchType = "AddForEveryUser"} # NOTE: Here a special case, by setting MatchType = "AddForEveryUser", every user will be assigned to this "Standard user role" .PARAMETER DeactivateExistingUsersInSameIntegrationThatAreNotLoaded Deactivate users that exist in the platform in the same integration but are not loaded anymore from AD (e.g. because they are not anymore in the group you filter on) .PARAMETER IncludeUsersWithoutAzureADAssignedLicensesOrAssignedPlans Include users that do not have AzureAD licenses assigned (would otherwise be included as inactive) or AzureAD licenses assigned (would otherwise be fully excluded). Note that including these users might result in having unintended 'users' like serviceacounts, roommailbox users, etc. That can be mitigated by filtering the users before feeding them into this command. .PARAMETER WhatIf Use the WhatIf switch to print out the retreived users, without processing them to the API. This is usefull for testing purposes .EXAMPLE Get-MgUser -All -Select Id,DisplayName,Mail,UserPrincipalName,AccountEnabled,MobilePhone,AssignedLicenses | Push-AzureADUsersToBB -BrightBookingApiUrl "https://xyz.gobright.cloud/" -BrightBookingApiKey "[your api key]" -BrightBookingIntegrationName "Office 365" # Get all users in the AzureAD and let GoBright process it directly .LINK Get-MgUser #> [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')] Param( [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [System.Object[]]$pipelineInput, [Parameter(Mandatory = $False)] [string]$ADUserEmailAddressPropertyName = "Mail", [Parameter(Mandatory = $False)] [ValidateSet("None", "UserPrincipalName")] [string]$ADUserSpecificUsername = "None", [Parameter(Mandatory = $False)] [string]$ADUserNamePropertyName = "DisplayName", [Parameter(Mandatory = $False)] [string]$ADUserPincodePropertyName, [Parameter(Mandatory = $False)] [string]$ADUserMobilePropertyName = "MobilePhone", [Parameter(Mandatory = $False)] [string]$ADUserNFCIdPropertyName, [Parameter(Mandatory = $False)] [string]$ADUserDefaultCostCenterIdOrNamePropertyName, [Parameter(Mandatory = $True)] [string]$BrightBookingApiUrl, [Parameter(Mandatory = $True)] [string]$BrightBookingApiKey, [Parameter(Mandatory = $True)] [string]$BrightBookingIntegrationName, [Parameter(Mandatory = $False)] [string]$UserRoleNameForNewUsers, [Parameter(Mandatory = $False)] [string]$UserDefaultRoleName, [Parameter(Mandatory = $False)] [System.Object[]]$GroupUserRoleMapping, [switch]$DeactivateExistingUsersInSameIntegrationThatAreNotLoaded, [switch]$IncludeUsersWithoutAzureADAssignedLicensesOrAssignedPlans ) Begin { If (-not $PSBoundParameters.ContainsKey('Confirm')) { $ConfirmPreference = $PSCmdlet.SessionState.PSVariable.GetValue('ConfirmPreference') } If (-not $PSBoundParameters.ContainsKey('WhatIf')) { $WhatIfPreference = $PSCmdlet.SessionState.PSVariable.GetValue('WhatIfPreference') } $convertedUsers = @() $pipelineAzureADUsers = [System.Collections.Generic.List[Object]]::new() } Process { # collect all input users $pipelineAzureADUsers.Add($_) } End { # make the list unique, so we don't have duplicates $pipelineAzureADUsers = $pipelineAzureADUsers | Sort-Object -Property * -Unique # auto detect if the new Microsoft.Graph.Users module is used, or the old AzureAD module $UseDeprecatedAzureADModule = $False Foreach ($ADUser in $pipelineAzureADUsers) { If ($ADUser.GetType().FullName.StartsWith("Microsoft.Open.AzureAD","CurrentCultureIgnoreCase")) { $UseDeprecatedAzureADModule = $True Write-Warning "Detected user data that is loaded from the AzureAD module, please note that the AzureAD module is deprecated from 1st July 2023, visit https://support.gobright.com to migrate to the new Microsoft.Graph.Users module" } Else { If ($ADUser.GetType().FullName.StartsWith("Microsoft.Graph.PowerShell","CurrentCultureIgnoreCase")) { # user is loaded with Microsoft.Graph module } } break } # if using deprecated AzureAD module, then set the ADUserMobilePropertyName back to the default of the deprecated AzureAD module If ($UseDeprecatedAzureADModule) { If ($ADUserMobilePropertyName -eq "MobilePhone") { $ADUserMobilePropertyName = "Mobile" } } # prepare the user-role mapping If ($GroupUserRoleMapping) { Write-Output "Loading AzureAD groups for configured groups in the group to role mapping" # lookup a groupname, we do this in the order of the supplied key/values, and the first hit is taken. Foreach ($groupUserRoleMappingItem in $GroupUserRoleMapping) { If (-not ((-not $groupUserRoleMappingItem.RoleType) -or ($groupUserRoleMappingItem.RoleType -eq "MWV") -or ($groupUserRoleMappingItem.RoleType -eq "View"))) { Write-Warning "RoleType is not correct for role '$($groupUserRoleMappingItem.RoleName)', valid RoleType values are: MWV or View, but found: '$($groupUserRoleMappingItem.RoleType)', this rolemapping will be skipped" continue } If ($groupUserRoleMappingItem.MatchType -eq "AddForEveryUser") { # for this special match type we should not load the users of the group, because it is designed to matche always (and probably does not even have an AzureADRoleName set) Write-Output " - Special MatchType 'AddForEveryUser' found, every user will be added to the role '$($groupUserRoleMappingItem.RoleName)'" } Else { $foundGroup = $null # try to find the related group by name If ($UseDeprecatedAzureADModule) { $foundGroups = Get-AzureADGroup -Filter "DisplayName eq '$($groupUserRoleMappingItem.AzureADRoleName)'" } Else { [array]$foundGroups = Get-MgGroup -Filter "DisplayName eq '$($groupUserRoleMappingItem.AzureADRoleName)'" } If ($foundGroups.Count -ge 1) { # add the object id of the group to the mapping, so we can use it later on $foundGroup = $foundGroups[0] } $memberUserObjectIds = @() If ($foundGroup) { If ($UseDeprecatedAzureADModule) { $azureADGroupMembers = Get-AzureADGroupMember -All $true -ObjectId $foundGroup.ObjectId } Else { $azureADGroupMembers = Get-MgGroupMember -All -GroupId $foundGroup.Id } Foreach ($azureADGroupMember in $azureADGroupMembers) { If ($UseDeprecatedAzureADModule) { $memberUserObjectIds += $azureADGroupMember.ObjectId } Else { $memberUserObjectIds += $azureADGroupMember.Id } } Write-Output " - Group '$($foundGroup.DisplayName)' found, contains $($memberUserObjectIds.Count) users" } Else { Write-Warning " - Group '$($groupUserRoleMappingItem.AzureADRoleName)' not found in AzureAD, so users cannot be mapped to this group" } $groupUserRoleMappingItem | Add-Member MemberUserObjectIds $memberUserObjectIds -Force } } Write-Output "Finished loading AzureAD group info" } # process the users given in the pipeline Foreach ($ADUser in $pipelineAzureADUsers) { # load the basic information fields from the user object $userEmailAddress = "" If ($ADUserEmailAddressPropertyName) { $userEmailAddress = $ADUser.$ADUserEmailAddressPropertyName } Else { $userEmailAddress = $ADUser.Mail } $userName = "" If ($ADUserNamePropertyName) { $userName = $ADUser.$ADUserNamePropertyName } Else { $userName = $ADUser.DisplayName } $userAuthenticationUsername = "" if ($ADUserSpecificUsername -like "UserPrincipalName") { $userAuthenticationUsername = $ADUser.UserPrincipalName } $userMobile = "" If ($ADUserMobilePropertyName) { $userMobile = $ADUser.$ADUserMobilePropertyName } $userNFCId = "" If ($ADUserNFCIdPropertyName) { $userNFCId = $ADUser.$ADUserNFCIdPropertyName } $userDefaultCostCenterIdOrName = "" If ($ADUserDefaultCostCenterIdOrNamePropertyName) { $userDefaultCostCenterIdOrName = $ADUser.$ADUserDefaultCostCenterIdOrNamePropertyName } $userEnabled = $false If ($ADUser.AccountEnabled -And ($ADUser.AssignedLicenses -Or $IncludeUsersWithoutAzureADAssignedLicensesOrAssignedPlans) -And $userEmailAddress) { $userEnabled = $true } $userPincode = "" If ($ADUserPincodePropertyName) { $userPincode = $ADUser.$ADUserPincodePropertyName } $userMappedRoles = @() If ($GroupUserRoleMapping) { # lookup which roles are valid for this user Foreach ($groupUserRoleMappingItem in $GroupUserRoleMapping) { $userMatches = $false # check if there is a 'special' matchtype, and otherwise match the default way If ($groupUserRoleMappingItem.MatchType -eq "AddForEveryUser") { $userMatches = $true } Else { If ($UseDeprecatedAzureADModule) { If ($groupUserRoleMappingItem.MemberUserObjectIds -contains $ADUser.ObjectId) { $userMatches = $true } } Else { If ($groupUserRoleMappingItem.MemberUserObjectIds -contains $ADUser.Id) { $userMatches = $true } } } If ($userMatches) { $propertiesHash = [ordered]@{ RoleName = $groupUserRoleMappingItem.RoleName RoleType = $groupUserRoleMappingItem.RoleType } $userMappedRoles += New-Object PSObject -Property $propertiesHash } } } # if nothing matched, then add the default rolename If ($UserDefaultRoleName) { If ($userMappedRoles.Count -eq 0) { $propertiesHash = [ordered]@{ RoleName = $UserDefaultRoleName } $userMappedRoles += New-Object PSObject -Property $propertiesHash } } If ($UseDeprecatedAzureADModule) { $uniqueImportID = $ADUser.ObjectId $hasAssignedLicenses = $ADUser.AssignedPlans } Else { $uniqueImportID = $ADUser.Id $hasAssignedLicenses = $ADUser.AssignedLicenses } $outputUserPropertiesHash = [ordered]@{ EmailAddress = $userEmailAddress Name = $userName AuthenticationUsername = $userAuthenticationUsername TelephoneMobile = $userMobile Pincode = $userPincode Active = $userEnabled UniqueImportID = $uniqueImportID UserMappedRoles = $userMappedRoles NFCId = $userNFCId DefaultCostCenterIdOrName = $userDefaultCostCenterIdOrName } If ($hasAssignedLicenses -Or $IncludeUsersWithoutAzureADAssignedLicensesOrAssignedPlans) { $outputUser = New-Object PSObject -Property $outputUserPropertiesHash $convertedUsers += $outputUser } } # finishing all, and either put it to process further, or return the result as WhatIf result $syncIncludesUserPincode = $false If ($ADUserPincodePropertyName) { $syncIncludesUserPincode = $true } $syncIncludesUserNFCId = $false If ($ADUserNFCIdPropertyName) { $syncIncludesUserNFCId = $true } # ShouldProcess intercepts WhatIf* --> no need to pass it on If ($PSCmdlet.ShouldProcess("ShouldProcess?")) { If ($DeactivateExistingUsersInSameIntegrationThatAreNotLoaded) { Send-ADUsersToBB -pipelineConvertedADUsers $convertedUsers -BrightBookingApiUrl $BrightBookingApiUrl -BrightBookingApiKey $BrightBookingApiKey -BrightBookingIntegrationName $BrightBookingIntegrationName -UserRoleNameForNewUsers $UserRoleNameForNewUsers -SyncIncludesUserPincode $syncIncludesUserPincode -SyncIncludesUserNFCId $syncIncludesUserNFCId -DeactivateExistingUsersInSameIntegrationThatAreNotLoaded } Else { Send-ADUsersToBB -pipelineConvertedADUsers $convertedUsers -BrightBookingApiUrl $BrightBookingApiUrl -BrightBookingApiKey $BrightBookingApiKey -BrightBookingIntegrationName $BrightBookingIntegrationName -UserRoleNameForNewUsers $UserRoleNameForNewUsers -SyncIncludesUserPincode $syncIncludesUserPincode -SyncIncludesUserNFCId $syncIncludesUserNFCId } } Else { $countConvertedUsers = $convertedUsers | Measure-Object | Select-Object -ExpandProperty Count; Write-Output "============ Test mode (AzureAD) ============" Write-Output "When run in normal mode, it would now process the following $countConvertedUsers users to the API." Write-Output "If you want to run it for real, you should run without the WhatIf parameter." If ($syncIncludesUserPincode) { Write-Output "Sync will process user property '$ADUserPincodePropertyName' as 'PIN code'" } If ($syncIncludesUserNFCId) { Write-Output "Sync will process user property '$ADUserNFCIdPropertyName' as NFC ids" } Return $convertedUsers } } } |