functions/private/New-CSPAdmin.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
function New-CSPAdmin {
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string] $AccountName = "CSPAdmin",
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $DomainName

    )
    try{
        $UserName = "$AccountName@$DomainName"
        #$AdminRole = Get-MsolRole -RoleName 'Company Administrator'
        $AdminRole = (Get-AzureADDirectoryRole).where{$_.DisplayName -eq 'Company Administrator'}
        if(($User = get-azureaduser -SearchString $UserName)){
            if((Get-AzureADDirectoryRoleMember -ObjectId $AdminRole.ObjectId).where{$_.DisplayName -eq "$UserName"}){
                write-log "The CSPAdmin account '$AccountName' already exists in the correct scope. Resetting password..."
                $PassWord = new-swrandompassword
                $null = Set-AzureADUserPassword -ObjectId $User.ObjectId -Password $($PassWord|ConvertTo-SecureString -AsPlainText -Force) -ForceChangePasswordNextLogin $false -EnforceChangePasswordPolicy $false
                #$null = Set-MsolUserPassword -ObjectId $User.ObjectId -NewPassword $PassWord -ForceChangePassword $false
                $cred = new-object pscredential $User.UserPrincipalName,($Password|ConvertTo-SecureString -AsPlainText -force)
                $cred
            } else {
                throw "the account '$AccountName' already exists in the wrong security scope"
            }
        } else {
            $PassWord = new-swrandompassword
            
            #$User= New-AzureADUser -DisplayName $AccountName -UserPrincipalName "$AccountName@$DomainName" -PasswordNeverExpires $true -Password $PassWord
            $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
            $PasswordProfile.EnforceChangePasswordPolicy = $false
            $PasswordProfile.ForceChangePasswordNextLogin = $false
            $PasswordProfile.Password = $PassWord
            $User = New-AzureADUser -AccountEnabled $true -MailNickName $AccountName -UserPrincipalName $username -PasswordProfile $PasswordProfile -DisplayName $username
            if($? -eq $false){
                throw $Error[0]
            }
            $null = Set-AzureADUserPassword -ObjectId $User.ObjectId -Password $($PassWord|ConvertTo-SecureString -AsPlainText -Force) -ForceChangePasswordNextLogin $false -EnforceChangePasswordPolicy $false
            #$null = Set-MsolUserPassword -ObjectId $User.ObjectId -NewPassword $PassWord -ForceChangePassword $false
            #$null = Add-MsolRoleMember -RoleObjectId $AdminRole.ObjectId -RoleMemberType User -RoleMemberObjectId $User.ObjectId
            $null = Add-AzureADDirectoryRoleMember -ObjectId $AdminRole.ObjectId -RefObjectId $User.ObjectId
            $cred = new-object pscredential $User.UserPrincipalName,($Password|ConvertTo-SecureString -AsPlainText -force)
            $cred
            write-log "Created CSP Admin Account '$AccountName'"
        }
    } catch {
        throw "Error during CSP Admin creation/retrieval: $_"
    }

}