internal/functions/Register-EWSGuiApp.ps1

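Function Register-EWSGuiApp {
    <#
    .SYNOPSIS
    Registers EWS API Application into AzureAD

    .DESCRIPTION
    Registers EWS API Application into AzureAD and grant Admin consent on behalf of the Organization.

    The function performs three steps, each of which is skipped when it has already been done:
      1. Connects to AzureAD (installing the AzureAD module first when it is not available).
      2. Creates the "PowerShellEWSScripts" service principal for the hard-coded AppId and assigns the
         signed-in administrator to it.
      3. Grants tenant-wide ("onBehalfOfAll") admin consent for the application through the Azure
         portal's internal consent endpoint, using a refresh token read from the current Az session
         (Get-AzContext).

    Security notes for the operator:
      - Step 3 grants organisation-wide consent for the AppId below (User.Read against AzureAD and
        EWS.AccessAsUser.All against Exchange Online). After that no user in the tenant is prompted
        for consent when signing in to the app, so verify the AppId is the one you intend to trust
        before running this.
      - Step 3 needs an existing Connect-AzAccount session (Get-AzContext) in addition to the
        Connect-AzureAD session from step 1; the function fails with an explicit error when that
        session or an unexpired cached refresh token is missing, instead of sending an empty token.
      - The consent endpoint (main.iam.ad.ext.azure.com) is an undocumented portal API and may change
        or stop working without notice.

    .EXAMPLE
    PS C:\> Register-EWSGuiApp
    Registers EWS API Application into AzureAD
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments", "")]
    [Cmdletbinding()]
    param(
        # Parameters
    )
    Invoke-PSFProtectedCommand -Action "Connecting to AzureAD" -Target "AzureAD" -ScriptBlock {
        Write-PSFHostColor -String "[$((Get-Date).ToString("HH:mm:ss"))] Connecting to AzureAD"
        if ( !(Get-Module AzureAD -ListAvailable) -and !(Get-Module AzureAD) ) {
            # Supply-chain note: this installs AzureAD from whatever repositories are registered on
            # the machine, and -Force suppresses the untrusted-repository prompt. Pre-install the
            # module from a vetted source if your environment requires it.
            Install-Module AzureAD -Force -ErrorAction Stop
        }
        # -ErrorAction Stop so a failed import terminates here instead of surfacing later as
        # "Connect-AzureAD is not recognized".
        Import-Module AzureAD -ErrorAction Stop
        Write-PSFHostColor -String "[$((Get-Date).ToString("HH:mm:ss"))] We will connect to AzureAD to allow this app to connect to your tenant using OAUTH"
        # A failed sign-in is allowed to propagate to Invoke-PSFProtectedCommand, which is expected
        # to terminate the function because of -EnableException $true. The previous
        # 'catch { return $_ }' wrote the error record to the output stream and let the function
        # carry on with an empty $ConnStatus.
        $ConnStatus = Connect-AzureAD -ErrorAction Stop
    } -EnableException $true -PSCmdlet $PSCmdlet

    # NOTE(review): whether an assignment made inside the protected scriptblock is visible here
    # depends on how Invoke-PSFProtectedCommand invokes the block - confirm. Either way, never
    # continue without a signed-in account: the UPN filter below would otherwise be
    # "userprincipalname eq ''" and every later step would run against the wrong principal.
    if ( -not $ConnStatus -or [string]::IsNullOrEmpty($ConnStatus.Account.Id) ) {
        throw "Connect-AzureAD did not return a signed-in account; cannot register the application."
    }

    # register "PowerShellEWSScripts" as Enterprise App, by creating servicePrincipal (if not created)
    Write-PSFHostColor -String "[$((Get-Date).ToString("HH:mm:ss"))] Register `"PowerShellEWSScripts`" as Enterprise App, by creating servicePrincipal (if not created)"
    $AppDetails = Get-AzureADServicePrincipal -All:$True | Where-Object { $_.DisplayName -eq "PowerShellEWSScripts" }
    if ( $null -eq $AppDetails ) {
        # The AppId is the multi-tenant application this tool authenticates as; everything granted
        # below (app role assignment, tenant-wide consent) is bound to this identifier.
        $AzureADServicePrincipalParams = @{
            AccountEnabled            = $True
            AppId                     = "8799ab60-ace5-4bda-b31f-621c9f6668db"
            ServicePrincipalNames     = "8799ab60-ace5-4bda-b31f-621c9f6668db"
            AppRoleAssignmentRequired = $False
            DisplayName               = "PowerShellEWSScripts"
            PublisherName             = "Microsoft"
            # Plain-http loopback redirect for a native/public client; only localhost is accepted.
            ReplyUrls                 = "http://localhost/code"
            ServicePrincipalType      = "Application"
            Tags                      = "WindowsAzureActiveDirectoryIntegratedApp"
            ErrorAction               = "Stop"
        }
        $AppDetails = New-AzureADServicePrincipal @AzureADServicePrincipalParams
    }

    # register Service Principal Assignment between Global admin and the registered app:
    # OData string literals escape a single quote by doubling it; UPNs may legitimately contain one
    # (e.g. o'brien@contoso.com), which would otherwise break the filter.
    $AdminUpn = $ConnStatus.Account.Id -replace "'", "''"
    $AdminObjectId = (Get-AzureADUser -Filter "userprincipalname eq '$AdminUpn'").ObjectId
    if ( [string]::IsNullOrEmpty($AdminObjectId) ) {
        # Happens e.g. when the signed-in account is a guest whose UPN differs from Account.Id.
        throw "Could not resolve the signed-in account '$($ConnStatus.Account.Id)' to an AzureAD user; cannot assign it to the application."
    }
    $ExistingAssignment = Get-AzureADServiceAppRoleAssignment -ObjectId $AppDetails.ObjectId -All:$true | Where-Object { $_.PrincipalId -eq $AdminObjectId }
    if ( -not $ExistingAssignment ) {
        # The all-zero role id is the default (no specific app role) assignment.
        $null = $AppDetails | New-AzureADServiceAppRoleAssignment -PrincipalId $AdminObjectId -ResourceId $AppDetails.ObjectId -Id "00000000-0000-0000-0000-000000000000" -ErrorAction Stop
    }

    # Grant consent to the App to access EXO and Windows Azure AD to sign in on behalf of the whole tenant (no user consent will be needed afterwards)
    Write-PSFHostColor -String "[$((Get-Date).ToString("HH:mm:ss"))] Grant consent to the App to access EXO and AzureAD to sign-in on behalf of the users"
    # Resource ids: 525065a3-... = AzureAD (User.Read), 8b951d63-... = Exchange Online (EWS.AccessAsUser.All).
    $ExistingGrants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $AppDetails.ObjectId -All:$True
    $AlreadyConsented = $ExistingGrants | Where-Object { ($_.Scope -eq "User.Read" -and $_.ResourceId -eq "525065a3-df7d-474d-be08-90fa1d62d4bb") -or ($_.Scope -eq "EWS.AccessAsUser.All" -and $_.ResourceId -eq "8b951d63-7dd0-46e8-a326-15e3f6a26353") }
    if ( -not $AlreadyConsented ) {
        $TenantId = (Get-AzureADTenantDetail).ObjectId

        # The portal consent endpoint needs a token for the portal's own resource
        # (74658136-14ec-4630-ad9b-26e160ff0fc6). It is obtained by exchanging a refresh token cached
        # by an earlier Connect-AzAccount session; Connect-AzureAD above does not create one.
        $context = Get-AzContext
        if ( -not $context ) {
            throw "No Az context found. Run Connect-AzAccount (as a Global Administrator) for tenant $TenantId before granting consent."
        }
        # NOTE(review): TokenCache.ReadItems() is the legacy (ADAL) cache API; newer Az.Accounts
        # versions do not expose it - confirm against the Az.Accounts version in use.
        $cachedToken = @($context.TokenCache.ReadItems() | Where-Object { $_.TenantId -eq $TenantId -and $_.ExpiresOn -gt (Get-Date) })[0]
        $refreshToken = $cachedToken.RefreshToken
        if ( [string]::IsNullOrEmpty($refreshToken) ) {
            throw "No unexpired refresh token for tenant $TenantId found in the Az token cache; run Connect-AzAccount again before granting consent."
        }
        # A hashtable body is form-encoded by Invoke-RestMethod, so the token value is URL-encoded
        # instead of being pasted raw into a query string. Never log $body or $apiToken: both hold
        # bearer credentials for the signed-in administrator.
        $body = @{
            grant_type    = 'refresh_token'
            refresh_token = $refreshToken
            resource      = '74658136-14ec-4630-ad9b-26e160ff0fc6'
        }
        $apiToken = Invoke-RestMethod "https://login.windows.net/$TenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop
        $header = @{
            'Authorization'          = 'Bearer ' + $apiToken.access_token
            'X-Requested-With'       = 'XMLHttpRequest'
            'x-ms-client-request-id' = [guid]::NewGuid()
            'x-ms-correlation-id'    = [guid]::NewGuid()
        }
        # onBehalfOfAll=true is tenant-wide admin consent for every permission the app requests;
        # it requires a Global Administrator token. The endpoint's response is passed through as
        # this function's output, as before.
        $url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$($AppDetails.AppId)/Consent?onBehalfOfAll=true"
        Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
    }
}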