<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
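# Determine the directory this script lives in, so the sibling Import-SPE-*.ps1
# files are located relative to this file and never relative to the caller's
# current working directory. $PSScriptRoot is the automatic variable for this
# (PowerShell 3+); the MyInvocation form is kept as a fallback so behaviour is
# unchanged on hosts where $PSScriptRoot is not populated.
$ScriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path $script:MyInvocation.MyCommand.Path }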
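function Test-MgAuth {
<#
.SYNOPSIS
Authenticates to Microsoft Graph and verifies the resulting session before returning.
.DESCRIPTION
Connects to Microsoft Graph with the delegated scopes this deployment requests,
deriving the tenant from the domain part of the supplied UPN. After connecting it
fails closed: the signed-in account must match the UPN, the context's tenant id
must match the organisation's id, and the UPN domain must be one of the tenant's
verified domains. On any mismatch the session is disconnected and a terminating
error is thrown, so a caller never continues against an unintended tenant.
.PARAMETER User
User principal name (user@domain) of the account to sign in as.
.EXAMPLE
Test-MgAuth -User admin@contoso.com
Signs in interactively and validates the session for admin@contoso.com.
.NOTES
NAME: Test-MgAuth
Throws (rather than printing and carrying on) when the required Graph cmdlets are
missing, the UPN is malformed, the connection fails, or validation fails.
#>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        $User
    )
    # Parse the UPN first. Outside a try block a New-Object failure only terminates
    # that statement, which would leave $tenant empty and let Connect-MgGraph sign in
    # to whatever home tenant the interactive account belongs to.
    try {
        $userUpn = New-Object 'System.Net.Mail.MailAddress' -ArgumentList $User
    }
    catch {
        throw "'$User' is not a valid user principal name (expected user@domain): $($_.Exception.Message)"
    }
    $tenant = $userUpn.Host
    if ([string]::IsNullOrWhiteSpace($tenant)) {
        throw "Unable to derive a tenant domain from '$User'"
    }

    Write-Host 'Checking for Microsoft Graph module...'
    # Check for the cmdlets this function actually calls rather than the meta-module
    # name, and abort when they are absent. The previous check only printed a warning
    # and then went on to call Connect-MgGraph anyway.
    $requiredCmdlets = @('Connect-MgGraph', 'Get-MgContext', 'Get-MgOrganization', 'Disconnect-MgGraph')
    $missingCmdlets = @($requiredCmdlets | Where-Object { -not (Get-Command -Name $_ -ErrorAction SilentlyContinue) })
    if ($missingCmdlets.Count -gt 0) {
        Write-Host
        Write-Host 'Microsoft Graph Powershell module not installed...' -f Red
        Write-Host "Install by running 'Install-Module Microsoft.Graph' from an elevated PowerShell prompt" -f Yellow
        Write-Host "Script can't continue..." -f Red
        Write-Host
        throw "Missing Microsoft Graph cmdlets: $($missingCmdlets -join ', ')"
    }

    $scopes = @()
    #########################################
    # Directory related scopes #
    #########################################
    # NOTE(review): these are broad tenant-wide write scopes (Directory.ReadWrite.All in
    # particular). This file only shows device-configuration, compliance and ADMX imports
    # being run; confirm against the dot-sourced Import-SPE-*.ps1 scripts which scopes are
    # actually exercised and trim the list to the minimum before wider use. Get-MgOrganization
    # below presumably relies on a directory/organization read scope being granted — verify
    # before removing Directory.* entries.
    $scopes += @('Device.Read.All',
        'User.Read.All',
        'GroupMember.ReadWrite.All',
        'Group.ReadWrite.All',
        'Directory.ReadWrite.All')
    #########################################
    # Device Management scopes #
    #########################################
    $scopes += @('DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'DeviceManagementRBAC.ReadWrite.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementApps.ReadWrite.All')

    try {
        Connect-MgGraph -Scopes $scopes -TenantId $tenant
        # Validate that we are connected to the expected tenant as the expected account.
        $ctx = Get-MgContext
        if ($null -eq $ctx) {
            throw 'Connect-MgGraph did not establish a session'
        }
        $org = Get-MgOrganization
        $domains = @($org.VerifiedDomains | Select-Object -ExpandProperty Name)
        # PowerShell's -ieq / -contains are case-insensitive, matching the original
        # ToLower() comparisons. Each check is guarded so a null context property
        # counts as a validation failure instead of a null-method exception.
        $accountMatches = ($null -ne $ctx.Account) -and ($ctx.Account -ieq $userUpn.Address)
        $tenantMatches = ($null -ne $org) -and ($ctx.TenantId -eq $org.Id)
        $domainMatches = $domains -contains $tenant
        if (-not ($accountMatches -and $tenantMatches -and $domainMatches)) {
            Write-Host 'Unable to verify tenant or account' -f Red
            # Drop the session so no later step can reuse a connection to the wrong tenant.
            Disconnect-MgGraph
            throw 'Unable to continue due to validation'
        }
    }
    catch {
        Write-Host $_.Exception.Message -f Red
        Write-Host
        # Re-throw so the caller stops with a terminating error. The original used
        # `break`, which only ends the script as a side effect of there being no
        # enclosing loop; an explicit throw fails closed regardless of how this
        # function is invoked.
        throw
    }
}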
####################################################
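# Collect the UPN interactively (it is not a secret, so Read-Host without -AsSecureString is fine).
$User = (Read-Host -Prompt 'Please specify your user principal name for Microsoft Authentication').Trim()
if ([string]::IsNullOrWhiteSpace($User)) {
    throw 'A user principal name is required'
}
Test-MgAuth -User $User
# Fail closed: the import scripts below write policies into the tenant, so refuse to
# continue unless a live Graph session for the requested account actually exists,
# independent of how Test-MgAuth reported failure.
$mgContext = Get-MgContext
if ($null -eq $mgContext -or ($mgContext.Account -ine $User)) {
    throw "No verified Microsoft Graph session for '$User'; aborting before any policy import"
}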
####################################################
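# The Import-SPE-*.ps1 files are dot-sourced on purpose: they run in this script's
# scope and so see $ScriptDir and the authenticated Graph session. That also means
# whatever those files contain executes with the signed-in admin's privileges, so
# only run this from a trusted, integrity-checked copy of the repository.
# They are dot-sourced inline rather than from a loop or a wrapper function so that
# scope semantics (and a `break` issued inside an import script) behave exactly as
# they did before.

# Resolve an import script next to this file, throwing a clear error if it is
# missing instead of letting the dot-source fail with a less obvious message and
# the remaining imports carry on.
function Resolve-ImportScript {
    param([Parameter(Mandatory = $true)][string]$Name)
    $path = Join-Path -Path $ScriptDir -ChildPath $Name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required import script not found: $path"
    }
    return $path
}

Write-Host 'Adding Device Configuration Profiles'
. (Resolve-ImportScript 'Import-SPE-DeviceConfiguration.ps1')
# Short pause between imports, retained from the original (presumably to let Graph settle).
Start-Sleep -Seconds 5
Write-Host 'Adding Device Compliance Policies'
. (Resolve-ImportScript 'Import-SPE-DeviceCompliancePolicies.ps1')
Start-Sleep -Seconds 5
Write-Host 'Adding Edge Browser Policy'
. (Resolve-ImportScript 'Import-SPE-DeviceConfigurationADMX.ps1')
Start-Sleep -Seconds 5
# Disabled upstream; re-enable only after reviewing what that script deploys.
#Write-host "Importing Device Config PowerShell script"
#. (Resolve-ImportScript 'Import-SPE-DeviceConfigScript.ps1')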