From a4cdb9beef784b0bac02395dbe0a4450f138c4ce Mon Sep 17 00:00:00 2001 From: KoenZomers Date: Wed, 6 Dec 2023 21:57:15 +0100 Subject: [PATCH 1/2] Added Manage and FullControl to Grant-PnPAzureADAppSitePermission --- CHANGELOG.md | 1 + .../Grant-PnPAzureADAppSitePermission.md | 12 ++--- .../Apps/GrantAzureADAppSitePermission.cs | 54 +++++++++++-------- .../Enums/AzureADNewSitePermissionRole.cs | 14 ++++- .../Enums/AzureADUpdateSitePermissionRole.cs | 2 +- 5 files changed, 53 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93112f108..6abab9367 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - Added support for executing the 'Invoke-PnPSPRestMethod' cmdlet in a batch [#3565](https://github.com/pnp/powershell/pull/3565) - Added `Get-PnPSiteSetVersionPolicyProgress` cmdlet which allows for getting the progress of setting a version policy for existing document libraries on a site [#3564](https://github.com/pnp/powershell/pull/3564) - Added `EnableSensitivityLabelForPDF` to `Set-PnPTenant` and `Get-PnPTenant` [#3581](https://github.com/pnp/powershell/pull/3581) +- Added the ability to set Manage and FullControl permissions directly when using Sites.Selected with `Grant-PnPAzureADAppSitePermission` ### Fixed diff --git a/documentation/Grant-PnPAzureADAppSitePermission.md b/documentation/Grant-PnPAzureADAppSitePermission.md index b12654fc3..c0dc6dda3 100644 --- a/documentation/Grant-PnPAzureADAppSitePermission.md +++ b/documentation/Grant-PnPAzureADAppSitePermission.md 
@@ -20,12 +20,12 @@ Adds permissions for a given Azure Active Directory application registration. ## SYNTAX ```powershell -Grant-PnPAzureADAppSitePermission -AppId -DisplayName -Permissions [-Site ] [-Connection ] +Grant-PnPAzureADAppSitePermission -AppId -DisplayName -Permissions [-Site ] [-Connection ] ``` ## DESCRIPTION -This cmdlet adds permissions for a given Azure Active Directory application registration in a site collection. It is used in conjunction with the Azure Active Directory SharePoint application permission Sites.Selected. Notice that this cmdlet allows for fewer permissions compared to updating rights through [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md). If you wish to i.e. assign FullControl permissions, you need to add read or write permissions through this cmdlet first and then update it to FullControl. +This cmdlet adds permissions for a given Azure Active Directory application registration in a site collection. It is used in conjunction with the Azure Active Directory SharePoint application permission Sites.Selected. ## EXAMPLES @@ -38,10 +38,10 @@ Adds permissions for the Azure Active Directory application registration with th ### EXAMPLE 2 ```powershell -Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions Write -Site https://contoso.sharepoint.com/sites/projects +Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions FullControl -Site https://contoso.sharepoint.com/sites/projects ``` -Adds permissions for the Azure Active Directory application registration with the specific application id and sets the rights to 'Write' access for the site collection at the provided URL. +Adds permissions for the Azure Active Directory application registration with the specific application id and sets the rights to 'FullControl' access for the site collection at the provided URL. ## PARAMETERS 
@@ -88,14 +88,14 @@ Accept wildcard characters: False ``` ### -Permissions -Specifies the permissions to set for the Azure Active Directory application registration which can either be Read or Write. Use [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md) after initially adding these permissions to update it to Manage or FullControl permissions. +Specifies the permissions to set for the Azure Active Directory application registration which can either be Read, Write, Manage or FullControl. ```yaml Type: String Parameter Sets: (All) Required: True -Accepted values: Read, Write +Accepted values: Read, Write, Manage, FullControl Position: Named Default value: None Accept pipeline input: False diff --git a/src/Commands/Apps/GrantAzureADAppSitePermission.cs b/src/Commands/Apps/GrantAzureADAppSitePermission.cs index d1914b9be..f9bfe350a 100644 --- a/src/Commands/Apps/GrantAzureADAppSitePermission.cs +++ b/src/Commands/Apps/GrantAzureADAppSitePermission.cs @@ -14,6 +14,7 @@ namespace PnP.PowerShell.Commands.Apps [Cmdlet(VerbsSecurity.Grant, "PnPAzureADAppSitePermission")] [RequiredMinimalApiPermissions("Sites.FullControl.All")] [Alias("Grant-PnPEntraIDAppSitePermission")] + [OutputType(typeof(AzureADAppPermissionInternal))] public class GrantPnPAzureADAppSitePermission : PnPGraphCmdlet { [Parameter(Mandatory = true)] 
@@ -36,39 +37,50 @@ protected override void ExecuteCmdlet() Guid siteId = Guid.Empty; if (ParameterSpecified(nameof(Site))) { + WriteVerbose($"Using Microsoft Graph to lookup the site Id of the passed in site using -{nameof(Site)}"); siteId = Site.GetSiteIdThroughGraph(Connection, AccessToken); + WriteVerbose($"Site passed in using -{nameof(Site)} resolved to Id {siteId}"); } else { + WriteVerbose($"No specific site passed in through -{nameof(Site)}, taking the currently connected to site"); siteId = PnPContext.Site.Id; + WriteVerbose($"Currently connected to site has Id {siteId}"); } - if (siteId != Guid.Empty) + if (siteId == Guid.Empty) { - var payload = new - { - roles = Permissions.Select(p => p.ToLower()).ToArray(), - grantedToIdentities = new[] { - new { - application = new { - id = AppId.ToString(), - displayName = DisplayName - } + WriteVerbose("Id of the site to provide permissions on could not be defined. Please ensure you're passing in a valid site using -{nameof(Site)}"); + return; + } + + // Construct the payload of the Graph request + var payload = new + { + roles = Permissions.Select(p => p.ToString().ToLowerInvariant()).ToArray(), + grantedToIdentities = new[] { + new { + application = new { + id = AppId.ToString(), + displayName = DisplayName } - }, - grantedToIdentitiesV2 = new[] { - new { - application = new { - id = AppId.ToString(), - displayName = DisplayName - } + } + }, + grantedToIdentitiesV2 = new[] { + new { + application = new { + id = AppId.ToString(), + displayName = DisplayName } } - }; + } + }; - var results = Utilities.REST.RestHelper.PostAsync(Connection.HttpClient, $"https://{Connection.GraphEndPoint}/v1.0/sites/{siteId}/permissions", AccessToken, payload).GetAwaiter().GetResult(); - WriteObject(results.Convert()); - } + WriteVerbose($"Granting App with Id {AppId} the permission{(payload.roles.Length != 1 ? 
"s" : "")} {string.Join(',', payload.roles)}"); + + // Make the Graph Grant request + var result = Utilities.REST.RestHelper.PostAsync(Connection.HttpClient, $"https://{Connection.GraphEndPoint}/v1.0/sites/{siteId}/permissions", AccessToken, payload).GetAwaiter().GetResult(); + WriteObject(result.Convert()); } } } \ No newline at end of file diff --git a/src/Commands/Enums/AzureADNewSitePermissionRole.cs b/src/Commands/Enums/AzureADNewSitePermissionRole.cs index b4be19018..04a44b604 100644 --- a/src/Commands/Enums/AzureADNewSitePermissionRole.cs +++ b/src/Commands/Enums/AzureADNewSitePermissionRole.cs @@ -2,7 +2,7 @@ { /// /// Defines the roles that can be chosen when setting up a new site permission - /// See Graph Reference + /// See Graph Reference /// public enum AzureADNewSitePermissionRole { @@ -14,6 +14,16 @@ public enum AzureADNewSitePermissionRole /// /// Provides the ability to read and modify the metadata and contents of the item /// - Write + Write, + + /// + /// Applies the SharePoint manage permissions + /// + Manage, + + /// + /// Applies Full Control permissions + /// + FullControl } } diff --git a/src/Commands/Enums/AzureADUpdateSitePermissionRole.cs b/src/Commands/Enums/AzureADUpdateSitePermissionRole.cs index 82356858c..024bd809c 100644 --- a/src/Commands/Enums/AzureADUpdateSitePermissionRole.cs +++ b/src/Commands/Enums/AzureADUpdateSitePermissionRole.cs @@ -2,7 +2,7 @@ { /// /// Defines the roles that can be chosen when updating an existing site permission - /// See Graph Reference + /// See Graph Reference /// public enum AzureADUpdateSitePermissionRole { From c5ebc154522fec58758870c0136597be2a7f3782 Mon Sep 17 00:00:00 2001 From: KoenZomers Date: Wed, 6 Dec 2023 22:00:00 +0100 Subject: [PATCH 2/2] Adding PR reference --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6abab9367..9a0a3d7ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
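Review bot: In the new `siteId == Guid.Empty` guard the message handed to WriteVerbose is a plain string literal, so `{nameof(Site)}` is emitted literally instead of being interpolated; the line needs the `$` prefix. That branch also reports an unresolved site only on the verbose stream and then returns, so a caller running without -Verbose gets neither output nor an error from a cmdlet whose job is to grant a permission; an error is the right channel here, e.g. `throw new PSArgumentException($"Id of the site to provide permissions on could not be defined. Please ensure you're passing in a valid site using -{nameof(Site)}");` (or WriteError with an ErrorRecord if the command should keep processing pipeline input). The enclosing ExecuteCmdlet starts before this hunk, and the `Permissions.Select(p => p.ToString().ToLowerInvariant())` line suggests the parameter's type changed from string[] to the enum, which is not visible in this patch.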
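Review bot: The XML summaries on the new `Manage` and `FullControl` members of AzureADNewSitePermissionRole do not state the scope of what is granted, while the cmdlet documentation in the same patch describes FullControl as full-control access to the whole site collection; since this enum now lets an application be granted that level in one call, the member docs should say so and be written in the same style as the existing `Write` summary, e.g. `/// Grants the application full control over the entire site collection; prefer Read, Write or Manage where they are sufficient` on FullControl and `/// Grants the application the SharePoint Manage permission level on the site collection` on Manage. The `See Graph Reference` line changed in the same hunk has no visible link target in this view, so the updated reference cannot be confirmed from here.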
@@ -50,7 +50,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - Added support for executing the 'Invoke-PnPSPRestMethod' cmdlet in a batch [#3565](https://github.com/pnp/powershell/pull/3565) - Added `Get-PnPSiteSetVersionPolicyProgress` cmdlet which allows for getting the progress of setting a version policy for existing document libraries on a site [#3564](https://github.com/pnp/powershell/pull/3564) - Added `EnableSensitivityLabelForPDF` to `Set-PnPTenant` and `Get-PnPTenant` [#3581](https://github.com/pnp/powershell/pull/3581) -- Added the ability to set Manage and FullControl permissions directly when using Sites.Selected with `Grant-PnPAzureADAppSitePermission` +- Added the ability to set Manage and FullControl permissions directly when using Sites.Selected with `Grant-PnPAzureADAppSitePermission` [#3617](https://github.com/pnp/powershell/pull/3617) ### Fixed