azure - PowerShell 或 Azure CLI - 显示/创建已设置 PIM 的 Azure 安全组

Question

使用 Azure 门户，我设置了一个名为“SG_AZR-0111-0014-002_O”的 Azure 安全组。然后，我设置特权身份管理以允许 PIM 成为该组的成员。有关背景信息 - 我将其与 Azure AD 集成一起使用到第三方产品中，因此成为该组成员的 PIM 将在第三方产品中提供升级的权限。

我正在尝试设置一个脚本 - 最好是 PowerShell 或 azure cli 来自动执行此操作，因为这对我们(更多安全组)来说将是一个重复的事情。我环顾四周，但没有看到任何方法来查看和/或创建它。如 - 我想要一个脚本来验证是否为 PIM 设置了安全组，如果没有，则创建它。理想情况下，我还想将成员添加到符合条件的任务中。

Answer 1

I want a script to verify a security group is set up for PIM and if not, create it. Ideally, I'd also like to add members to the eligible assignments.

这是 PowerShell检查 Privileged Identity Management 的安全组是否存在的脚本存在，如果不存在则创建它。它还将成员添加到符合条件的任务中。

    Connect-AzureAD
    $upn = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="82f7f1e7f0c2e3e1e0acedecefebe1f0edf1ede4f6ace1edef" rel="noreferrer noopener nofollow">[email protected]</a>"
    $groupId = "xxxxxxxx-21f1-4871-8ba317a7b9b608ee"
    $resource = Get-AzureADMSPrivilegedResource -ProviderId aadGroups
    $subject = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    # Check if the security group exists
    $group = Get-AzADGroup -SearchString $securityGroupName
    if ($group -eq $null) {
        # Create the security group if it doesn't exist
        $group = New-AzADGroup -DisplayName $securityGroupName -MailEnabled $false -SecurityEnabled $true
        Write-Host "Created Security Group: $($group.DisplayName)"
    } else {
        Write-Host "The Group: $securityGroupName already exists."
    }
    
    $roleDefinitionCollection = $roleDefinitionCollection = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadGroups" -ResourceId $groupId
    $reason = "test"
    
    if ($roleDefinitionCollection.Count -eq 0) {
        $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
        $schedule.Type = "Once"
        $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        
        Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AzureResources -Schedule $schedule -ResourceId $securityGroupName -RoleDefinitionId $roleDefinitionId -SubjectId $subjectObjectId -AssignmentState "Eligible" -Type "AdminAdd"
        
        Write-Host "Enabling PIM for the group: $securityGroupName"
    } else {
        Write-Host "PIM is already enabled for the group: $securityGroupName"
    }

输出:

引用:azure - How to activate Privileged Access Groups using Powershell? - Stack Overflow通过Brice