diff --git a/ImportPolicies.ps1 b/ImportPolicies.ps1 index 5b3944a..fb273eb 100644 --- a/ImportPolicies.ps1 +++ b/ImportPolicies.ps1 @@ -27,7 +27,7 @@ ForEach ($policie in $policies) { try { $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version - # $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10) + $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10) Write-Host "āœ… $PolicieName - successfully imported!" #$response } catch { @@ -39,10 +39,9 @@ ForEach ($policie in $policies) { # Define the dynamic membership rule $dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")' - # Create the security group with dynamic membership $groupBody = @{ - displayName = "Intune - All Windows Workstations Dynamic Membership" + displayName = "Intune - All Windows Workstations MDM" mailEnabled = $false mailNickname = "IntuneWindowsDevices" securityEnabled = $true 
@@ -57,4 +56,26 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10 # Create the group using Invoke-MgGraphRequest Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json" +# Define the dynamic membership rule +$dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")' + +# Create the security group with dynamic membership +$groupBody = @{ + displayName = "Intune - All Windows Computers" + mailEnabled = $false + mailNickname = "IntuneWindowsDevices" + securityEnabled = $true + groupTypes = @("DynamicMembership") + membershipRule = $dynamicRule + membershipRuleProcessingState = "On" +} + +# Convert the body to JSON +$groupBodyJson = $groupBody | ConvertTo-Json -Depth 10 + +# Create the group using Invoke-MgGraphRequest +Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json" + + + $null = Disconnect-Graph -ErrorAction SilentlyContinue \ No newline at end of file diff --git a/NewAppReg.ps1 b/NewAppReg.ps1 new file mode 100644 index 0000000..5061cf3 --- /dev/null +++ b/NewAppReg.ps1 
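Review bot: The second group block appended at the end of this hunk repeats the first one line for line (rule, hashtable, ConvertTo-Json, POST) and reuses `mailNickname = "IntuneWindowsDevices"` from the group created in the previous hunk, so both groups carry the same nickname; whether the directory accepts that for non-mail-enabled security groups should be confirmed, and a distinct nickname is safer either way. Neither POST captures or checks its result, and a second run of the script creates both groups again because nothing looks the display name up first. Moving the repeated twenty lines into a helper that takes display name, nickname and rule removes the duplication and gives one place for the existence check and error handling. The enclosing script begins before this hunk; the first group's remaining fields are in the earlier hunk.
```powershell
function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # Skip creation when a group with this name already exists so re-runs stay idempotent
    $existing = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/groups?`$filter=displayName eq '$DisplayName'"
    if ($existing.value.Count -gt 0) {
        Write-Host "Group '$DisplayName' already exists - skipping."
        return $existing.value[0]
    }
    $groupBody = @{
        displayName                   = $DisplayName
        mailEnabled                   = $false
        mailNickname                  = $MailNickname
        securityEnabled               = $true
        groupTypes                    = @("DynamicMembership")
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = "On"
    }
    try {
        return Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body ($groupBody | ConvertTo-Json -Depth 10) -ContentType "application/json"
    } catch {
        Write-Host "Failed to create group '$DisplayName' - $_"
    }
}

# … unchanged: first group's $dynamicRule definition …
New-DynamicDeviceGroup -DisplayName "Intune - All Windows Workstations MDM" -MailNickname "IntuneWindowsDevices" -MembershipRule $dynamicRule
# "IntuneWindowsComputers" is a constructed example; any nickname distinct from the first group works
New-DynamicDeviceGroup -DisplayName "Intune - All Windows Computers" -MailNickname "IntuneWindowsComputers" -MembershipRule '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
```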
@@ -0,0 +1,178 @@ +# Ensure Microsoft.Graph module is installed +if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) { + Write-Host "Installing Microsoft.Graph module..." + Install-Module -Name Microsoft.Graph -Force -AllowClobber +} + +# Ensure ExchangeOnlineManagement module is installed +if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) { + Write-Host "Installing ExchangeOnlineManagement Module..." + Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber +} + + +# Import necessary modules +Import-Module Microsoft.Graph.Authentication +Import-Module Microsoft.Graph.Applications +Import-Module ExchangeOnlineManagement + +# Connect to Microsoft Graph with required permissions +Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome + +# Application details +$Name = "GraphAPI" +$Scope = "Application.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration", "User.ReadWrite.All" + +# Fetch Microsoft Graph Service Principal +$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" +$graphRoles = $graphSp.AppRoles + +# Debugging: Confirm AppRoles permissions +# Write-Host "`nšŸ” Retrieved AppRoles from Microsoft Graph:" +# $graphRoles | Format-Table DisplayName, Id, Value -AutoSize + +# Build required resource access list +$resourceAccess = @() +foreach ($perm in $Scope) { + $permId = ($graphRoles | Where-Object { $_.Value -eq $perm }).Id + if ($permId) { + $resourceAccess += @{ + "id" = $permId + "Type" = "Role" # Use "Scope" if using delegated permissions + } + } else { + Write-Host "āš ļø Skipping $perm - Role ID not found in Microsoft Graph." 
+ } +} + +# Debugging: Confirm matched permissions +# Write-Host "`nāœ… Final Mapped Permissions:" +# $resourceAccess | Format-Table -AutoSize + +# Define app creation body +$body = @{ + DisplayName = $Name + SignInAudience = "AzureADMyOrg" + RequiredResourceAccess = @( + @{ + ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + ResourceAccess = $resourceAccess + } + ) +} + +# Convert body to JSON +$payload = $body | ConvertTo-Json -Depth 4 + +# Create the application +Write-Host "Creating Azure AD application..." +$app = New-MgApplication -BodyParameter $payload + +if (-not $app) { + Write-Host "āŒ Failed to create application. Exiting." + exit +} + +Write-Host "āœ… Application Created: $($app.Id)" + +# Wait for the application to propagate +Start-Sleep -Seconds 10 +Write-Host "ā³ Waiting for application propagation..." + +# Create Service Principal +Write-Host "Creating Service Principal..." +$servicePrincipal = New-MgServicePrincipal -AppId $app.AppId + +if (-not $servicePrincipal) { + Write-Host "āŒ Failed to create Service Principal. Exiting." + exit +} + +Write-Host "āœ… Service Principal created: $($servicePrincipal.Id)" + +# Wait for service principal to propagate +Start-Sleep -Seconds 10 +Write-Host "ā³ Waiting for application permissions to propagate..." 
+ +# Grant Admin Consent +foreach ($access in $resourceAccess) { + # Write-Host "`nšŸ”¹ About to grant admin consent for:" + # Write-Host " āžœ AppRoleId: $($access.id)" + # Write-Host " āžœ ServicePrincipalId: $($servicePrincipal.Id)" + # Write-Host " āžœ PrincipalId: $($servicePrincipal.Id)" + # Write-Host " āžœ ResourceId: $($graphSp.Id)" + + try { + $null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -PrincipalId $servicePrincipal.Id -ResourceId $graphSp.Id -AppRoleId $access.id + + Write-Host "āœ… Successfully granted admin consent for AppRoleId: $($access.id)" + } catch { + Write-Host "āŒ Failed to grant admin consent for AppRoleId: $($access.id) - $_" + } +} + +Write-Host "`nšŸŽ‰ Admin consent process completed!" + +# ------------------------------- +# CREATE CLIENT SECRET +# ------------------------------- + +Write-Host "`nšŸ” Creating Client Secret..." +$secretStartDate = Get-Date +$secretEndDate = $secretStartDate.AddYears(1) # Secret valid for 1 year + +$clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{ + DisplayName = "GraphAPI-ClientSecret" + StartDateTime = $secretStartDate + EndDateTime = $secretEndDate +} + +if (-not $clientSecret) { + Write-Host "āŒ Failed to create client secret. Exiting." + exit +} + +Write-Host "āœ… Client Secret Created!" + +# ------------------------------- +# PRINT CREDENTIALS (STORE SECURELY!) 
+# ------------------------------- + +$tenantId = (Get-MgOrganization).Id + +Write-Host "`nšŸš€ **Application Credentials**" +Write-Host "----------------------------------" +Write-Host "🌐 Tenant ID: $tenantId" +Write-Host "šŸ”‘ Client ID: $($app.AppId)" +Write-Host "šŸ•µļøā€ā™‚ļø Client Secret: $($clientSecret.SecretText)" +Write-Host "----------------------------------" + +#Connect-ExchangeOnline -ShowBanner:$false + +$scope = "https://graph.microsoft.com/.default" +$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" + +# Create the body for the token request +$body = @{ + client_id = "$($app.AppId)" + scope = $scope + client_secret = "$($clientSecret.SecretText)" + grant_type = "client_credentials" +} + +# Request the token +$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body +$accessToken = $tokenResponse.access_token + +# Use the token in subsequent requests +$headers = @{ + Authorization = "Bearer $accessToken" +} +$templates = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/templates" -Headers $headers + +# Output the templates +$templates + +$null = Disconnect-Graph -ErrorAction SilentlyContinue +$null = Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue + diff --git a/policies/LAPS.json b/policies/LAPS.json index a831922..f0b5527 100644 --- a/policies/LAPS.json +++ b/policies/LAPS.json 
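Review bot: The second prerequisite check at the top of NewAppReg.ps1 tests `Get-Module -ListAvailable -Name Microsoft.Graph` a second time instead of ExchangeOnlineManagement, so that module is never installed when missing and the later `Import-Module ExchangeOnlineManagement` fails; the condition should read `if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {`. The client secret is written to the console in clear (`Write-Host "... Client Secret: $($clientSecret.SecretText)"`) and then copied into the `$body` hashtable for the token request, so it ends up in transcripts, console history and any CI log; handing `SecretText` straight to a vault or returning it as a `SecureString` and printing only the tenant and client IDs avoids that. The `$Scope` list is granted as application roles (`"Type" = "Role"`) and includes Application.ReadWrite.All, Group.ReadWrite.All and User.ReadWrite.All, which let this one credential modify any application, group or user in the tenant, so each role should be justified against what ImportPolicies.ps1 actually calls. Both `exit` statements after the failed-creation checks exit with status 0, so a calling pipeline cannot tell the run failed; `exit 1` is the intended signal.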
@@ -1,81 +1,59 @@ { - "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", - "createdDateTime": "2025-03-03T10:40:15.8588089Z", - "creationSource": null, - "description": "", - "lastModifiedDateTime": "2025-03-03T10:40:15.8588089Z", - "name": "LAPS", + "name": "Windows LAPS", + "description": "created by ourcloudnetwork.com", "platforms": "windows10", - "priorityMetaData": null, + "technologies": "mdm", "roleScopeTagIds": [ "0" ], - "settingCount": 2, - "technologies": "mdm", - "id": "e7c1fcf8-13fb-42c7-a09a-3f43d7bd5cc9", - "templateReference": { - "templateId": "", - "templateFamily": "none", - "templateDisplayName": null, - "templateDisplayVersion": null - }, "settings": [ { - "id": "0", + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd", - "settingInstanceTemplateReference": null, + "settingDefinitionId": "device_vendor_msft_laps_policies_backupdirectory", "choiceSettingValue": { - "settingValueTemplateReference": null, - "value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1", + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_laps_policies_backupdirectory_1", "children": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays", - "settingInstanceTemplateReference": null, + "settingDefinitionId": "device_vendor_msft_laps_policies_passwordagedays_aad", "simpleSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", - "settingValueTemplateReference": null, - "value": 14 - } - }, - { - "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity", - "settingInstanceTemplateReference": null, - "choiceSettingValue": { - "settingValueTemplateReference": null, - "value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4", - "children": [] - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength", - "settingInstanceTemplateReference": null, - "simpleSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", - "settingValueTemplateReference": null, "value": 14 } } - ] + ], + "settingValueTemplateReference": { + "settingValueTemplateId": "4d90f03d-e14c-43c4-86da-681da96a2f92" + } + }, + "settingInstanceTemplateReference": { + "settingInstanceTemplateId": "a3270f64-e493-499d-8900-90290f61ed8a" } } }, { - "id": "1", + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus", - "settingInstanceTemplateReference": null, + "settingDefinitionId": "device_vendor_msft_laps_policies_passwordcomplexity", "choiceSettingValue": { - "settingValueTemplateReference": null, - "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1", - "children": [] + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_laps_policies_passwordcomplexity_4", + "children": [], + "settingValueTemplateReference": { + "settingValueTemplateId": 
"aa883ab5-625e-4e3b-b830-a37a4bb8ce01" + } + }, + "settingInstanceTemplateReference": { + "settingInstanceTemplateId": "8a7459e8-1d1c-458a-8906-7b27d216de52" } } } - ] -} + ], + "templateReference": { + "templateId": "adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1" + } +} \ No newline at end of file diff --git a/policies/LAPSAdmin.json b/policies/LAPSAdmin.json new file mode 100644 index 0000000..4ee7513 --- /dev/null +++ b/policies/LAPSAdmin.json @@ -0,0 +1,37 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-02-05T23:10:06.2132942Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-02-05T23:10:06.2132942Z", + "name": "Windows LAPS - Enable Administrator Account", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 1, + "technologies": "mdm", + "id": "388fbf31-619d-42e9-a481-7c09c64d2266", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1", + "children": [] + } + } + } + ] +}
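Review bot: policies/LAPSAdmin.json is added as a raw tenant export and keeps the read-only response fields (`@odata.context`, `id`, `createdDateTime`, `lastModifiedDateTime`, `settingCount`, `priorityMetaData` and the empty `templateReference`), while the same commit strips exactly those fields from policies/LAPS.json to make it postable to `deviceManagement/configurationPolicies`. Unless ImportPolicies.ps1 removes them before the POST, which is not visible here, the new file may be rejected or have its `id` silently ignored, so both files should follow the same import shape. The policy itself only enables the built-in Administrator account (`enableadministratoraccountstatus_1`) and is meaningful when paired with the password-backup policy in LAPS.json; a one-line `description` stating that dependency would help whoever assigns the two policies separately.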