chore: add setup script to modify security defaults
@ -1,16 +1,15 @@
|
||||
# Ensure Microsoft.Graph module is installed
|
||||
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
|
||||
Write-Host "Installing Microsoft.Graph module..."
|
||||
Write-Host "✅ Installing Microsoft.Graph module..."
|
||||
Install-Module -Name Microsoft.Graph -Force -AllowClobber
|
||||
}
|
||||
|
||||
# Ensure ExchangeOnlineManagement module is installed
|
||||
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
|
||||
Write-Host "Installing ExchangeOnlineManagement Module..."
|
||||
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
|
||||
Write-Host "✅ Installing ExchangeOnlineManagement Module..."
|
||||
Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
|
||||
}
|
||||
|
||||
|
||||
# Import necessary modules
|
||||
Import-Module Microsoft.Graph.Authentication
|
||||
Import-Module Microsoft.Graph.Applications
|
||||
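Review bot: `Install-Module -Name Microsoft.Graph -Force -AllowClobber` and the matching ExchangeOnlineManagement line install whatever version the default repository currently serves, with no version pin and, by default, into the AllUsers scope, so a setup script that goes on to grant directory-wide permissions is itself depending on an unpinned supply chain. Consider `Install-Module -Name Microsoft.Graph -RequiredVersion <pinned-version> -Repository PSGallery -Scope CurrentUser -Force -AllowClobber` (and the same for ExchangeOnlineManagement), with the pinned versions recorded in the script header. Note also that `Get-Module -ListAvailable` only tests presence, so an already-installed older module would never be upgraded to the pinned version; `Get-InstalledModule -Name Microsoft.Graph -RequiredVersion <pinned-version>` would make the check and the install agree.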
@ -21,7 +20,40 @@ Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All",
|
||||
|
||||
# Application details
|
||||
$Name = "GraphAPI"
|
||||
$Scope = "Application.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration", "User.ReadWrite.All"
|
||||
$Scope = "Application.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration", "User.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod"
|
||||
|
||||
# -------------------------------
|
||||
# Check for existing apps with the same name
|
||||
# -------------------------------
|
||||
Write-Host "🔍 Checking for existing applications named '$Name'..."
|
||||
$existingApps = Get-MgApplication -All | Where-Object { $_.DisplayName -eq $Name }
|
||||
|
||||
if ($existingApps) {
|
||||
Write-Host "⚠️ Found $($existingApps.Count) existing application(s) with this name. Removing them..."
|
||||
foreach ($existingApp in $existingApps) {
|
||||
try {
|
||||
# Remove associated Service Principal first
|
||||
$sp = Get-MgServicePrincipal -Filter "AppId eq '$($existingApp.AppId)'" -ErrorAction SilentlyContinue
|
||||
if ($sp) {
|
||||
Remove-MgServicePrincipal -ServicePrincipalId $sp.Id -Confirm:$false
|
||||
Write-Host " ➜ Removed Service Principal: $($sp.Id)"
|
||||
}
|
||||
|
||||
# Remove the application
|
||||
Remove-MgApplication -ApplicationId $existingApp.Id -Confirm:$false
|
||||
Write-Host " ➜ Removed Application: $($existingApp.Id)"
|
||||
} catch {
|
||||
Write-Warning " ❌ Failed to remove application $($existingApp.Id): $_"
|
||||
}
|
||||
}
|
||||
|
||||
# Optional pause to ensure deletion propagates
|
||||
Write-Host "⏳ Waiting for application deletion..."
|
||||
Start-Sleep -Seconds 10
|
||||
} else {
|
||||
Write-Host "✅ No existing applications found with name '$Name'."
|
||||
}
|
||||
|
||||
|
||||
# Fetch Microsoft Graph Service Principal
|
||||
$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
|
||||
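Review bot: The cleanup block starting at `$existingApps = Get-MgApplication -All | Where-Object { $_.DisplayName -eq $Name }` selects by display name only, and `$Name = "GraphAPI"` is generic; display names are not unique in Entra ID, so an unrelated registration with the same name would be deleted together with its service principal, with `-Confirm:$false` suppressing the only prompt. Refuse the automatic path when the match is ambiguous, e.g. `if (@($existingApps).Count -gt 1) { throw "Multiple applications named '$Name' found; refusing to delete automatically." }`, or narrow the match with a marker the script itself sets on the application (a value in `Notes` or `Tags`) rather than the name alone. The `Start-Sleep -Seconds 10` after deletion is a fixed guess at propagation; polling `Get-MgApplication -Filter "displayName eq '$Name'"` until it returns nothing would be more reliable than a timer.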
@ -76,11 +108,10 @@ if (-not $app) {
|
||||
Write-Host "✅ Application Created: $($app.Id)"
|
||||
|
||||
# Wait for the application to propagate
|
||||
Start-Sleep -Seconds 10
|
||||
Write-Host "⏳ Waiting for application propagation..."
|
||||
Start-Sleep -Seconds 10
|
||||
|
||||
# Create Service Principal
|
||||
Write-Host "Creating Service Principal..."
|
||||
$servicePrincipal = New-MgServicePrincipal -AppId $app.AppId
|
||||
|
||||
if (-not $servicePrincipal) {
|
||||
@ -147,32 +178,6 @@ Write-Host "🔑 Client ID: $($app.AppId)"
|
||||
Write-Host "🕵️♂️ Client Secret: $($clientSecret.SecretText)"
|
||||
Write-Host "----------------------------------"
|
||||
|
||||
#Connect-ExchangeOnline -ShowBanner:$false
|
||||
|
||||
$scope = "https://graph.microsoft.com/.default"
|
||||
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
|
||||
|
||||
# Create the body for the token request
|
||||
$body = @{
|
||||
client_id = "$($app.AppId)"
|
||||
scope = $scope
|
||||
client_secret = "$($clientSecret.SecretText)"
|
||||
grant_type = "client_credentials"
|
||||
}
|
||||
|
||||
# Request the token
|
||||
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body
|
||||
$accessToken = $tokenResponse.access_token
|
||||
|
||||
# Use the token in subsequent requests
|
||||
$headers = @{
|
||||
Authorization = "Bearer $accessToken"
|
||||
}
|
||||
$templates = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/templates" -Headers $headers
|
||||
|
||||
# Output the templates
|
||||
$templates
|
||||
|
||||
$null = Disconnect-Graph -ErrorAction SilentlyContinue
|
||||
$null = Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
|
||||
|
||||
$null = Disconnect-Graph -ErrorAction SilentlyContinue
|
||||
$null = Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
|
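Review bot: With the token-request block removed, the new side of this hunk still ends with `Write-Host "🕵️♂️ Client Secret: $($clientSecret.SecretText)"`, which writes the freshly created client secret in plaintext to the console, where it ends up in any `Start-Transcript` log, CI job output or terminal scrollback. Since nothing left in this hunk consumes the secret, prefer to hand it back without echoing it, e.g. `$clientSecretSecure = ConvertTo-SecureString $clientSecret.SecretText -AsPlainText -Force` followed by `Write-Host "🕵️♂️ Client Secret: stored in `$clientSecretSecure"`, or write it to a file with a restricted ACL. The script continues outside the hunk (`$clientSecret` and `$tenantId` are assigned above it), so whether a later consumer needs the plaintext cannot be confirmed from here.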