Powershell script for Azure PIM report not returning correct results

Welcome Forums General PowerShell Q&A Powershell script for Azure PIM report not returning correct results

Viewing 0 reply threads
  • Author
    Posts
    • #215286
      Participant
      Topics: 2
      Replies: 2
      Points: 11
      Rank: Member
      Hi there
      
      I have written the below script it worked fine but was very slow when trying to return a large number of users - took forever - so I
      tried to speed it up by multithreading - because there is no way to filter on results returned by Get-AzureADUser except by equals to or
      searchstring which doesnt grab the set of users I want - there is no filter for 'contains' or wildcard - so I try to grab all users - which seems to take forever - so I try to run the function in parallel with different
      runspaces - unfortunately all I get returned to me is the little write-host statement I have in the function not the actual custom object
      containing PIM information for a user? Also the roleassignments variable contains nothing even though i store the objectID of the user in a variable which is a string type?  That variable becomes 'blank' or contains nothing on the next line? Can any one tell me what I am doing wrong or assist me please?
      
      
      [cmdletBinding()]
      param(
      [Parameter(
      ParameterSetName='Users',
      Position=0,
      ValueFromPipeLineByPropertyName=$true,
      ValueFromPipeLine=$true,
      Mandatory=$true
      )]
      [string[]]$Users,
      
      [Parameter(
      ParameterSetName='Department',
      Mandatory=$true
      )]
      [string]$Division
      
      
      )
      begin{
      $id = "blah"
      $roledefinitions = @{}
      Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $id | ForEach-Object {$roledefinitions[$_.Id] = $_.DisplayName}
      [bool]$isactive | Out-Null
      $pimusers=@()
      
      }
      
      process{
      
      function GetPimInformation()
      {
      
      [Microsoft.Open.AzureAD.Model.User]$users1,
      [hashtable]$roledefinitions
      [Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRoleAssignment[]]$roleassignments
      $report=@()
      
      foreach($user in $users1)
      {
      
      
      
      foreach($roleassignment in $roleassignments)
      {
      if($roleassignment.LinkedEligibleRoleAssignmentId)
      {
      $isactive=$true 
      } 
      else
      {
      $isactive=$false
      }
      
      $rolename = $roledefinitions[$roleassignment.RoleDefinitionId]
      
      
      $pimobject = New-Object PSCustomObject
      $pimobject | Add-Member NoteProperty User $user.DisplayName
      $pimobject | Add-Member NoteProperty RoleName $rolename
      $pimobject | Add-Member NoteProperty RoleCurrentlyActive $isactive
      $pimobject | Add-Member NoteProperty RoleAssignment $roleassignment.AssignmentState
      $report += $pimobject
      
      
      }
      
      }
      write-host "in the runspace"
      return $report
      
      }
      
      
      if($division)
      {
      
      
      $jobs=@()
      $Sessionstate = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
      $RunspacePool = [RunspaceFactory]::CreateRunspacePool(1,10,$Sessionstate,$Host)
      $RunspacePool.ApartmentState = "STA"
      $RunspacePool.Open()
      
      
      [Microsoft.Open.AzureAD.Model.User[]]$pimusers = Get-AzureADUser -Filter "extensionAttribute11 eq '$Department' and AccountEnabled eq true" -Top 10
      
      foreach($user in $pimusers)
      {
      $obj = $user.ObjectId
      $roleassignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "blahblah" -Filter "subjectId eq '$obj'" 
      
      
      
      $ScriptBlock = [scriptblock]::Create((Get-ChildItem Function:\GetPimInformation).Definition)
      $PowershellThread = [powershell]::Create().AddScript($ScriptBlock)
      $PowershellThread.AddParameter("user",$user)| Out-Null
      $PowershellThread.AddParameter("roledefinitions",$roledefinitions) | Out-Null
      $PowershellThread.AddParameter("roleassignments",$roleassignments) | Out-Null
      $PowershellThread.RunspacePool = $RunspacePool
      $Handle = $PowershellThread.BeginInvoke()
      $job = "" | Select-Object Handle,Thread,object
      $job.Handle = $Handle
      $job.Thread = $PowershellThread
      $job.Object = $user
      $jobs += $job
      }
      
      
      
      }
      else{ 
      foreach($userobject in $users)
      {
      $userinfo = Get-AzureADUser -ObjectId $userobject
      $pimusers += $userinfo
      }
      GetPimInformation $pimusers, $roledefinitions
      }
      
      
      
      } 
      
      end
      {
      if($division)
      {
      $pimreport=@()
      While (@($Jobs | Where-Object {$_.Handle -ne $Null}).count -gt 0) {
      ForEach ($Job in $($Jobs | Where-Object {$_.Handle.IsCompleted -eq $True})){
      $pimreport += $Job.Thread.EndInvoke($Job.Handle)
      $Job.Thread.Dispose()
      $Job.Thread = $Null
      $Job.Handle = $Null
      
      }
      
      } `
      }
      $RunspacePool.Close() | Out-Null
      $RunspacePool.Dispose() | Out-Null
      
      
      
      
      $pimreport
      
      }
Viewing 0 reply threads
  • You must be logged in to reply to this topic.