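<#
.SYNOPSIS
    Applies the standard PIM role-management-policy settings from AzurePIMpatch.json
    to every policy that carries a LastModifiedDateTime (treated as "modified from
    default"), for each Azure management group the current Az context can see.

.DESCRIPTION
    Talks to the Azure Resource Manager REST API directly; Az.Accounts is used only
    to obtain the bearer token. Requires an Az context (Connect-AzAccount) that can
    list management groups and read/patch roleManagementPolicies at
    management-group scope. The patch body is read from .\AzurePIMpatch.json
    relative to the current directory and validated as JSON before any PATCH is sent.
#>

# Tenant the access tokens are requested for. Kept in one place so both REST
# helpers agree; pass -tenantId to the helpers to override per call.
$TenantId   = "e9792fd7-4044-47e7-a40d-3fba46f1cd09"
$ArmBaseUrl = "https://management.azure.com"
$ApiVersion = "2020-10-01"

#######################################
# Build the Authorization header for ARM calls.
# Arguments: -tenantId  tenant to request the token for (defaults to $TenantId)
# Returns:   hashtable suitable for Invoke-RestMethod -Headers
# Throws:    when no token could be obtained
#######################################
function GetAuthorizationHeader {
    param (
        [string] $tenantId = $TenantId
    )
    $accessToken = (Get-AzAccessToken -TenantId $tenantId).Token
    if (-not $accessToken) {
        throw "Get-AzAccessToken returned no token for tenant [$tenantId]; run Connect-AzAccount first."
    }
    # NOTE(review): newer Az.Accounts releases may return .Token as a SecureString;
    # unwrap it so the header does not end up as "Bearer System.Security.SecureString".
    if ($accessToken -is [System.Security.SecureString]) {
        $accessToken = [System.Net.NetworkCredential]::new("", $accessToken).Password
    }
    # The scheme must be the first token of the header value (the original had a
    # leading space: " Bearer ...").
    return @{ Authorization = "Bearer $accessToken" }
}

#######################################
# List every role management policy at a scope, following pagination.
# https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/list-for-scope?view=rest-authorization-2020-10-01&tabs=HTTP
# Arguments: -scope     ARM scope without leading slash, e.g.
#                       providers/Microsoft.Management/managementGroups/<name>
#            -tenantId  tenant to authenticate against (defaults to $TenantId)
# Outputs:   the policy objects, or "" when the scope has none (kept for
#            compatibility with the original's empty result)
# Throws:    on any HTTP/transport error (-ErrorAction Stop)
#######################################
function GetAllPolicies {
    param (
        [string] $scope,
        [string] $tenantId = $TenantId
    )
    $head = GetAuthorizationHeader -tenantId $tenantId
    $url  = "$ArmBaseUrl/$scope/providers/Microsoft.Authorization/roleManagementPolicies?api-version=$ApiVersion"

    $policies = @()
    # The list result is paged; without following nextLink any policy past the
    # first page would never be updated.
    while ($url) {
        $response = Invoke-RestMethod -Uri $url -Method Get -Headers $head -ErrorAction Stop
        if ($response.value) {
            $policies += @($response.value)
        }
        $url = $response.nextLink
    }

    if ($policies.Count -gt 0) {
        return $policies
    }
    return ""
}

#######################################
# PATCH one role management policy with the supplied JSON body.
# https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/update?view=rest-authorization-2020-10-01&tabs=HTTP
# Arguments: -scope                     ARM scope without leading slash
#            -roleManagementPolicyName  policy name (the "name" property of a policy)
#            -patchValue                JSON document to send as the request body
#            -tenantId                  tenant to authenticate against (defaults to $TenantId)
# Throws:    on any HTTP/transport error (-ErrorAction Stop)
#######################################
function UpdatePolicy {
    param (
        [string] $scope,
        [string] $roleManagementPolicyName,
        [string] $patchValue,
        [string] $tenantId = $TenantId
    )
    $head = GetAuthorizationHeader -tenantId $tenantId
    # Names are normally GUIDs, so escaping is a no-op there but keeps the URL
    # well-formed for anything else.
    $policyName = [uri]::EscapeDataString($roleManagementPolicyName)
    $url = "$ArmBaseUrl/$scope/providers/Microsoft.Authorization/roleManagementPolicies/$($policyName)?api-version=$ApiVersion"
    Invoke-RestMethod -Uri $url -Method Patch -Headers $head -Body $patchValue `
        -ContentType "application/json" -ErrorAction Stop | Out-Null
}

Write-Host "=========================================================================================="
Write-Host "Setting standard PIM role settings on modified roles."
Write-Host "=========================================================================================="

# Fail fast on the patch file: a missing/unreadable file would otherwise leave
# $patchValue empty and every matching policy would be PATCHed with an empty body.
$patchPath = ".\AzurePIMpatch.json"
[string] $patchValue = Get-Content -Path $patchPath -Raw -ErrorAction Stop
try {
    $null = $patchValue | ConvertFrom-Json -ErrorAction Stop
}
catch {
    throw "Patch file [$patchPath] is not valid JSON: $($_.Exception.Message)"
}

$failedUpdates = 0
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups) {
    Write-Host "--------------------------------------------------------------------"
    Write-Host "Management group [$($managementGroup.Name)]"
    $scope = "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"

    # A populated LastModifiedDateTime is what this script uses to mean
    # "policy has been changed from its default" (see the banner above).
    $assignments = GetAllPolicies -scope $scope | Where-Object { $_.properties.LastModifiedDateTime }

    foreach ($assignment in $assignments) {
        Write-Host "Updating assignment [$($assignment.id)]"
        # One failed PATCH is reported and counted; the remaining policies and
        # management groups are still processed.
        try {
            UpdatePolicy -scope $scope -roleManagementPolicyName $assignment.name -patchValue $patchValue
        }
        catch {
            $failedUpdates++
            Write-Error "Failed to update [$($assignment.id)]: $($_.Exception.Message)"
        }
    }

    # Subscription-level processing, kept disabled as in the original:
    # $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
    # foreach ($subscription in $subscriptions)
    # {
    #     Write-Host "  --------------------------------------------------------------------"
    #     $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
    #     $subscriptionId = $scope.Replace("/subscriptions/", "")
    #     Write-Host "  Subscription [$($subscription.DisplayName) - $subscriptionId]"
    #     Write-Host "  --------------------------------------------------------------------"
    #     $assignments = GetAllPolicies -scope $scope | Where-Object {
    #         $prop = $_.properties
    #         if ($prop.LastModifiedDateTime) { return $_ }
    #     }
    #     foreach ($assignment in $assignments)
    #     {
    #         $assignmentName = $assignment.name
    #         Write-Host "  Updating assignment [$($assignment.id)]"
    #         UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
    #     }
    # }
}

Write-Host "=========================================================================================="
if ($failedUpdates -gt 0) {
    Write-Warning "$failedUpdates policy update(s) failed; see errors above."
}
Write-Host "Done."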