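<#
.SYNOPSIS
    Azure Automation runbook: creates an Azure AD user for a client, adds it to the
    client's security group (creating that group if it does not exist) and to the
    DaaSRO group, and optionally provisions the user in the evaluation SQL database.

.PARAMETER Username
    Local part of the new user's UPN; the UPN becomes "<Username>@daas.contoso.com".

.PARAMETER ClientName
    Client the user belongs to; also used as display name, description and mail
    nickname of the client security group.

.PARAMETER Database
    When 1, also creates a contained database user for the account in daasevalDB and
    adds it to db_ddladmin. Any other value skips the SQL step.

.OUTPUTS
    The generated initial password (String). Runbook output is retained in the
    Automation job history, so that history must be treated as sensitive; the
    account is created with "change password at next sign-in" to limit the exposure.
#>
Param
(
    [Parameter (Mandatory = $true)]
    [String] $Username,
    [Parameter (Mandatory = $true)]
    [String] $ClientName,
    [Parameter (Mandatory = $false)]
    [INT] $Database = 0
)

# Fail fast: a failed Connect-* must not let the later steps run against nothing.
$ErrorActionPreference = 'Stop'

#######################################
# Generates a random password from printable ASCII 33..95 and 97..126 (no space,
# no backtick) using the platform CSPRNG. Get-Random is not suitable for secrets.
# Rejection sampling keeps every alphabet character equally likely.
# Arguments: -Length  number of characters (default 16)
# Outputs:   the password as a String
#######################################
function New-RandomPassword {
    param([int] $Length = 16)
    $alphabet = [char[]](33..95) + [char[]](97..126)
    # Bytes at or above this limit would bias the modulo; they are discarded.
    $limit = 256 - (256 % $alphabet.Count)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $buf = New-Object byte[] 1
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Count])
            }
        }
        return $sb.ToString()
    }
    finally {
        $rng.Dispose()
    }
}

# Double single quotes so a name containing ' cannot break out of the OData filter.
$clientFilter = "DisplayName eq '" + $ClientName.Replace("'", "''") + "'"

$cred = Get-AutomationPSCredential -Name 'AutomationAccount'
Connect-AzureRMAccount -Credential $cred
Select-AzureRmSubscription
Connect-AzureAD -Credential $cred

# Client security group: reuse it if present, create it otherwise. The filter is an
# exact match, so more than one hit means the directory is inconsistent; stop rather
# than silently pick one.
$clientGroups = @(Get-AzureADGroup -Filter $clientFilter)
if ($clientGroups.Count -lt 1) {
    $clientGroups = @(New-AzureADGroup -DisplayName $ClientName -MailEnabled $false -SecurityEnabled $true `
        -Description $ClientName `
        -MailNickname $ClientName)
}
elseif ($clientGroups.Count -gt 1) {
    throw "Multiple groups named '$ClientName' exist; refusing to choose one."
}
$groupId = $clientGroups[0].ObjectId

$password = New-RandomPassword
$upn = $Username + "@daas.contoso.com"
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = $password
# The initial password travels through job output; force a change on first sign-in.
$passwordProfile.ForceChangePasswordNextLogin = $true
$newUser = New-AzureADUser -DisplayName $Username -PasswordProfile $passwordProfile -UserPrincipalName $upn `
    -AccountEnabled $true `
    -MailNickname ($Username + $ClientName)
# Taken from the create response, so no second directory lookup is needed.
$userId = $newUser.ObjectId

Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $userId
# Exact-name filter instead of -SearchString: SearchString is a prefix match and can
# return several groups (and therefore an array of ObjectIds).
$roGroupId = (Get-AzureADGroup -Filter "DisplayName eq 'DaaSRO'").ObjectId
Add-AzureADGroupMember -ObjectId $roGroupId -RefObjectId $userId

# Hand the initial password back to the caller; this is the runbook's only output.
Write-Output $password

if ($Database -eq 1) {
    $adminLogin = "DBAdmin"
    # $dbSecret rather than $pwd: $PWD is an automatic variable and must not be shadowed.
    $dbSecret = (Get-AzureKeyVaultSecret -VaultName "DaaSKeys" -Name "daaslogin").SecretValueText
    $dbSecret = ConvertTo-SecureString $dbSecret -AsPlainText -Force
    $sqlCred = New-Object System.Management.Automation.PSCredential($adminLogin, $dbSecret)
    #TODO: should the role membership be granted to the client group rather than the user?
    $server = Connect-DbaInstance -SqlInstance 'db1.database.windows.net' -Database 'daasevalDB' -Credential $sqlCred -DisableException
    # The Azure AD principal is identified by its UPN. T-SQL identifiers cannot be bound as
    # query parameters, so bracket-quote it (doubling any ']') instead of interpolating raw input.
    $sqlName = '[' + $upn.Replace(']', ']]') + ']'
    # Azure SQL Database: a contained user is created in the target database (not a server
    # login), and db_ddladmin is a fixed database role, so membership is added with ALTER ROLE
    # (GRANT cannot target a role).
    Invoke-DbaQuery -SqlInstance $server -Query "CREATE USER $sqlName FROM EXTERNAL PROVIDER"
    Invoke-DbaQuery -SqlInstance $server -Query "ALTER ROLE db_ddladmin ADD MEMBER $sqlName"
}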