improved cpv permissions settings for app perms

DChorn-ANS · Aug 10, 2023 · 1138265 · 1138265
1 parent b636201
commit 1138265
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/ExecCPVPermissions/run.ps1 b/ExecCPVPermissions/run.ps1
@@ -63,6 +63,9 @@ $ourSVCPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/se
 
 # if the app svc principal exists, consent app permissions
 $apps = $ExpectedPermissions 
+#get current roles
+$CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $tenantfilter
+#If 
 $Grants = foreach ($App in $apps.requiredResourceAccess) {
     try {
         $svcPrincipalId = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($app.resourceAppId)')" -tenantid $tenantfilter
@@ -71,6 +74,7 @@ $Grants = foreach ($App in $apps.requiredResourceAccess) {
         continue
     }
     foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") {
+        if ($singleresource.id -In $currentroles.appRoleId) { continue }
         [pscustomobject]@{
             principalId = $($ourSVCPrincipal.id)
             resourceId  = $($svcPrincipalId.id)

diff --git a/UpdatePermissionsQueue/run.ps1 b/UpdatePermissionsQueue/run.ps1
@@ -65,6 +65,7 @@ $Grants = foreach ($App in $apps.requiredResourceAccess) {
         continue
     }
     foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") {
+        if ($singleresource.id -In $currentroles.appRoleId) { continue }
         [pscustomobject]@{
             principalId = $($ourSVCPrincipal.id)
             resourceId  = $($svcPrincipalId.id)