Merge pull request #12 from michaelmsonne/michaelmsonne-bugfixing

Bugfixing and new features for Managed Identity list

Author: michaelmsonne

CHANGELOG.md

@@ -1,3 +1,13 @@
+## [1.0.0.2] 01/11/2024
+
+Added:
+- Added an option to search for Managed Identityes in the list from tenant to manage (much better view also!)
+- Check for if the tool is running as administrator or not
+- Now logging current execution location of the tool
+
+Fixed:
+- Added some better logic for PowerShell execution policy
+
 ## [1.0.0.1] - 27/10/2024
 
 Fixed:

docs/Managed Identity Permission Manager.png

@@ -1177,7 +1177,18 @@ $formChangelog_Load = {
 
 	# Changelog text
 	$textboxChangelog.Text =
-	"1.0.0.1 (27/10/2024):`n
+	"1.0.0.2 (01/11/2024):`n
+
+`tAdded:
+`t• Added an option to search for Managed Identityes in the list from tenant to manage`n
+`t   (much better view also!)
+`t• Check for if the tool is running as administrator or not`n
+`t• Now logging current execution location of the tool`n
+
+`tFixed:
+`t• Added some better logic for PowerShell execution policy`n
+
+1.0.0.1 (27/10/2024):`n
 
 `tFixed:
 `t• Added check for PowerShell execution policy`n

src/AboutForm.psf

@@ -6,8 +6,10 @@ $global:ConnectedState = $false # Default value
 $global:managedIdentities
 $global:clearExistingPermissions
 $global:darkModeStateUI
+$global:sortedManagedIdentities
+$global:filteredManagedIdentities
 
-$global:FormVersion = "1.0.0.1"
+$global:FormVersion = "1.0.0.2"
 $global:Author = "Michael Morten Sonne"
 $global:ToolName = "Managed Identity Permission Manager"
 $global:AuthorEmail = ""
@@ -22,29 +24,123 @@ $LogPath = "$Env:USERPROFILE\AppData\Local\$global:ToolName"
 # Variable that provides the location of the script
 [string]$ScriptDirectory = Get-ScriptDirectory
 
+function StartAsAdmin
+{
+	# Check if the current process is running with elevated privileges
+	$isElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+	
+	if (-not $isElevated)
+	{
+		# Restart the current process as administrator
+		$processPath = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName
+		#$arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$processPath`""
+		
+		Write-Log -Level INFO -Message "Restarting $processPath as administrator..."
+		Start-Process $processPath -Verb RunAs
+		
+		# Exit the current process
+		[System.Environment]::Exit(0)
+	}
+}
+
+function Is-Administrator
+{
+	# Get the current Windows identity
+	$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
+	
+	# Create a Windows principal object
+	$principal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
+	
+	# Check if the current principal is in the Administrator role
+	return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+}
+
+function Get-CurrentExecutionFilename
+{
+	# Get the current execution location
+	$currentLocation = Get-Location
+	
+	# Get the path of the currently executing assembly
+	# Get the path of the currently running process
+	$processPath = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName
+	$scriptName = [System.IO.Path]::GetFileName($processPath)
+	
+	# Get the current hostname using the .NET method
+	$hostname = [System.Net.Dns]::GetHostName()
+	
+	# Output the current location and script name
+	Write-Log -Level INFO -Message "Current execution location: '$($currentLocation.Path)\$scriptName' on host '$hostname'"
+}
+
 # Checks the current execution policy for the process
 function Check-ExecutionPolicy
 {
+	#StartAsAdmin
+	
+	if (Is-Administrator)
+	{
+		# TODO
+	}
+	
 	try
 	{
 		Write-Log -Level INFO -Message "Getting PowerShell execution policy..."
-		$executionPolicy = Get-ExecutionPolicy -Scope Process
-		if ($executionPolicy -ne "Unrestricted" -and $executionPolicy -ne "Bypass")
+		$executionPolicies = Get-ExecutionPolicy -List
+		
+		# Concatenate execution policies into a single string
+		$policyString = ($executionPolicies | ForEach-Object { "$($_.Scope): $($_.ExecutionPolicy)" }) -join ", "
+		Write-Log -Level INFO -Message "Execution policies: $policyString"
+		
+		$processPolicy = $executionPolicies | Where-Object { $_.Scope -eq 'Process' }
+		$currentUserPolicy = $executionPolicies | Where-Object { $_.Scope -eq 'CurrentUser' }
+		$effectivePolicy = $executionPolicies | Where-Object { $_.Scope -eq 'MachinePolicy' -or $_.Scope -eq 'UserPolicy' }
+		
+		if ($effectivePolicy.ExecutionPolicy -ne 'Undefined')
 		{
-			Write-Log -Level INFO -Message "Current execution policy is '$executionPolicy'."
+			Write-Log -Level INFO -Message "Execution policy is set by Group Policy. Current effective policy is '$($effectivePolicy.ExecutionPolicy)'."
+			return
+		}
+		
+		if ($processPolicy.ExecutionPolicy -ne "Unrestricted" -and $processPolicy.ExecutionPolicy -ne "Bypass")
+		{
+			Write-Log -Level INFO -Message "Current process execution policy is '$($processPolicy.ExecutionPolicy)'."
 
-			Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
-			Write-Log -Level INFO -Message "Execution policy set to 'Bypass' for the current process."
+			try
+			{
+				Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
+				Write-Log -Level INFO -Message "Execution policy set to 'Bypass' for the current process."
+			}
+			catch
+			{
+				if ($_.Exception.Message -match "Security error")
+				{
+					Write-Log -Level WARN -Message "Security error encountered. Attempting to set execution policy to 'RemoteSigned'..."
+					try
+					{
+						Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
+						Write-Log -Level INFO -Message "Execution policy set to 'RemoteSigned' for the current process."
+					}
+					catch
+					{
+						Write-Log -Level ERROR -Message "Failed to set execution policy to 'RemoteSigned': $($_.Exception.Message)"
+						
+						StartAsAdmin
+					}
+				}
+				else
+				{
+					Write-Log -Level ERROR -Message "Failed to set execution policy: $($_.Exception.Message)"
+				}
+			}
 		}
 		else
 		{
-			Write-Log -Level INFO -Message "Current execution policy is '$executionPolicy'. No need to change."
+			Write-Log -Level INFO -Message "Current process execution policy is '$($processPolicy.ExecutionPolicy)'. No need to change."
 		}
 	}
 	catch
 	{
-		Write-Log -Level ERROR -Message "Failed to set execution policy: $($_.Exception.Message)"
-		throw
+		Write-Log -Level ERROR -Message "An error occurred: $($_.Exception.Message)"
 	}
 }
 
@@ -421,7 +517,8 @@ function ConnectToGraph
 function Get-CurrentAppRoleAssignments
 {
 	param (
-		[string]$ManagedIdentityID
+		[string]$ManagedIdentityID,
+		[string]$ManagedIdentityName
 	)
 
 	$result = ""
@@ -430,15 +527,15 @@ function Get-CurrentAppRoleAssignments
 		# Retrieve the current app role assignments for the specified service principal
 
 		# Log
-		Write-Log -Level INFO -Message "Getting permissions for Managed Identity with Id: '$ManagedIdentityID'"
+		Write-Log -Level INFO -Message "Getting permissions for Managed Identity with Id: '$ManagedIdentityID' name '$ManagedIdentityName'"
 
 		# Get current role assignments
 		$currentAppRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityID -All -ErrorAction Stop
 
 		# Of any roles assigned
 		if ($currentAppRoles)
 		{
-			$result += "Current permissions assignments for Managed Identity ID '$ManagedIdentityID':`r`n"
+			$result += "Current permissions assignments for Managed Identity ID '$ManagedIdentityID' name '$ManagedIdentityName':`r`n"
 			foreach ($appRole in $currentAppRoles)
 			{
 				# Resolve ResourceId to Service Principal Name
@@ -465,14 +562,14 @@ AppRoleScope: '$appRoleScope'
 			}
 
 			# Log
-			Write-Log -Level INFO -Message "Got current assigned permissions for Managed Identity ID '$ManagedIdentityID'"
+			Write-Log -Level INFO -Message "Got current assigned permissions for Managed Identity ID '$ManagedIdentityID' name '$ManagedIdentityName'"
 		}
 		else
 		{
-			$result += "No AppRole assignments found for Managed Identity ID '$ManagedIdentityID'.`r`n"
+			$result += "No AppRole assignments found for Managed Identity ID '$ManagedIdentityID' name '$ManagedIdentityName.`r`n"
 
 			# Log
-			Write-Log -Level INFO -Message "No AppRole assignments found for Managed Identity ID '$ManagedIdentityID'"
+			Write-Log -Level INFO -Message "No AppRole assignments found for Managed Identity ID '$ManagedIdentityID' name '$ManagedIdentityName"
 		}
 	}
 	catch
@@ -847,4 +944,4 @@ function Remove-AllServicePrincipalPermissions
 		# Log
 		Write-Log -Level ERROR -Message "Error removing all permissions for managed identity '$ManagedIdentityID': $($_.Exception.Message)"
 	}
-}
+}