PowerShell 或 Azure CLI - 显示/创建已设置 PIM 的 Azure 安全组

我想要一个脚本来验证是否为 PIM 设置了安全组，如果没有，则创建它。理想情况下，我还想将成员添加到符合条件的任务中。

这里是

PowerShell

Privileged Identity Management

    Connect-AzureAD
    $upn = "[email protected]"
    $groupId = "xxxxxxxx-21f1-4871-8ba317a7b9b608ee"
    $resource = Get-AzureADMSPrivilegedResource -ProviderId aadGroups
    $subject = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    # Check if the security group exists
    $group = Get-AzADGroup -SearchString $securityGroupName
    if ($group -eq $null) {
        # Create the security group if it doesn't exist
        $group = New-AzADGroup -DisplayName $securityGroupName -MailEnabled $false -SecurityEnabled $true
        Write-Host "Created Security Group: $($group.DisplayName)"
    } else {
        Write-Host "The Group: $securityGroupName already exists."
    }
    
    $roleDefinitionCollection = $roleDefinitionCollection = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadGroups" -ResourceId $groupId
    $reason = "test"
    
    if ($roleDefinitionCollection.Count -eq 0) {
        $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
        $schedule.Type = "Once"
        $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        
        Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AzureResources -Schedule $schedule -ResourceId $securityGroupName -RoleDefinitionId $roleDefinitionId -SubjectId $subjectObjectId -AssignmentState "Eligible" -Type "AdminAdd"
        
        Write-Host "Enabling PIM for the group: $securityGroupName"
    } else {
        Write-Host "PIM is already enabled for the group: $securityGroupName"
    }

输出：

参考：azure - 如何使用 Powershell 激活特权访问组？ - 堆栈溢出，作者：

Brice