PowerShell Scripts

PS Script: Check Permissions

This PowerShell script checks whether the signed-in user has the permissions and licenses Revopy needs. It verifies that the tenant has an Entra ID (Azure AD) Premium P2 license, that the user holds the Global Administrator directory role, and that the user has the Owner RBAC role on at least one subscription. Note that it uses both the Az PowerShell module and the Azure CLI, so both Connect-AzAccount and az login must have been run for the same account.

# Build authentication headers for Graph API
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
if ($graphToken -is [System.Security.SecureString]) {   # Az.Accounts 4.0+ returns the token as a SecureString
    $graphToken = [System.Net.NetworkCredential]::new('', $graphToken).Password
}
$graphAPIHeaders = @{
    Authorization    = "Bearer $graphToken"
    Host             = "graph.microsoft.com"
    ConsistencyLevel = 'eventual'   # required by Graph for queries that use $count
}

# Get the signed-in user's object ID (Azure CLI; requires az login for the same account)
$userId = az ad signed-in-user show --query id -o tsv

# Retrieve the subscribed SKUs (licenses) for the tenant
$licensesEndpoint = "https://graph.microsoft.com/v1.0/subscribedSkus"
$licenses = Invoke-RestMethod -Uri $licensesEndpoint -Headers $graphAPIHeaders

# Check if any subscribed SKU carries the Azure AD Premium P2 service plan
$p2License = $licenses.value.servicePlans | Where-Object { $_.servicePlanName -eq "AAD_PREMIUM_P2" } | Select-Object -First 1

$aadP2Status = if ($p2License) {
    "Entra ID P2 is enabled in your tenant for revopy."
} else {
    "Entra ID P2 is not enabled in your tenant for revopy."
}
Write-Host $aadP2Status -ForegroundColor $(if ($p2License) { "Green" } else { "Red" })

# Retrieve the directory roles assigned to the signed-in user (transitive, so group-based assignments are included)
$rolesEndpoint = "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$userId'"
$roles = Invoke-RestMethod -Uri $rolesEndpoint -Headers $graphAPIHeaders

# Check if the user holds the Global Administrator role (matched by its well-known role template ID)
$globalAdminRole = $roles.value | Where-Object { $_.roleDefinitionId -eq "62e90394-69f5-4237-9190-012177145e10" } | Select-Object -First 1

$adminStatus = if ($globalAdminRole) {
    "You are a Global Administrator in your tenant for revopy."
} else {
    "You are not a Global Administrator in your tenant for revopy."
}
Write-Host $adminStatus -ForegroundColor $(if ($globalAdminRole) { "Green" } else { "Red" })

# Get the list of subscriptions visible to the signed-in account
$subscriptionIds = az account list --query "[].id" -o tsv

# Collect the subscriptions in which the user holds the Owner RBAC role (at any scope within the subscription)
$resourceOwnerSubscriptions = @($subscriptionIds | ForEach-Object {
    $ownerScopes = az role assignment list --assignee $userId --all --query "[?roleDefinitionName == 'Owner'].scope" --subscription "$_" -o tsv
    if ($ownerScopes) { $_ }   # emit the subscription ID once, rather than one line per Owner-scoped assignment
})

$subscriptionCount = $resourceOwnerSubscriptions.Count
$subscriptionTerm = if ($subscriptionCount -gt 1) { "subscriptions" } else { "subscription" }

$ownerStatus = if ($subscriptionCount -gt 0) {
    "You have the Owner RBAC Role for $subscriptionCount $subscriptionTerm in revopy."
} else {
    "You do not have the Owner RBAC Role on any subscription in revopy."
}
Write-Host $ownerStatus -ForegroundColor $(if ($subscriptionCount -gt 0) { "Green" } else { "Red" })

# Display final overall status
$allChecksPassed = $p2License -and $globalAdminRole -and ($subscriptionCount -gt 0)
$overallStatus = if ($allChecksPassed) {
    "You have all the required permissions & licenses for revopy."
} else {
    "You do not have all the required permissions & licenses for revopy."
}
Write-Host $overallStatus -ForegroundColor $(if ($allChecksPassed) { "Green" } else { "Red" })

# Press enter or exit the console
$null = Read-Host "Press Enter to exit"

PS Script: Assign Permissions

This PowerShell script grants the Microsoft Graph application permissions that the Revopy service principal needs in Entra ID (Azure AD). It retrieves the Microsoft Graph service principal, compares the required application roles with the app role assignments the Revopy service principal already has, adds the missing ones, and removes Graph assignments that are not in the required list.

# Configuration
$appName = "RevopyExtractor-" # Display-name prefix of the Revopy service principal
$graphAppId = "00000003-0000-0000-c000-000000000000" # Well-known application ID of Microsoft Graph
$requiredPermissions = @(
    "Directory.Read.All",
    "AuditLog.Read.All",
    "Domain.Read.All",
    "Reports.Read.All",
    "Policy.Read.All"
)

# Retrieve the Microsoft Graph service principal (the resource that exposes the app roles)
$graphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$graphAppId'"
Write-Host "Retrieved Microsoft Graph service principal." -ForegroundColor Green

# Identify the Graph application roles that match the required permission names
$rolesToAdd = $graphServicePrincipal.AppRole | Where-Object {
    ($_.Value -in $requiredPermissions) -and ($_.AllowedMemberType -contains "Application")
}
Write-Host "Identified roles to add." -ForegroundColor Green

# Define headers for Graph API requests
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
if ($graphToken -is [System.Security.SecureString]) {   # Az.Accounts 4.0+ returns the token as a SecureString
    $graphToken = [System.Net.NetworkCredential]::new('', $graphToken).Password
}
$apiHeaders = @{
    Authorization = "Bearer $graphToken"
    Host          = "graph.microsoft.com"
}
Write-Host "Set up Graph API headers." -ForegroundColor Green

# Fetch the Revopy service principal; stop if the prefix matches none or more than one
$currentPrincipal = @(Get-AzADServicePrincipal -DisplayNameBeginsWith $appName)
if ($currentPrincipal.Count -ne 1) {
    throw "Expected exactly one service principal whose display name begins with '$appName', found $($currentPrincipal.Count)."
}
$currentPrincipal = $currentPrincipal[0]
Write-Host "Fetched current service principal." -ForegroundColor Green

# URL for fetching current role assignments
$roleAssignmentsUrl = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentPrincipal.Id)/appRoleAssignments"

# Fetch existing role assignments
$currentAssignments = Invoke-RestMethod -Uri $roleAssignmentsUrl -Headers $apiHeaders | Select-Object -ExpandProperty value
Write-Host "Fetched current role assignments." -ForegroundColor Green
Write-Host "Current Role Assignments:" -ForegroundColor Cyan
$currentAssignments | Select-Object resourceDisplayName, appRoleId, createdDateTime | Format-Table -AutoSize

# Filter out roles that are already assigned
$rolesToAddFiltered = $rolesToAdd | Where-Object {
    $_.Id -notin $currentAssignments.appRoleId
}
Write-Host "Filtered roles to be added." -ForegroundColor Green
Write-Host "Roles to Add:" -ForegroundColor Cyan
$rolesToAddFiltered | Select-Object Value, Id | Format-Table -AutoSize

# Add new roles
foreach ($role in $rolesToAddFiltered) {
    $assignmentBody = @{
        principalId = $currentPrincipal.Id
        resourceId  = $graphServicePrincipal.Id
        appRoleId   = $role.Id
    } | ConvertTo-Json -Depth 99 -Compress

    Invoke-RestMethod -Method Post -Uri $roleAssignmentsUrl -Headers $apiHeaders -Body $assignmentBody -ContentType "application/json"
    Write-Host "Added role: $($role.Value)" -ForegroundColor Green
}

# Identify Microsoft Graph assignments that are not in the required list.
# Only assignments against the Graph resource are managed here; grants on other APIs are left untouched.
$rolesToRemove = $currentAssignments | Where-Object {
    ($_.resourceId -eq $graphServicePrincipal.Id) -and ($_.appRoleId -notin $rolesToAdd.Id)
}
Write-Host "Identified roles to remove." -ForegroundColor Green

# Remove unwanted roles
foreach ($role in $rolesToRemove) {
    $assignmentId = $role.id
    Invoke-RestMethod -Method Delete -Uri "$roleAssignmentsUrl/$assignmentId" -Headers $apiHeaders
    Write-Host "Removed role assignment with ID: $assignmentId" -ForegroundColor Yellow
}

Write-Host "Permissions update complete for service principal with Object ID $($currentPrincipal.Id)" -ForegroundColor Cyan
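The script above changes assignments as it goes. For a periodic least-privilege review it is useful to have a read-only variant that reports what the service principal currently holds, with appRoleId values resolved to permission names, and what is missing or in excess. The following function is an added example, not part of the Revopy scripts; the function name and parameter names are hypothetical, and it assumes Connect-AzAccount has been run with an account that can read service principals and app role assignments.

```powershell
# Added example: read-only audit of the Graph application permissions granted to a service principal.
# Nothing is modified; the result is a PSCustomObject that can be inspected, logged, or compared over time.
function Get-GraphPermissionDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ServicePrincipalId,   # object ID of the service principal to audit
        [Parameter(Mandatory)] [string[]] $RequiredPermission    # e.g. 'Directory.Read.All'
    )

    # Well-known application ID of Microsoft Graph (same value the page's script uses)
    $graphAppId = '00000003-0000-0000-c000-000000000000'
    $graphSp = Get-AzADServicePrincipal -Filter "appId eq '$graphAppId'"

    # Build an appRoleId -> permission-name map from Graph's application roles
    $roleName = @{}
    foreach ($r in ($graphSp.AppRole | Where-Object { $_.AllowedMemberType -contains 'Application' })) {
        $roleName[[string]$r.Id] = $r.Value
    }

    # Graph token; Az.Accounts 4.0+ returns it as a SecureString
    $token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    if ($token -is [System.Security.SecureString]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    $headers = @{ Authorization = "Bearer $token" }

    # Fetch every app role assignment, following @odata.nextLink so large grant lists are not truncated
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/appRoleAssignments"
    $assignments = @()
    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers
        $assignments += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    # Compare only the assignments whose resource is Microsoft Graph; other APIs are listed separately
    $graphGrants = @($assignments | Where-Object { $_.resourceId -eq $graphSp.Id })
    $granted = @($graphGrants | ForEach-Object {
        $id = [string]$_.appRoleId
        if ($roleName.ContainsKey($id)) { $roleName[$id] } else { $id }   # fall back to the raw ID if unknown
    })

    [pscustomobject]@{
        ServicePrincipalId = $ServicePrincipalId
        Granted            = $granted
        Missing            = @($RequiredPermission | Where-Object { $_ -notin $granted })
        Excess             = @($granted | Where-Object { $_ -notin $RequiredPermission })
        NonGraphGrants     = @($assignments | Where-Object { $_.resourceId -ne $graphSp.Id } |
                                Select-Object resourceDisplayName, appRoleId)
    }
}

# Usage: audit the Revopy extractor service principal against the permission list from the page
$sp = @(Get-AzADServicePrincipal -DisplayNameBeginsWith 'RevopyExtractor-')
if ($sp.Count -ne 1) { throw "Expected exactly one matching service principal, found $($sp.Count)." }
$drift = Get-GraphPermissionDrift -ServicePrincipalId $sp[0].Id -RequiredPermission @(
    'Directory.Read.All', 'AuditLog.Read.All', 'Domain.Read.All', 'Reports.Read.All', 'Policy.Read.All'
)
$drift | Format-List
```

An empty Excess list and an empty Missing list mean the assignments match the required set; a non-empty Excess list is the case worth investigating, since every extra application permission widens what the extractor's credentials can reach if they are ever leaked.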

PS Script: Check/Enable Resource Providers

This script is intended for Azure environments and ensures that the resource providers needed to install the Revopy Data Extractor service are registered. It targets a specified subscription ID and checks whether each required Microsoft resource provider is registered. Any that are missing are registered automatically, and the script reports the registration status as it waits for each one to complete.

# Set your Subscription ID
$subscriptionId = "your-subscription-id" # Replace with the Subscription ID where Revopy will be installed.

# List of required resource providers (including Managed Application support)
$requiredProviders = @(
    'Microsoft.OperationalInsights',
    'Microsoft.Insights',
    'Microsoft.Storage',
    'Microsoft.Web',
    'Microsoft.KeyVault',
    'Microsoft.Resources',
    'Microsoft.Solutions' # Managed Applications
)

# Select the target subscription
Select-AzSubscription -SubscriptionId $subscriptionId

# Get current resource provider states (without -ListAvailable this returns only registered providers,
# so an unregistered namespace simply produces no match below)
$allProviders = Get-AzResourceProvider

foreach ($rp in $requiredProviders) {
    $provider = $allProviders | Where-Object { $_.ProviderNamespace -eq $rp }

    if ($provider -and $provider.RegistrationState -eq 'Registered') {
        Write-Host "[OK] $rp is already registered." -ForegroundColor Green
    } else {
        Write-Host "[MISSING] $rp is not registered. Registering..." -ForegroundColor Yellow
        Register-AzResourceProvider -ProviderNamespace $rp | Out-Null

        # Confirm registration: poll with an upper bound so a failed registration cannot hang the script
        $maxAttempts = 60   # 60 attempts x 2 seconds = 2 minutes
        $attempt = 0
        do {
            Start-Sleep -Seconds 2
            $attempt++
            # One state per resource type is returned; they are consistent per namespace, so take the first
            $state = @((Get-AzResourceProvider -ProviderNamespace $rp).RegistrationState)[0]
        } while ($state -ne 'Registered' -and $attempt -lt $maxAttempts)

        if ($state -eq 'Registered') {
            Write-Host "[DONE] $rp successfully registered." -ForegroundColor Cyan
        } else {
            Write-Host "[WARN] $rp is still in state '$state' after $($maxAttempts * 2) seconds; check the subscription's resource providers and re-run." -ForegroundColor Red
        }
    }
}