# Interactive sign-in to Azure; the Azure DevOps extension is required for the `az devops` commands below.
az login
az extension add --name "azure-devops"
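function Get-SGMembers
{
    <#
    .SYNOPSIS
    Recursively collects the mail addresses of users linked to an Azure DevOps security group.

    .DESCRIPTION
    Lists the direct members of the group identified by its descriptor with
    `az devops security group membership list`. Members whose subjectKind is
    "user" contribute their mailAddress; members whose subjectKind is "group"
    are expanded recursively. Duplicates are NOT removed here - the caller is
    expected to de-duplicate (Get-TargetSGMembers uses Select-Object -Unique).

    .PARAMETER securityGroupID
    Graph descriptor of the security group to expand.

    .OUTPUTS
    System.String[] - mail addresses of all directly or transitively linked users.
    Empty when the membership listing fails (a non-terminating error is written).
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(mandatory = $true)]
        [string]$securityGroupID
    )
    $linkedMembers = @();
    # az emits a JSON object keyed by member descriptor; stdout is empty when the call fails.
    $levelMembers = az devops security group membership list --id $securityGroupID --output json;
    if (!$levelMembers) {
        # Fix: the original message interpolated $securityGroupName, which is not defined in this
        # function's scope and therefore rendered as an empty string.
        Write-Error -Message "Failed to list members of the $securityGroupID security group!" -ErrorAction Continue;
    } else {
        $members = $levelMembers | ConvertFrom-Json;
        # NOTE(review): there is no visited-set guard, so a membership cycle (if the service
        # permitted one) would recurse without bound - confirm against the graph API's rules.
        foreach ($property in $members.PSObject.Properties) {
            $member = $property.Value;
            switch ($member.subjectKind) {
                "user" {
                    # direct user member: record the mail address
                    $linkedMembers += $member.mailAddress;
                }
                "group" {
                    # nested group: expand its members recursively
                    $linkedMembers += Get-SGMembers $member.descriptor;
                }
            }
        }
    }
    return $linkedMembers;
}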
# Resolve the security group named $securityGroupName in the project and aggregate its members
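function Get-TargetSGMembers
{
    <#
    .SYNOPSIS
    Prints the unique users linked (directly or via nested groups) to a named security group.

    .DESCRIPTION
    Resolves the group's display name to its graph descriptor within the given
    organization and project, expands its membership with Get-SGMembers and writes
    the de-duplicated mail addresses to the output stream.

    .PARAMETER azDevOpsOrgUrl
    Azure DevOps organization URL (e.g. https://dev.azure.com/<org>).

    .PARAMETER azDevOpsProject
    Project whose security groups are searched.

    .PARAMETER securityGroupName
    Display name of the security group to expand (compared with -eq, so case-insensitive).

    .OUTPUTS
    System.String - progress text followed by one mail address per line.

    .NOTES
    Throws when the group listing fails or no group with that display name exists.
    Aliases (? / select) replaced with their full cmdlet names, as PSScriptAnalyzer recommends.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(mandatory = $true)]
        [string]$azDevOpsOrgUrl,
        [Parameter(mandatory = $true)]
        [string]$azDevOpsProject,
        [Parameter(mandatory = $true)]
        [string]$securityGroupName
    )
    Write-Output "Checking groups..."
    # transform the display name into a descriptor (id) within the target project
    $securityGroups = az devops security group list --org $azDevOpsOrgUrl --project $azDevOpsProject --output json;
    if (!$securityGroups) {
        throw "Unable to list security groups!";
    }
    $securityGroups = $securityGroups | ConvertFrom-Json;
    $thisSecurityGroup = $securityGroups.graphGroups | Where-Object { $_.displayName -eq $securityGroupName };
    if (!$thisSecurityGroup) {
        throw "The security group $securityGroupName does not exist!";
    }
    # expand the group (recursively) and de-duplicate users reachable via several paths
    $linkedMembers = Get-SGMembers $thisSecurityGroup.descriptor;
    $uniqueMembers = $linkedMembers | Select-Object -Unique;
    Write-Output "Members linked to $securityGroupName -";
    Write-Output $uniqueMembers;
}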
# Entry point: splat the target organization/project/group into Get-TargetSGMembers.
# Adjust these three values to point at the security group you want to inspect.
$target = @{
    azDevOpsOrgUrl    = "https://dev.azure.com/org";
    azDevOpsProject   = "Project";
    securityGroupName = "Contributors"
};
Get-TargetSGMembers @target;