This is going to be a short one. Somebody on the CIPP Discord asked about scripted invites to a CIPP instance the other day, and I put this together. His use case didn’t fit, but it would be a shame for it to get lost in my scripts folder.
We need a few things to invite people to a static web app.
- We need the userPrincipalName of the user.
- We need the SWA name.
- We need the Resource Group it's in.
- We need the Subscription it's in.
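The script below has prompts or filters for all of these, and it should make generating (bulk) invites a breeze. The invite links it generates expire after one hour and are written to a CSV file, so send them out promptly and delete the file afterwards.
Of course, you don’t have to use the prompts. You could easily hard-code the values for your SWA and provide the users from a CSV or JSON file.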
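# Auth
# Interactive sign-in; every Az cmdlet below runs as this account.
Connect-AzAccount
# Select CIPP instance
# The loop lets a wrong subscription pick be corrected without restarting the script.
$count = 0
do {
    $count++
    $getSubscription = Get-AzSubscription | Out-GridView -Title "Select Azure Subscription" -OutputMode Single
    if (!$getSubscription) {
        # The subscription picker was cancelled. Clear any earlier selection and skip the lookups
        # so the app list is never read from whatever Az context happened to be active already.
        $cipp = $null
        continue
    }
    Set-AzContext -Subscription $getSubscription.SubscriptionId | Out-Null
    # Only the three properties needed later (name, hostname, resource group) are kept.
    $cipp = Get-AzStaticWebApp | Select-Object Name,DefaultHostName,ResourceGroupName | Out-GridView -Title "Select CIPP app" -OutputMode Single
} until ($cipp -OR $count -ge 5) # Very arbitrary count, surely you'll get the right one in 5 right?
if (!$cipp) {
    # No app chosen after the allowed attempts: stop before any invite is created.
    Write-Host "CIPP instance was not selected, exiting..."
    Pause
    Return
}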
# Select role
# Exactly one role is picked here and the same role is applied to every invite generated in
# this run, so choose the least-privileged role that fits the people being invited.
$role = @(
    [pscustomobject]@{ RoleName = "readonly"; Description = "Only allowed to read and list items and send push messages to users." }
    [pscustomobject]@{ RoleName = "editor"; Description = "Allowed to perform everything, except editing tenants, exclusions, and standards." }
    [pscustomobject]@{ RoleName = "admin"; Description = "Allowed to perform everything." }
) |
    Out-GridView -Title "Select role for invites" -OutputMode Single
# A cancelled picker leaves $role empty; stop rather than invite without a role.
if (-not $role) {
    Write-Host "A role was not selected, exiting..."
    Pause
    Return
}
# Select user(s)
# Directory users are shown in a grid; multi-select is allowed so invites can be made in bulk.
$users = Get-AzADUser |
    Out-GridView -Title "Select users to invite" -OutputMode Multiple
# Nothing selected (or the grid was closed): stop before touching the app.
if (-not $users) {
    Write-Host "Users were not selected, exiting..."
    Pause
    Return
}
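# Get current users
# Fetched once so people who already hold a role on the app are not invited again.
$currentUsers = Get-AzStaticWebAppUser -ResourceGroupName $cipp.ResourceGroupName -Name $cipp.Name -AuthProvider all
# Process invites
# Collects one object (User, InviteURL) per newly generated invitation link.
$invites = foreach ($user in $users) {
    try {
        $splat = @{
            ResourceGroupName    = $cipp.ResourceGroupName
            Name                 = $cipp.Name
            Domain               = $cipp.DefaultHostName
            Provider             = 'aad'
            UserDetail           = $user.UserPrincipalName
            Role                 = $role.RoleName
            # Links are valid for one hour only; keep this short, a link is what grants the role.
            NumHoursToExpiration = 1
            # Without this, a non-terminating error from the cmdlet would bypass the catch block
            # and the user would be reported as invited with an empty URL.
            ErrorAction          = 'Stop'
        }
        # NOTE(review): assumes DisplayName of an existing aad user holds the UPN - confirm.
        if ($currentUsers.DisplayName -notcontains $user.UserPrincipalName) {
            $invite = New-AzStaticWebAppUserRoleInvitationLink @splat
            if (!$invite.InvitationUrl) {
                # Treat a missing URL as a failure so it lands in the warning below.
                throw "No invitation URL was returned."
            }
            Write-Host "Generated invite for $($user.UserPrincipalName)"
            [pscustomobject]@{
                User      = $user.UserPrincipalName
                InviteURL = $invite.InvitationUrl
            }
        } else {
            Write-Host "User $($user.UserPrincipalName) is already a member of the CIPP app with the role(s): $(($currentUsers | Where-Object { $_.DisplayName -eq $user.UserPrincipalName}).Role)"
        }
    } catch {
        # One failed invite must not abort the rest of the batch.
        Write-Warning "Failed to invite $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}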
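# Export invites
# Every row contains a live invitation URL, so handle the CSV as sensitive data: pass each link
# only to the user it was generated for and delete the file once the links have been sent.
# A folder directly under C:\ is often readable by other local accounts; on a shared machine,
# point $exportPath at a per-user folder instead.
$exportPath = "C:\temp\cippinvites.csv"
if ($invites) {
    # Create the target folder if it is missing; otherwise Export-Csv fails and the
    # freshly generated one-hour links are lost.
    $exportDir = Split-Path -Path $exportPath -Parent
    if (!(Test-Path -Path $exportDir)) {
        New-Item -Path $exportDir -ItemType Directory -Force | Out-Null
    }
    $invites | Export-Csv -Path $exportPath -NoTypeInformation
    Write-Host "Exported invites to $exportPath"
} else {
    # Nothing was generated (everyone was already a member, or every invite failed);
    # piping an empty result into Export-Csv would only raise a binding error.
    Write-Host "No invites were generated, nothing to export."
}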