Creating Dynamic Auth Policies (AzureAD)

jmknight2 · September 3, 2019, 3:11pm

Our dashboard currently assigns different levels of access based upon Azure AD group affiliation. Basically we hide certain pages or elements from certain users. This works fine currently, however it’s a pain to add a new authorized group as it requires another code change. My thought was to query AzureAD for all groups with a certain prefix, and dynamically create a New-UDAuthorizationPolicy for each of the groups returned. This way, we can simply add a new group that matches the naming convention, and it will instantly be added to the dashboard. The trouble is, I can’t get the New-UDAuthorizationPolicy cmdlet to see any variables outside the scope of it’s -Endpoint param. In theory, the below should work, but as I said, $AzGroups is simply null inside the -Endpoint block.

Connect-AzAccount -Identity -AccountId '000-000-000-000-000' -ErrorAction Stop

$AzGroups = Get-AzADGroup -DisplayNameStartsWith 'DNS-' | Select-Object -Property DisplayName,Id

Disconnect-AzAccount

$AuthPolicies = [System.Collections.ArrayList]@()

foreach($AzGroup in $AzGroups) {
    $AuthPolicies.Add(
        (New-UDAuthorizationPolicy -Name "group-$($AzGroup.DisplayName)" -Endpoint {
            param($User)

            $User.hasClaim('groups',$AzGroup.Id)
        })
    )
}

Any help would be appreciated!

adam · September 3, 2019, 3:58pm

Kind of a hack but you could create the script block dynamically.

$Endpoint = [ScriptBlock]::Create("
            param(`$User)

            `$User.hasClaim('groups', '$($AzGroup.Id)')
"
(New-UDAuthorizationPolicy -Name "group-$($AzGroup.DisplayName)" -Endpoint $ScriptBlock)

jmknight2 · September 5, 2019, 4:04pm

I’m sorry for the late reply. Thank you very much for the suggestion! This nearly works but the issue I’m having is, because the scriptblock is being generated beforehand and not inside the Auth Policy, the dashboard needs to be restarted for new groups to be picked up. If I could manage to access external variables inside the New-UDAuthorizationPolicy, I could make a scheduled endpoint to sync ADGroups to a Cache variable, but I’m not sure what to do in this instance.

Any suggestions would be greatly appreciated!

insomniacc · December 6, 2019, 3:10pm

Hi, I’ve hit a similar situation with my dashboard. I’m trying to put all my auth policies in an SQL table, read them and dynamically build my policies around that.

The problem comes when trying to loop through my policies and then access those properties, out of scope inside the endpoint.

I like the idea of pushing it into a cache variable with a schedule, however in order to access this I’d still need an identifier within my endpoint. Is there any way to access an endpoint name from inside an endpoint - this would definitely be one solution?

Topic		Replies	Views
AD groups membership in PowerShell Universal PowerShell Universal	2	674	October 28, 2020
Azure AD group claim authorization not working for me Universal Dashboard Help	4	1492	December 17, 2018
Authorization and policy's Universal Dashboard Help	8	636	January 10, 2020
UD 2.7.0 - AuthorizationPolicy not Working - AD Authentication w/ Claims Universal Dashboard	2	567	December 20, 2019
Unable to get any authorization policies to work - Azure AD Auth/IIS Universal Dashboard Help	12	1041	July 13, 2020

Creating Dynamic Auth Policies (AzureAD)

Related topics