Our dashboard currently assigns different levels of access based upon Azure AD group affiliation. Basically we hide certain pages or elements from certain users. This works fine currently, however it's a pain to add a new authorized group as it requires another code change. My thought was to query Azure AD for all groups with a certain prefix, and dynamically create a `New-UDAuthorizationPolicy` for each of the groups returned. This way, we can simply add a new group that matches the naming convention, and it will instantly be added to the dashboard. The trouble is, I can't get the `New-UDAuthorizationPolicy` cmdlet to see any variables outside the scope of its `-Endpoint` param. In theory, the below should work, but as I said, `$AzGroups` is simply null inside the `-Endpoint` block.
```powershell
# Authenticate with the managed identity, collect the matching groups, then drop the session
Connect-AzAccount -Identity -AccountId '000-000-000-000-000' -ErrorAction Stop
$AzGroups = Get-AzADGroup -DisplayNameStartsWith 'DNS-' | Select-Object -Property DisplayName, Id
Disconnect-AzAccount

# One authorization policy per group; the -Endpoint block cannot see $AzGroup / $AzGroups
$AuthPolicies = [System.Collections.ArrayList]@()
foreach ($AzGroup in $AzGroups) {
    $AuthPolicies.Add(
        (New-UDAuthorizationPolicy -Name "group-$($AzGroup.DisplayName)" -Endpoint {
            param($User)
            $User.HasClaim('groups', $AzGroup.Id)
        })
    )
}
```
Any help would be appreciated!
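The following is an added example, not code from the post above or from Universal Dashboard. It reproduces the scope problem in plain PowerShell so it can be run without a dashboard: a scriptblock built inside a `foreach` loop looks up `$AzGroup` when it is invoked, not when it is created, so every policy ends up testing the last group (or `$null` in a fresh scope), and `GetNewClosure()` is the standard PowerShell way to snapshot the loop variable into each block. `$groups`, the group ids and the `New-TestUser` helper with its `HasClaim` method are constructed stand-ins for `Get-AzADGroup` output and the `$User` object; `New-UDAuthorizationPolicy` is not called. Whether the dashboard host invokes the `-Endpoint` block in the same runspace (where a closure survives) or re-creates it elsewhere is outside what this example models.

```powershell
# Added example (not from the original post): late-bound loop variable vs. GetNewClosure().
# $groups, the ids and New-TestUser are constructed stand-ins; no dashboard cmdlets are used.

# Constructed stand-in for the output of Get-AzADGroup (placeholder ids, not real tenant data)
$groups = @(
    [pscustomobject]@{ DisplayName = 'DNS-Readers'; Id = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ DisplayName = 'DNS-Admins';  Id = '22222222-2222-2222-2222-222222222222' }
)

# Constructed stand-in for the $User object an endpoint receives: a HasClaim(type, value)
# method over a list of group claims, which is what the original -Endpoint block calls.
function New-TestUser([string[]]$GroupIds) {
    $u = [pscustomobject]@{ Groups = $GroupIds }
    $u | Add-Member -MemberType ScriptMethod -Name HasClaim -Value {
        param($Type, $Value)
        return ($Type -eq 'groups' -and $this.Groups -contains $Value)
    }
    return $u
}

# 1. Late-bound: $AzGroup is resolved when the block RUNS, not when it is built.
$lateBound = foreach ($AzGroup in $groups) {
    { param($User) $User.HasClaim('groups', $AzGroup.Id) }
}

# After the loop $AzGroup still holds the LAST group, so both blocks test 'DNS-Admins'.
# In a scope where $AzGroup does not exist at all, $AzGroup.Id is $null and every
# policy denies everyone, which is what the post observes.
$reader = New-TestUser -GroupIds $groups[0].Id
$lateBound | ForEach-Object { & $_ $reader }      # False, False: the reader is denied the Readers policy

# 2. Closure: GetNewClosure() captures the variables in scope at creation time,
#    so each policy keeps its own group id.
$policies = @{}
foreach ($AzGroup in $groups) {
    $groupId = $AzGroup.Id
    if ([string]::IsNullOrEmpty($groupId)) { continue }   # fail closed: never build a policy with an empty id
    $policies["group-$($AzGroup.DisplayName)"] = {
        param($User)
        $User.HasClaim('groups', $groupId)
    }.GetNewClosure()
}

& $policies['group-DNS-Readers'] $reader   # True
& $policies['group-DNS-Admins']  $reader   # False
```

The empty-id guard matters more than it looks: a policy whose captured id is `$null` silently denies everyone, which fails closed, but a late-bound id that resolves to the wrong group grants the wrong users access, so the check should be made on the value actually captured into the block.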