Creating Dynamic Auth Policies (AzureAD)

Our dashboard currently assigns different levels of access based upon Azure AD group affiliation. Basically we hide certain pages or elements from certain users. This works fine currently, however it’s a pain to add a new authorized group as it requires another code change. My thought was to query AzureAD for all groups with a certain prefix, and dynamically create a New-UDAuthorizationPolicy for each of the groups returned. This way, we can simply add a new group that matches the naming convention, and it will instantly be added to the dashboard. The trouble is, I can’t get the New-UDAuthorizationPolicy cmdlet to see any variables outside the scope of its -Endpoint param. In theory, the below should work, but as I said, $AzGroups is simply null inside the -Endpoint block.

# Sign in with the managed identity and pull every group whose name starts with 'DNS-'
Connect-AzAccount -Identity -AccountId '000-000-000-000-000' -ErrorAction Stop

$AzGroups = Get-AzADGroup -DisplayNameStartsWith 'DNS-' | Select-Object -Property DisplayName,Id

Disconnect-AzAccount

$AuthPolicies = [System.Collections.ArrayList]@()

foreach($AzGroup in $AzGroups) {
    # [void] discards the index that ArrayList.Add() would otherwise write to the pipeline
    [void]$AuthPolicies.Add(
        (New-UDAuthorizationPolicy -Name "group-$($AzGroup.DisplayName)" -Endpoint {
            param($User)

            # $AzGroup is not visible here: the endpoint runs in its own runspace
            $User.HasClaim('groups', $AzGroup.Id)
        })
    )
}

Any help would be appreciated!

Kind of a hack but you could create the script block dynamically.

$Endpoint = [ScriptBlock]::Create("
            param(`$User)

            `$User.HasClaim('groups', '$($AzGroup.Id)')
")
(New-UDAuthorizationPolicy -Name "group-$($AzGroup.DisplayName)" -Endpoint $Endpoint)
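The same string-built script block approach, as an added example that is not code from either poster: because anything interpolated into [ScriptBlock]::Create() becomes code, the helper checks that the group Id is a GUID before baking it into the policy. It assumes $AzGroups holds the DisplayName/Id objects returned by Get-AzADGroup in the question; New-GroupAuthPolicy is a hypothetical helper name.

```powershell
# Added example: one authorization policy per Azure AD group, with the group Id
# embedded as a literal in the script block text so the endpoint runspace does not
# need access to the caller's variables.
function New-GroupAuthPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Id
    )

    # Only a GUID may be interpolated: it cannot close the single-quoted literal
    # below, so untrusted directory data can never become PowerShell code.
    $GuidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    if ($Id -notmatch $GuidPattern) {
        throw "Refusing to build policy for '$DisplayName': Id '$Id' is not a GUID"
    }

    # Backticks keep `$User as a variable in the generated code; $Id expands now.
    $Endpoint = [ScriptBlock]::Create(@"
param(`$User)
`$User.HasClaim('groups', '$Id')
"@)

    New-UDAuthorizationPolicy -Name "group-$DisplayName" -Endpoint $Endpoint
}

# $AzGroups comes from Get-AzADGroup -DisplayNameStartsWith 'DNS-' (see the question).
$AuthPolicies = foreach ($AzGroup in $AzGroups) {
    New-GroupAuthPolicy -DisplayName $AzGroup.DisplayName -Id $AzGroup.Id
}
```

The policies are still registered when the dashboard starts, so a group created after startup is only picked up on the next restart.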

I’m sorry for the late reply. Thank you very much for the suggestion! This nearly works but the issue I’m having is, because the scriptblock is being generated beforehand and not inside the Auth Policy, the dashboard needs to be restarted for new groups to be picked up. If I could manage to access external variables inside the New-UDAuthorizationPolicy, I could make a scheduled endpoint to sync ADGroups to a Cache variable, but I’m not sure what to do in this instance.

Any suggestions would be greatly appreciated!

Hi, I’ve hit a similar situation with my dashboard. I’m trying to put all my auth policies in an SQL table, read them and dynamically build my policies around that.

The problem comes when trying to loop through my policies and then access those properties, which are out of scope inside the endpoint.

I like the idea of pushing it into a cache variable with a schedule, however in order to access this I’d still need an identifier within my endpoint. Is there any way to access an endpoint name from inside an endpoint? This would definitely be one solution.