In the weeds with custom roles and Azure AD

Product: PowerShell Universal
Version: 4.2.7

Hi all,

I’m relatively new to PowerShell Universal so I may be missing something obvious, but I’m having serious trouble getting custom roles to work as I’d expect via Azure AD group membership.

The issue: group-based role evaluation seems to be happening successfully, but ALL custom roles can access the admin page (e.g., psu/admin/home). Even users in the built-in “Users” role (assigned via group claim) can access the admin page. However, if I restrict an app (User Interfaces > Apps) via the “Role” field in the settings of the app (Settings tab > Role) it works as expected, showing an “Unauthorized Access” message when I browse to it manually, and loading properly when I remove that role assignment.

The end goal: have various user groups that are granted access to PowerShell Universal via Azure AD group membership that can only access the apps within PSU which they’re explicitly assigned to, or apps that are only marked as needing authentication (available to all authenticated users) in addition to having a single group that CAN access the admin page.

I have configured an Azure AD enterprise app, have it sending the group memberships assigned to the enterprise app back with the “Attributes & Claims” settings, and configured a SAML2 source in Security > Authentication in PSU.

I have this specific role configured via Security > Roles per the screenshot below, using the Azure AD group ID; again, I think this is all working as expected.

I have nothing configured in the policy for this role, and the corresponding line in roles.ps1 is as follows:

New-PSURole -Name "xxx" -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -ClaimValue "2a6xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Do I need to define something in the policy to prevent members of this group from accessing the admin page?

The line that corresponds to the administrator role is as follows; again, with nothing defined in the policy for it:

New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -ClaimValue "a97xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

I’m not sure what I’m missing. Any assistance or pointing-in-the-right-direction would be greatly appreciated.

Thanks!

I figured this out after some more critical thinking - I had already spent a good many hours troubleshooting this only to think of the solution immediately after posting this.

It ended up being that the “Operators” built-in role was still enabled with no policy or user evaluation of any sort, and the “Administrators” built-in role also had no policy/evaluation, as noted above.

My roles.ps1 now looks like this for anyone that may need an example in the future.

# Administrator is granted only to members of the Azure AD admin group (group object ID in the groups claim).
New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -ClaimValue "a97xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# The remaining built-in roles keep their unconditional { $true } policy but are disabled,
# so they no longer match every authenticated user.
New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
    $true
} -Disabled
New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    $true
} -Disabled
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    $true
} -Disabled
New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    $true
} -Disabled
# Custom roles, each mapped to one Azure AD group object ID sent in the groups claim.
New-PSURole -Name "xxx-Platform Ops" -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -ClaimValue "2a6xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
New-PSURole -Name "xxx-Data Center" -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -ClaimValue "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
New-PSURole -Name "xxx-Support" -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -ClaimValue "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
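The failure mode in the thread (a built-in role left enabled with an unconditional `{ $true }` policy, so every authenticated user receives it and with it the admin console) can be reproduced offline. The script below is an added example, not code from the original post and not PowerShell Universal's own role engine: it builds two claims principals with made-up group IDs, models roles as hashtables carrying the same fields the `New-PSURole` calls above use (ClaimType/ClaimValue, Policy, Disabled), and resolves roles with the semantics the thread describes (disabled roles never match, claim-based roles need the exact claim, otherwise the policy script block decides). `New-TestUser`, `Resolve-Roles` and the placeholder group IDs are all assumptions made for this illustration.

```powershell
# Added example (not from the original post or from PowerShell Universal):
# offline simulation of group-claim role resolution, run under pwsh, showing
# why a built-in role left enabled with -Policy { $true } is granted to every
# authenticated user. Group IDs below are made-up placeholders.

$GroupClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'

# Build a ClaimsPrincipal carrying the group claims an IdP would send (constructed test data).
function New-TestUser {
    param([string]$Name, [string[]]$Groups)
    $identity = [System.Security.Claims.ClaimsIdentity]::new('Test')
    $identity.AddClaim([System.Security.Claims.Claim]::new([System.Security.Claims.ClaimTypes]::Name, $Name))
    foreach ($g in $Groups) {
        $identity.AddClaim([System.Security.Claims.Claim]::new($GroupClaim, $g))
    }
    [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

# Resolve the roles a principal holds. A disabled role never matches; a role
# defined with ClaimType/ClaimValue matches only if that exact claim is present;
# otherwise the role's policy script block decides.
function Resolve-Roles {
    param([System.Security.Claims.ClaimsPrincipal]$User, [hashtable[]]$Roles)
    foreach ($role in $Roles) {
        if ($role.Disabled) { continue }
        if ($role.ClaimType) {
            if ($User.HasClaim($role.ClaimType, $role.ClaimValue)) { $role.Name }
        }
        elseif ($role.Policy) {
            if (& $role.Policy $User) { $role.Name }
        }
    }
}

$AdminGroup = 'a97xxxxx-admin-placeholder'   # assumption: stands in for the admin group object ID
$OpsGroup   = '2a6xxxxx-ops-placeholder'     # assumption: stands in for the Platform Ops group object ID

# State described in the original question: Operator still enabled with an
# unconditional policy, so it is handed to every authenticated user.
$Before = @(
    @{ Name = 'Administrator';    ClaimType = $GroupClaim; ClaimValue = $AdminGroup }
    @{ Name = 'Operator';         Policy = { $true } }
    @{ Name = 'xxx-Platform Ops'; ClaimType = $GroupClaim; ClaimValue = $OpsGroup }
)

# Corrected state: the built-in role is disabled, so only explicit claim matches count.
$After = @(
    @{ Name = 'Administrator';    ClaimType = $GroupClaim; ClaimValue = $AdminGroup }
    @{ Name = 'Operator';         Policy = { $true }; Disabled = $true }
    @{ Name = 'xxx-Platform Ops'; ClaimType = $GroupClaim; ClaimValue = $OpsGroup }
)

$opsUser   = New-TestUser -Name 'ops.user'   -Groups $OpsGroup
$adminUser = New-TestUser -Name 'admin.user' -Groups $AdminGroup

foreach ($u in $opsUser, $adminUser) {
    $name = $u.Identity.Name
    'Before fix, {0}: {1}' -f $name, ((Resolve-Roles $u $Before) -join ', ')
    'After fix,  {0}: {1}' -f $name, ((Resolve-Roles $u $After)  -join ', ')
}
```

Running this under pwsh shows ops.user holding both Operator and xxx-Platform Ops before the fix and only xxx-Platform Ops after it, while admin.user drops from Administrator plus Operator to Administrator alone. The point to carry back to a real roles.ps1 is the same one the thread arrived at: any role that is enabled and has neither a claim mapping nor a restrictive policy is a grant to everyone who can authenticate, so either disable it or give it a policy that checks `$User` claims.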