How do I get a PowerShell script that uses PowerShell 5 and the AzureADPreview module to work in an Azure Function?

Question (votes: 0, answers: 1)

How can I make this PowerShell script run in an Azure Function? The script uses the PowerShell module "AzureADPreview", which only works with PowerShell 5.

Write-Host "START"

# Sign in with the host's managed identity (AzureADPreview, Windows PowerShell 5.1 only)
Connect-AzureAD -Identity
$disabledUsers = Get-AzureADUser -Filter "AccountEnabled eq false" | Select-Object UserPrincipalName

foreach ($disabledUser in $disabledUsers) {
    # Most recent 'Disable account' audit event for this user
    $logs = Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/userPrincipalName eq '$($disabledUser.UserPrincipalName)' and ActivityDisplayName eq 'Disable account')" -Top 1 | Select-Object ActivityDateTime
    if ($logs) {
        foreach ($log in $logs) {
            # Compare DateTime values directly; the .DateTime script property is a formatted
            # string, and comparing two strings with -lt is a lexical, not chronological, test
            if ([DateTime]$log.ActivityDateTime -lt (Get-Date).AddDays(-5)) {
                Write-Host "Account $($disabledUser.UserPrincipalName) disabled more than 5 days ago. Logs found."
                break
            }
        }
    } else {
        Write-Host "Account $($disabledUser.UserPrincipalName) disabled more than 30 days ago. Cannot find logs."
    }

    Start-Sleep -Seconds 20
}

Write-Host "FINISH"
Tags: powershell azure-functions account microsoft-entra-id audit-logging
1 Answer

0 votes

Please note that AzureADPreview only works with Windows PowerShell 5.1 and not with the PowerShell Core edition (v6.x, v7.x). However, Azure Functions only offers PowerShell Core (v7.2, v7.4), hence the conflict.

Alternatively, you can migrate to the Microsoft Graph PowerShell module, which works in PowerShell Core, to retrieve the same results.

I created a function app named demofunc1811 with the following properties:


Enable the system-assigned managed identity on the above function app and add the required permissions to that service principal. You can refer to this SO thread for the same:


Make sure to add the following dependencies in App files > requirements.psd1 and restart the Azure Function App:

# This file enables modules to be automatically managed by the Functions service.
# See https://aka.ms/functionsmanageddependency for additional information.
#
@{
    'Microsoft.Graph.Authentication' = '2.19.0'
    'Microsoft.Graph.Reports' = '2.19.0'
    'Microsoft.Graph.Users' = '2.19.0' 
}

Now I created an HTTP trigger function, replaced run.ps1 with the sample code below, and successfully got the response:

using namespace System.Net

param($Request, $TriggerMetadata)

Write-Host "PowerShell HTTP trigger function processed a request."

# Interact with query parameters or the body of the request.
$name = $Request.Query.Name
if (-not $name) {
    $name = $Request.Body.Name
}

# Write a simple message for testing
$body = "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."

if ($name) {
    $body = "Hello, $name. This HTTP triggered function executed successfully."
}

# Connect to Microsoft Graph using Managed Identity
Write-Host "Connecting to Microsoft Graph..."
Connect-MgGraph -Identity

# Show which identity and scopes the connection is using (useful in the function logs)
Get-MgContext

# Retrieve disabled users from Azure AD
Write-Host "Retrieving disabled users..."
$disabledUsers = Get-MgUser -Filter "accountEnabled eq false" | Select-Object UserPrincipalName

# Iterate through disabled users and check activity logs
foreach ($disabledUser in $disabledUsers) {
    $logs = Get-MgAuditLogDirectoryAudit -Filter "targetResources/any(tr:tr/userPrincipalName eq '$($disabledUser.UserPrincipalName)' and activityDisplayName eq 'Disable account')" -Top 1

    if ($logs) {
        foreach ($log in $logs) {
            $disabledDate = [DateTime]$log.ActivityDateTime
            $currentDate  = Get-Date

            if ($disabledDate -ge $currentDate.AddDays(-1)) {
                Write-Host "Account $($disabledUser.UserPrincipalName) was disabled today."
                break
            }
            elseif ($disabledDate -lt $currentDate.AddDays(-5)) {
                Write-Host "Account $($disabledUser.UserPrincipalName) disabled more than 5 days ago. Logs found."
                break
            }
        }
    }
    else {
        Write-Host "Account $($disabledUser.UserPrincipalName) disabled more than 30 days ago. Cannot find logs."
    }
}

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body = $body
})
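The same check as a timer-triggered run.ps1, written as an added example (it is not the answer's code and not from the question). It assumes a timer binding named Timer, the three Microsoft.Graph modules from requirements.psd1, and a managed identity that holds the User.Read.All and AuditLog.Read.All application permissions; the ConvertTo-ODataLiteral and Get-DisableEvent helpers are hypothetical names introduced here. It adds two things the answer's script lacks: single quotes in a UPN are escaped before being interpolated into the $filter, and the audit query is sorted so -Top 1 returns the newest event.

```powershell
# Added example: timer-triggered run.ps1 for the "how long has this account been
# disabled?" check via Microsoft Graph PowerShell under the Function App's managed identity.
# Assumptions: timer binding named 'Timer', Microsoft.Graph.* modules from requirements.psd1,
# managed identity granted User.Read.All and AuditLog.Read.All (application permissions).
param($Timer)

# OData string literals escape a single quote by doubling it. A UPN containing one
# would otherwise break (or change the meaning of) the $filter built below.
function ConvertTo-ODataLiteral([string]$Value) {
    return $Value -replace "'", "''"
}

# Returns the most recent 'Disable account' directory audit event for one UPN, or $null.
function Get-DisableEvent([string]$Upn) {
    $literal = ConvertTo-ODataLiteral $Upn
    $filter  = "targetResources/any(tr:tr/userPrincipalName eq '$literal') " +
               "and activityDisplayName eq 'Disable account'"
    # Sort newest-first so that -Top 1 is the latest event rather than an arbitrary one.
    return Get-MgAuditLogDirectoryAudit -Filter $filter -Sort 'activityDateTime desc' -Top 1
}

Connect-MgGraph -Identity -NoWelcome

# -All pages through the whole result set; without it only the first page is returned.
$disabledUsers = Get-MgUser -Filter 'accountEnabled eq false' -Property UserPrincipalName -All

$cutoff = (Get-Date).AddDays(-5)
foreach ($user in $disabledUsers) {
    $upn   = $user.UserPrincipalName
    $audit = Get-DisableEvent -Upn $upn
    if (-not $audit) {
        # Entra audit logs are retained for at most 30 days, so no event means the
        # account was disabled before the retention window.
        Write-Host "${upn}: no 'Disable account' event within the audit retention window."
        continue
    }
    $disabledAt = [DateTime]$audit.ActivityDateTime
    if ($disabledAt -lt $cutoff) {
        Write-Host "${upn}: disabled on $disabledAt (more than 5 days ago)."
    } else {
        Write-Host "${upn}: disabled on $disabledAt (within the last 5 days)."
    }
}
```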
