New features
Bsure is continuously developing new functionalities.
Upcoming features in the near future:
Bsure Insights will need more permissions to provide this information.
How to add permissions
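# Reconcile the Microsoft Graph *application* permissions of the Bsure service
# principal(s): grant every role listed in $BsurePermissions that is not yet
# assigned, and remove Graph role assignments that are no longer on the list.
# Requires an existing Az session (Connect-AzAccount) whose identity may read
# service principals and create/delete app role assignments.
$BSureSpnName = 'Bsure-Umi-'
$BsurePermissions = @(
    "Directory.Read.All"
    "AuditLog.Read.All"
    "Domain.Read.All"
    "Reports.Read.All"
    "Policy.Read.All"
    "MailboxSettings.Read"
    "DeviceManagementManagedDevices.Read.All"
    "RoleManagement.Read.All"
)

# Well-known application id of the Microsoft Graph API (same in every tenant).
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $msGraphSpn) {
    throw "Microsoft Graph service principal (appId $GraphAppId) was not found in this tenant."
}

# Resolve permission names to Graph app roles of type Application
# (delegated scopes carry the same names but cannot be assigned to an SPN).
$RolesToAdd = $msGraphSpn.AppRole | Where-Object {
    ($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")
}
# Surface typos in the permission list instead of silently skipping them.
$unresolved = $BsurePermissions | Where-Object { $_ -notin $RolesToAdd.Value }
if ($unresolved) {
    Write-Warning "Graph application permission(s) not found and skipped: $($unresolved -join ', ')"
}

# One token for the whole run; the original fetched it per SPN, which is
# unnecessary for a run of a few seconds.
$script:graphAPIReqHeader = @{
    Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token | ConvertFrom-SecureString -AsPlainText)"
    Host          = "graph.microsoft.com"
}

# Matching is by display-name *prefix*: every SPN whose name starts with
# $BSureSpnName is reconciled, so keep the prefix specific.
$bsureSpns = @(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName)
if ($bsureSpns.Count -eq 0) {
    Write-Warning "No service principal with a display name starting with '$BSureSpnName' was found."
}

foreach ($currentSPN in $bsureSpns) {
    $currentSPN   # emit the SPN being processed, as the original did
    $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"
    # NOTE(review): only the first page is read; Graph pages this collection
    # via @odata.nextLink, which is unlikely to matter for this few roles.
    $currentAssignments = @(Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader |
        Select-Object -ExpandProperty value)

    # Reconcile only assignments whose resource is Microsoft Graph; the original
    # compared appRoleId alone and would also have deleted assignments granted
    # on other resource APIs.
    $graphAssignments = @($currentAssignments | Where-Object { $_.resourceId -eq $msGraphSpn.Id })

    $RolesToAddClean = $RolesToAdd | Where-Object { $_.id -notin $graphAssignments.appRoleId }
    foreach ($AppRole in $RolesToAddClean) {
        $body = @{
            principalId = $currentSPN.Id
            resourceId  = $msGraphSpn.Id
            appRoleId   = $AppRole.id
        } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
        Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
    }

    $assignmentsToRemove = $graphAssignments | Where-Object { $_.appRoleId -notin $RolesToAdd.id }
    foreach ($assignment in $assignmentsToRemove) {
        Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$($assignment.id)" -Headers $script:graphAPIReqHeader
    }

    # The original wrote this once after the loop and referenced an undefined
    # $spnBsure; report per SPN using the loop variable instead.
    Write-Host "Done setting permissions for $($currentSPN.DisplayName) ($($currentSPN.Id))"
}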