Merge branch 'main' into beta

SCEPman/Private/permissions.ps1

@@ -36,18 +36,24 @@ function SetManagedIdentityPermissions($principalId, $resourcePermissions, $Grap
     ForEach($resourcePermission in $resourcePermissions) {
         if($alreadyAssignedPermissions -contains $resourcePermission.appRoleId) {
             Write-Verbose "Permission is already there (ResourceID $($resourcePermission.resourceId), AppRoleId $($resourcePermission.appRoleId))"
-            $permissionLevelReached = $resourcePermission.permissionLevel -gt $permissionLevelReached ? $resourcePermission.permissionLevel : $permissionLevelReached
+            if ($resourcePermission.permissionLevel -gt $permissionLevelReached) {
+                $permissionLevelReached = $resourcePermission.permissionLevel
+            }
         } else {
             Write-Verbose "Assigning new permission (ResourceID $($resourcePermission.resourceId), AppRoleId $($resourcePermission.appRoleId))"
             $bodyToAddPermission = "{'principalId': '$principalId','resourceId': '$($resourcePermission.resourceId)','appRoleId':'$($resourcePermission.appRoleId)'}"
             $azCommand = "az rest --method post --uri '$graphEndpointForAppRoleAssignments' --body `"$bodyToAddPermission`" --headers 'Content-Type=application/json'"
             if ($SkipAppRoleAssignments) {
                 Write-Warning "Skipping app role assignment (please execute manually): $azCommand"
-                $permissionLevelFail = $resourcePermission.permissionLevel -lt $permissionLevelFail ? $resourcePermission.permissionLevel : $permissionLevelFail
+                if ($resourcePermission.permissionLevel -lt $permissionLevelFail) {
+                    $permissionLevelFail = $resourcePermission.permissionLevel
+                }
             } else {
                 try {
                     $null = ExecuteAzCommandRobustly -azCommand $azCommand -principalId $principalId -appRoleId $resourcePermission.appRoleId -GraphBaseUri $GraphBaseUri
-                    $permissionLevelReached = $resourcePermission.permissionLevel -gt $permissionLevelReached ? $resourcePermission.permissionLevel : $permissionLevelReached
+                    if ($resourcePermission.permissionLevel -gt $permissionLevelReached) {
+                        $permissionLevelReached = $resourcePermission.permissionLevel
+                    }
                 }
                 catch {
                     $exceptionMessage = $_.ToString()
@@ -57,7 +63,9 @@ function SetManagedIdentityPermissions($principalId, $resourcePermissions, $Grap
                             Write-Error "Couldn't assign permission of permission level 0"
                             throw $_
                         } else {
-                            $permissionLevelFail = $resourcePermission.permissionLevel -lt $permissionLevelFail ? $resourcePermission.permissionLevel : $permissionLevelFail
+                            if ($resourcePermission.permissionLevel -lt $permissionLevelFail) {
+                                $permissionLevelFail = $resourcePermission.permissionLevel
+                            }
                         }
                     } else {
                         throw $_
@@ -67,7 +75,11 @@ function SetManagedIdentityPermissions($principalId, $resourcePermissions, $Grap
         }
     }
 
-    return $permissionLevelReached -gt $permissionLevelFail ? ($permissionLevelFail - 1) : $permissionLevelReached
+    if ($permissionLevelReached -ge $permissionLevelFail) {
+        return $permissionLevelFail - 1
+    } else {
+        return $permissionLevelReached
+    }
 }
 
 function GetSCEPmanResourcePermissions() {

SCEPman/Public/Complete-SCEPmanInstallation.ps1

@@ -203,7 +203,9 @@ function Complete-SCEPmanInstallation
     ForEach($tempServicePrincipal in $serviceprincipalOfScDeploymentSlots) {
         Write-Verbose "Setting SCEPman permissions to Service Principal with id $tempServicePrincipal"
         $permissionLevelReached = SetManagedIdentityPermissions -principalId $tempServicePrincipal -resourcePermissions $resourcePermissionsForSCEPman -GraphBaseUri $GraphBaseUri -SkipAppRoleAssignments $SkipAppRoleAssignments
-        $permissionLevelScepman = $permissionLevelReached -lt $permissionLevelScepman ? $permissionLevelReached : $permissionLevelScepman
+        if ($permissionLevelReached -lt $permissionLevelScepman) {
+            $permissionLevelScepman = $permissionLevelReached
+        }
         Write-Verbose "Reaching permission level $permissionLevelReached for this deployment slot"
     }
     Write-Information "SCEPman's permission level is $permissionLevelScepman"

SCEPman/Public/New-SCEPmanClone.ps1

@@ -130,9 +130,9 @@ function New-SCEPmanClone
         $DelayForSecurityPrincipals = 3000
         Write-Verbose "Waiting for $DelayForSecurityPrincipals milliseconds until the Security Principals are available"
         Start-Sleep -Milliseconds $DelayForSecurityPrincipals
-        $null = SetManagedIdentityPermissions -principalId $serviceprincipalsc.principalId -resourcePermissions $resourcePermissionsForSCEPman -GraphBaseUri $GraphBaseUri
+        $permissionLevelScepman = SetManagedIdentityPermissions -principalId $serviceprincipalsc.principalId -resourcePermissions $resourcePermissionsForSCEPman -GraphBaseUri $GraphBaseUri
 
-        MarkDeploymentSlotAsConfigured -SCEPmanAppServiceName $TargetAppServiceName -SCEPmanResourceGroup $TargetResourceGroup
+        MarkDeploymentSlotAsConfigured -SCEPmanAppServiceName $TargetAppServiceName -SCEPmanResourceGroup $TargetResourceGroup -PermissionLevel $permissionLevelScepman
 
         Write-Information "Copying app settings from source App Service to target"
         SetAppSettings -AppServiceName $TargetAppServiceName -resourceGroup $TargetResourceGroup -Settings $SCEPmanSourceSettings.settings