def init_active_directory_entities(deployment_name: str,
                                   install_config: InstallConfiguration,
                                   resource_group: str,
                                   tenant_id: str,
                                   non_interactive_mode: bool = False):
    print(
        "GDC requires several records in your Active Directory. Let's verify them now... "
    )

    graph_user_read_permission = ad_ops.find_graph_user_read_all_role()
    if not graph_user_read_permission:
        raise RuntimeError(
            "Couldn't find 'User.Read' permission in 'Microsoft Graph' for your tenant "
        )

    if not install_config.gdc_admin_ad_group:
        if not non_interactive_mode:
            print(
                "\nThe Project Staffing admins group defines a list of AD users which are going to have Owner role over all Azure resources created by this deployment."
            )
            print(
                "They will also have access to restricted application functionalities such as switching the ingestion mode or uploading new HR Data files."
            )
            print(
                "This Security group is mandatory and needs to be created before continuing. You can pause and create it now"
            )

        provided_admin_group_id = install_config.get_provided_param_value(
            "gdcAdmins.groupId")
        admin_ad_group = ad_ops.prompt_or_create_ad_group(
            "Enter the name or id of an existing Active Directory group for Project Staffing admins: ",
            add_signed_user=False,
            provided_ad_group_id=provided_admin_group_id,
            no_input=non_interactive_mode,
            create_if_not_exists=False)

        install_config.gdc_admin_ad_group = admin_ad_group

    if not install_config.gdc_employees_ad_group:
        if not non_interactive_mode:
            print(
                "\nThe Project Staffing application ingests and processes employee M365 profiles and email data to infer skills and build better teams."
            )
            print(
                "You should select an AD group to restrict the list of processed accounts. Only the data of the members of this group will be processed by the application, and therefore, only the employees in this group will be recommended by the application in searches."
            )
            print(
                "This Security group is mandatory and needs to be created before continuing. You can pause and create it now"
            )

        provided_employee_group_id = install_config.get_provided_param_value(
            "gdc_employees_ad_group_id")
        employees_ad_group = ad_ops.prompt_or_create_ad_group(
            "Enter the name or id of an existing Active Directory group for processed employees: ",
            add_signed_user=False,
            provided_ad_group_id=provided_employee_group_id,
            no_input=non_interactive_mode,
            create_if_not_exists=False)
        install_config.gdc_employees_ad_group = employees_ad_group

    if not install_config.gdc_service_principal:
        gdc_service_sp_name = None
        if non_interactive_mode:
            gdc_service_sp_name = install_config.get_provided_param_value(
                "gdc-service-sp.name")
        if not gdc_service_sp_name:
            gdc_service_sp_name = install_config.appservice_name + "-gdc-service"
        print("Creating %s service principal " % gdc_service_sp_name)
        graph_read_all_role = ad_ops.find_graph_user_read_all_role()
        if not graph_read_all_role:
            raise RuntimeError(
                "Couldn't find 'User.Read.All' permission in 'Microsoft Graph' for your tenant "
            )
        gdc_sp = ad_ops.get_or_create_service_principal(
            name=gdc_service_sp_name,
            tenant_id=tenant_id,
            non_interactive_mode=non_interactive_mode)
        install_config.gdc_service_principal = gdc_sp
        ad_ops.add_service_principal_app_permission(
            sp_app_id=gdc_sp['appId'],
            api_resource_id=graph_read_all_role['appId'],
            permission_id=graph_read_all_role['id'])

    if not install_config.m365_reader_service_principal:
        gdc_m365_reader_sp_name = None
        if non_interactive_mode:
            gdc_m365_reader_sp_name = install_config.get_provided_param_value(
                "gdc-m365-reader-sp.name")
        if not gdc_m365_reader_sp_name:
            gdc_m365_reader_sp_name = install_config.appservice_name + "-gdc-m365-reader"
        print("Creating %s service principal " % gdc_m365_reader_sp_name)
        graph_user_read_all_role = ad_ops.find_graph_user_read_all_role()
        if not graph_user_read_all_role:
            raise RuntimeError(
                "Couldn't find 'User.Read.All' permission in 'Microsoft Graph' for your tenant "
            )
        graph_mail_read_role = ad_ops.find_graph_mail_read_role()
        if not graph_mail_read_role:
            raise RuntimeError(
                "Couldn't find 'Mail.Read' permission in 'Microsoft Graph' for your tenant "
            )
        m365_reader_sp = ad_ops.get_or_create_service_principal(
            gdc_m365_reader_sp_name,
            tenant_id=tenant_id,
            non_interactive_mode=non_interactive_mode)
        install_config.m365_reader_service_principal = m365_reader_sp
        ad_ops.add_service_principal_app_permission(
            sp_app_id=m365_reader_sp['appId'],
            api_resource_id=graph_user_read_all_role['appId'],
            permission_id=graph_user_read_all_role['id'])
        ad_ops.add_service_principal_app_permission(
            sp_app_id=m365_reader_sp['appId'],
            api_resource_id=graph_mail_read_role['appId'],
            permission_id=graph_mail_read_role['id'])

        try:
            admin_group_members = ad_ops.get_group_members(
                group_object_id=install_config.gdc_admin_ad_group["objectId"])
            for member in admin_group_members:
                ad_ops.make_user_owner_for_app(
                    user_object_id=member['objectId'],
                    app_id=m365_reader_sp['appId'])
        except Exception as azError:
            print(
                "Failed to make members of admin group owners over %s service principal!"
                % gdc_m365_reader_sp_name)
            print(azError)

    if not install_config.jgraph_aad_app:
        app_registration_name = deployment_name + "-jgraph-aad-web-app"
        print("Creating %s app registration " % app_registration_name)
        appservice_name = install_config.appservice_name
        jgraph_aad_app = ad_ops.\
            get_or_create_service_principal(app_registration_name, is_web_app=True, credentials_valid_years=3,
                                            reply_url="https://%s.azurewebsites.net/.auth/login/aad/callback" % appservice_name,
                                            logout_url="https://%s.azurewebsites.net/.auth/logout" % appservice_name,
                                            tenant_id=tenant_id, non_interactive_mode=non_interactive_mode)
        install_config.jgraph_aad_app = jgraph_aad_app
Пример #2
0
def init_active_directory_entities(deployment_name: str, install_config: InstallConfiguration,
                                   resource_group: str, tenant_id: str, non_interactive_mode: bool = False):
    print("Watercooler requires several records in your Active Directory. Let's verify them now... ")

    graph_user_read_permission = ad_ops.find_graph_user_read_all_role()
    if not graph_user_read_permission:
        raise RuntimeError("Couldn't find 'User.Read' permission in 'Microsoft Graph' for your tenant ")

    if not install_config.wc_admin_ad_group:
        if not non_interactive_mode:
            print("\nThe Watercooler admins group defines a list of AD users which are going to have Owner role over all Azure resources created by this deployment.")
            print("This Security group is mandatory and needs to be created before continuing. You can pause and create it now")

        provided_admin_group_id = install_config.get_provided_param_value("wcAdmins.groupId")
        admin_ad_group = ad_ops.prompt_or_create_ad_group("Enter the name or id of an existing Active Directory group for Watercooler admins: ",
                                                          add_signed_user=False, provided_ad_group_id=provided_admin_group_id,
                                                          no_input=non_interactive_mode, create_if_not_exists=False)

        install_config.wc_admin_ad_group = admin_ad_group

    if not install_config.wc_service_principal:
        wc_service_sp_name = None
        if non_interactive_mode:
            wc_service_sp_name = install_config.get_provided_param_value("wc-service-sp.name")
        if not wc_service_sp_name:
            wc_service_sp_name = install_config.appservice_name + "-wc-service"
        print("Creating %s service principal " % wc_service_sp_name)

        graph_read_all_role = ad_ops.find_graph_user_read_all_role()
        online_meetings_read_all_role = ad_ops.find_online_meetings_read_all()
        online_meetings_readwrite_all_role = ad_ops.find_online_meetings_readwrite_all()
        calendars_read_role = ad_ops.find_calendar_read()
        calendars_readwrite_role = ad_ops.find_calendar_readwrite()
        if not graph_read_all_role:
            raise RuntimeError("Couldn't find 'User.Read.All' permission in 'Microsoft Graph' for your tenant ")

        if not online_meetings_read_all_role:
            raise RuntimeError("Couldn't find 'OnlineMeetings.Read.All' permission in 'Microsoft Graph' for your tenant ")

        if not online_meetings_readwrite_all_role:
            raise RuntimeError("Couldn't find 'OnlineMeetings.ReadWrite.All' permission in 'Microsoft Graph' for your tenant ")

        if not calendars_read_role:
            raise RuntimeError("Couldn't find 'Calendars.Read' permission in 'Microsoft Graph' for your tenant ")

        if not calendars_readwrite_role:
            raise RuntimeError("Couldn't find 'Calendars.ReadWrite' permission in 'Microsoft Graph' for your tenant ")


        wc_sp = ad_ops.get_or_create_service_principal(wc_service_sp_name, tenant_id=tenant_id, non_interactive_mode=non_interactive_mode)
        install_config.wc_service_principal = wc_sp

        ad_ops.add_service_principal_app_permission(sp_app_id=wc_sp['appId'],
                                                    api_resource_id=graph_read_all_role['appId'],
                                                    permission_id=graph_read_all_role['id'])
        ad_ops.add_service_principal_app_permission(sp_app_id=wc_sp['appId'],
                                                    api_resource_id=online_meetings_read_all_role['appId'],
                                                    permission_id=online_meetings_read_all_role['id'])
        ad_ops.add_service_principal_app_permission(sp_app_id=wc_sp['appId'],
                                                    api_resource_id=online_meetings_readwrite_all_role['appId'],
                                                    permission_id=online_meetings_readwrite_all_role['id'])
        ad_ops.add_service_principal_app_permission(sp_app_id=wc_sp['appId'],
                                                    api_resource_id=calendars_read_role['appId'],
                                                    permission_id=calendars_read_role['id'])
        ad_ops.add_service_principal_app_permission(sp_app_id=wc_sp['appId'],
                                                    api_resource_id=calendars_readwrite_role['appId'],
                                                    permission_id=calendars_readwrite_role['id'])

    if not install_config.m365_reader_service_principal:
        wc_m365_reader_sp_name = None
        if non_interactive_mode:
            wc_m365_reader_sp_name = install_config.get_provided_param_value("wc-m365-reader-sp.name")
        if not wc_m365_reader_sp_name:
            wc_m365_reader_sp_name = install_config.appservice_name + "-wc-m365-reader"
        print("Creating %s service principal " % wc_m365_reader_sp_name)

        graph_user_read_all_role = ad_ops.find_graph_user_read_all_role()
        if not graph_user_read_all_role:
            raise RuntimeError("Couldn't find 'User.Read.All' permission in 'Microsoft Graph' for your tenant ")

        m365_reader_sp = ad_ops.get_or_create_service_principal(wc_m365_reader_sp_name, tenant_id=tenant_id, non_interactive_mode=non_interactive_mode)
        install_config.m365_reader_service_principal = m365_reader_sp
        ad_ops.add_service_principal_app_permission(sp_app_id=m365_reader_sp['appId'],
                                                    api_resource_id=graph_user_read_all_role['appId'],
                                                    permission_id=graph_user_read_all_role['id'])


        try:
            admin_group_members = ad_ops.get_group_members(group_object_id=install_config.wc_admin_ad_group["objectId"])
            for member in admin_group_members:
                ad_ops.make_user_owner_for_app(user_object_id=member['objectId'], app_id=m365_reader_sp['appId'])
        except Exception as azError:
            print("Failed to make members of admin group owners over %s service principal!" % wc_m365_reader_sp_name)
            print(azError)

    if not install_config.jwc_aad_app:
        app_registration_name = deployment_name + "-jwc-aad-web-app"
        print("Creating %s app registration " % app_registration_name)
        appservice_name = install_config.appservice_name
        jwc_aad_app = ad_ops. \
            get_or_create_service_principal(app_registration_name, is_web_app=True, credentials_valid_years=3,
                                            reply_url="https://%s.azurewebsites.net/.auth/login/aad/callback" % appservice_name,
                                            logout_url="https://%s.azurewebsites.net/.auth/logout" % appservice_name,
                                            tenant_id=tenant_id, non_interactive_mode=non_interactive_mode)
        install_config.jwc_aad_app = jwc_aad_app

    if not install_config.watercooler_user:
        print("Updating Watercooler Meetings Organizer user")
        watercooler_user_sp = ad_ops.get_watercooler_user()
        install_config.watercooler_user = watercooler_user_sp

    print('Creating custom application policy for creating online meetings on behalf of Watercooler Meetings Organizer')
    script_path = "../meetings/run_policy_assign.ps1"
    subprocess.call(["pwsh", script_path, str(install_config.watercooler_user['objectId']), str(install_config.wc_service_principal['appId'])])