diff --git a/test/module/Integration/Entra/Add-EntraGroupOwner.Tests.ps1 b/test/module/Integration/Entra/Add-EntraGroupOwner.Tests.ps1
new file mode 100644
index 000000000..327b3df92
--- /dev/null
+++ b/test/module/Integration/Entra/Add-EntraGroupOwner.Tests.ps1
@@ -0,0 +1,67 @@ +# ------------------------------------------------------------------------------ +# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information. +# ------------------------------------------------------------------------------ +Describe "The Add-EntraGroupOwner command executing unmocked" { + + Context "When getting user and group" { + BeforeAll { + $testReportPath = join-path $psscriptroot "..\setenv.ps1" + . $testReportPath + $password = $env:USER_PASSWORD + + $domain = (Get-EntraTenantDetail).VerifiedDomains.Name + $thisTestInstanceId = (New-Guid).Guid.ToString() + $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5) + $testName = 'SimpleTests' + $thisTestInstanceId + $testName1 = 'SimpleTests1' + $thisTestInstanceId + + #create test user + $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile.Password = $password + $global:newUser = New-EntraUser -AccountEnabled $true -DisplayName $testName -PasswordProfile $PasswordProfile -MailNickName $testName -UserPrincipalName "$testName@$domain" + + #create test user + $PasswordProfile1 = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile1.Password = $password + $global:newUser1 = New-EntraUser -AccountEnabled $true -DisplayName $testName1 -PasswordProfile $PasswordProfile1 -MailNickName $testName1 -UserPrincipalName "$testName1@$domain" + #create test group + $global:newGroup = New-EntraGroup -DisplayName $testName -MailEnabled $false -SecurityEnabled $true -MailNickName $testName + } + + It "should update the properties of user and group" { + $updatedDisplayName = "SimpleTestsUpdated" + Set-EntraGroup -Id $newGroup.Id -DisplayName $updatedDisplayName + + $result = Get-EntraGroup -ObjectId $newGroup.Id + $result.Id | Should -Contain $newGroup.Id + $result.DisplayName | Should -Contain $updatedDisplayName 
+ + $updatedDisplayNameInCreatedUser = 'SimpleTests1AnotherTestUser' + Set-EntraUser -ObjectId $newUser.Id -Displayname $updatedDisplayNameInCreatedUser + + $updatedUser = Get-EntraUser -ObjectId $newUser.Id + $updatedUser.Id | Should -Be $newUser.Id + $updatedUser.DisplayName | Should -Be $updatedDisplayNameInCreatedUser + + $user1 = Get-EntraUser -ObjectId $newUser1.Id + $user1.Id | Should -Be $newUser1.Id + $user1.DisplayName | Should -Be $testName1 + } + It "Should successfully Adds an owner to a group" { + Add-EntraGroupOwner -ObjectId $newGroup.Id -RefObjectId $newUser.Id + $result = Get-EntraGroupOwner -ObjectId $newGroup.Id + $result.Id | Should -Contain $newUser.Id + + Add-EntraGroupOwner -ObjectId $newGroup.Id -RefObjectId $newUser1.Id + $result1 = Get-EntraGroupOwner -ObjectId $newGroup.Id + $result1.Id | Should -Contain $newUser1.Id + } + + AfterAll { + Remove-EntraGroupOwner -ObjectId $newGroup.Id -OwnerId $newUser.Id + Remove-EntraUser -ObjectId $newUser.Id + Remove-EntraGroup -ObjectId $newGroup.Id + Remove-EntraUser -ObjectId $newUser1.Id + } + } +} \ No newline at end of file diff --git a/test/module/Integration/Entra/EntraApplicationExtensionProperty.Tests.ps1 b/test/module/Integration/Entra/EntraApplicationExtensionProperty.Tests.ps1 new file mode 100644 index 000000000..43bd6619b --- /dev/null +++ b/test/module/Integration/Entra/EntraApplicationExtensionProperty.Tests.ps1 
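Review bot: The AfterAll teardown runs its four Remove-* calls unguarded, so if `Remove-EntraGroupOwner` or the first `Remove-EntraUser` throws (for instance because `$newUser` is null after a failed BeforeAll), the remaining enabled test accounts created with `$env:USER_PASSWORD` stay in the tenant; the other files in this commit guard each step with `if ($var)`, and each step here should also be isolated, e.g. `try { Remove-EntraUser -ObjectId $newUser.Id } catch { Write-Warning "cleanup failed: $_" }`. The five-character suffix from `$thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)` gives only about a million distinct names, so a leftover `SimpleTests<id>@domain` principal from an earlier failed run makes `New-EntraUser` fail; the full GUID used by the other files is safer. `$domain = (Get-EntraTenantDetail).VerifiedDomains.Name` yields an array in a tenant with more than one verified domain, which is then interpolated into `"$testName@$domain"` as a space-joined string; select a single domain explicitly (the same pattern recurs in Scenario1.Tests.ps1 and Scenario2.Tests.ps1).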
@@ -0,0 +1,52 @@ +# ------------------------------------------------------------------------------ +# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information. +# ------------------------------------------------------------------------------ +Describe "The EntraApplicationExtensionProperty command executing unmocked" { + + Context "When getting ApplicationExtensionProperty" { + BeforeAll { + $testReportPath = join-path $psscriptroot "..\setenv.ps1" + . $testReportPath + + $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid + $testApplicationName = 'Test Demo Name' + $thisTestInstanceId + $global:newMSApplication = New-EntraApplication -DisplayName $testApplicationName + } + + It "should successfully get an application by display name" { + $application = Get-EntraApplication -Filter "DisplayName eq '$($newMSApplication.DisplayName)'" + $application.ObjectId | Should -Be $newMSApplication.Id + $application.AppId | Should -Be $newMSApplication.AppId + $application.DisplayName | Should -Be $newMSApplication.DisplayName + } + + It "should successfully update a application display name" { + $updatedDisplayName = "Update Application Name" + Set-EntraApplication -ObjectId $newMSApplication.ObjectId -DisplayName $updatedDisplayName + $result = Get-EntraApplication -Filter "AppId eq '$($newMSApplication.AppId)'" + $result.ObjectId | Should -Be $newMSApplication.Id + $result.AppId | Should -Be $newMSApplication.AppId + $result.DisplayName | Should -Be "Update Application Name" + } + + It "should successfully create application extension property" { + $global:newMSApplicationExtensionProperty = New-EntraApplicationExtensionProperty -ObjectId $newMSApplication.Id -DataType "string" -Name "NewAttribute" -TargetObjects "Application" + } + + It "should successfully get application extension property" { + $applicationExtensionProperty = Get-EntraApplicationExtensionProperty 
-ObjectId $newMSApplication.Id + $applicationExtensionProperty.ObjectId | Should -Be $newMSApplicationExtensionProperty.Id + $applicationExtensionProperty.Name | Should -Be $newMSApplicationExtensionProperty.Name + + } + + AfterAll { + if ($newMSApplicationExtensionProperty) { + Remove-EntraApplicationExtensionProperty -ObjectId $newMSApplication.Id -ExtensionPropertyId $newMSApplicationExtensionProperty.Id | Out-Null + } + if ($newMSApplication) { + Remove-EntraApplication -ObjectId $newMSApplication.Id | Out-Null + } + } + } +} diff --git a/test/module/Integration/Entra/EntraGroupAppRoleAssignment.Tests.ps1 b/test/module/Integration/Entra/EntraGroupAppRoleAssignment.Tests.ps1 new file mode 100644 index 000000000..25f8a3e2d --- /dev/null +++ b/test/module/Integration/Entra/EntraGroupAppRoleAssignment.Tests.ps1 
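Review bot: The "should successfully create application extension property" test contains no assertion, so it passes even when `New-EntraApplicationExtensionProperty` returns nothing, and the failure only surfaces as a null comparison in the following Get test; add `$newMSApplicationExtensionProperty.Name | Should -Be "NewAttribute"` after the assignment. `Set-EntraApplication -ObjectId $newMSApplication.ObjectId` reads `.ObjectId` from the object returned by `New-EntraApplication`, while every other reference in this file uses `$newMSApplication.Id`; unless that object carries both properties the update is sent with an empty id, so `-ObjectId $newMSApplication.Id` is the safer choice.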
@@ -0,0 +1,108 @@ +# ------------------------------------------------------------------------------ +# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information. +# ------------------------------------------------------------------------------ +Describe "The EntraGroupAppRoleAssignment command executing unmocked" { + + Context "When getting GroupAppRoleAssignment" { + BeforeAll { + $testReportPath = join-path $psscriptroot "..\setenv.ps1" + . $testReportPath + + $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid + $global:displayName = 'DemoName' + $thisTestInstanceId + + $global:newGroup = New-EntraGroup -DisplayName $displayName -MailEnabled $false -SecurityEnabled $true -MailNickName $displayName + } + + It "should successfully get a specific group by using an Id" { + $group = Get-EntraGroup -ObjectId $newGroup.Id + $group.Id | Should -Be $newGroup.Id + $group.DisplayName | Should -Be $displayName + } + + It "should successfully update a group display name" { + $global:updatedDisplayName = "Demo Name 2" + Set-EntraGroup -Id $newGroup.Id -DisplayName $updatedDisplayName + $result = Get-EntraGroup -ObjectId $newGroup.Id + $result.Id | Should -Contain $newGroup.Id + } + + It "should successfully create application" { + $types = @() + $types += 'User' + $approle = New-Object Microsoft.Open.MSGraph.Model.AppRole + $approle.AllowedMemberTypes = $types + $approle.Description = 'msiam_access' + $approle.DisplayName = 'msiam_access' + $approle.Id = '643985ce-3eaf-4a67-9550-ecca25cb6814' + $approle.Value = 'Application' + $approle.IsEnabled = $true + $applicationDisplayName = "Demo new application" + $global:createdApplication = New-EntraApplication -DisplayName $applicationDisplayName -AppRoles $approle + $createdApplication.DisplayName | Should -Be $applicationDisplayName + } + + It "should successfully get application" { + $global:getCreatedApplication = 
Get-EntraApplication -ObjectId $createdApplication.Id + $getCreatedApplication.DisplayName | Should -Be $createdApplication.DisplayName + $getCreatedApplication.Id | Should -Be $createdApplication.Id + $getCreatedApplication.AppId | Should -Be $createdApplication.AppId + } + + It "should successfully update application display name" { + $global:updateApplicationDisplayName = "Update demo application" + Set-EntraApplication -ObjectId $getCreatedApplication.Id -DisplayName $updateApplicationDisplayName + + $global:getUpdatedCreatedApplication = Get-EntraApplication -ObjectId $getCreatedApplication.Id + $getUpdatedCreatedApplication.DisplayName | Should -Be $updateApplicationDisplayName + $getUpdatedCreatedApplication.Id | Should -Be $getCreatedApplication.Id + $getUpdatedCreatedApplication.AppId | Should -Be $getCreatedApplication.AppId + } + + It "should successfully create and get service principal" { + $global:MyApp = Get-EntraApplication -Filter "DisplayName eq '$($getUpdatedCreatedApplication.DisplayName)'" + + New-EntraServicePrincipal -AccountEnabled $true -AppId $MyApp.AppId -AppRoleAssignmentRequired $true -DisplayName $MyApp.DisplayName -Tags {"WindowsAzureActiveDirectoryIntegratedApp"} + $global:createdServicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq '$($MyApp.DisplayName)'" + $createdServicePrincipal.AppId | Should -Be $MyApp.AppId + $createdServicePrincipal.DisplayName | Should -Be $MyApp.DisplayName + } + + It "should successfully update the account of a service principal" { + Set-EntraServicePrincipal -ObjectId $createdServicePrincipal.Id -AccountEnabled $False + $disableServicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq '$($MyApp.DisplayName)'" + $disableServicePrincipal.AppId | Should -Be $MyApp.AppId + $disableServicePrincipal.DisplayName | Should -Be $MyApp.DisplayName + + Set-EntraServicePrincipal -ObjectId $createdServicePrincipal.Id -AccountEnabled $True + $global:updatedServicePrincipal = 
Get-EntraServicePrincipal -Filter "DisplayName eq '$($MyApp.DisplayName)'" + $updatedServicePrincipal.AppId | Should -Be $MyApp.AppId + $updatedServicePrincipal.DisplayName | Should -Be $MyApp.DisplayName + } + + It "should successfully assign a group of users to an application" { + New-EntraGroupAppRoleAssignment -ObjectId $newGroup.ObjectId -PrincipalId $newGroup.ObjectId -ResourceId $updatedServicePrincipal.ObjectId -Id $updatedServicePrincipal.Approles[0].id + } + + It "should successfully retrieve application role assignments of a group" { + $global:getGroupAppRoleAssignment = Get-EntraGroupAppRoleAssignment -ObjectId $newGroup.Id + $getGroupAppRoleAssignment.ResourceDisplayName | Should -Be $createdServicePrincipal.DisplayName + $getGroupAppRoleAssignment.PrincipalDisplayName | Should -Be $updatedDisplayName + } + + AfterAll { + if ( $getGroupAppRoleAssignment) { + Remove-EntraGroupAppRoleAssignment -ObjectId $newGroup.Id -AppRoleAssignmentId $getGroupAppRoleAssignment.Id | Out-Null + } + if ( $updatedServicePrincipal) { + Remove-EntraServicePrincipal -ObjectId $updatedServicePrincipal.Id | Out-Null + } + if ( $getUpdatedCreatedApplication) { + Remove-EntraApplication -ObjectId $getUpdatedCreatedApplication.Id | Out-Null + } + if ($newGroup) { + Remove-EntraGroup -ObjectId $newGroup.Id | Out-Null + } + } + } +} \ No newline at end of file diff --git a/test/module/Integration/Entra/EntraLifecyclePolicyGroup.Tests.ps1 b/test/module/Integration/Entra/EntraLifecyclePolicyGroup.Tests.ps1 new file mode 100644 index 000000000..323568986 --- /dev/null +++ b/test/module/Integration/Entra/EntraLifecyclePolicyGroup.Tests.ps1 
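Review bot: The application is created with the fixed name `"Demo new application"` and later looked up through `Get-EntraApplication -Filter "DisplayName eq '...'"` and `Get-EntraServicePrincipal -Filter "DisplayName eq '...'"`, so a leftover application from an earlier failed run, or a concurrent run against the same tenant, turns `$MyApp` and `$createdServicePrincipal` into arrays and the `-AppId $MyApp.AppId` call fails; suffix the name with `$thisTestInstanceId` as the group already is, or filter on `AppId`, which is unique. `-Tags {"WindowsAzureActiveDirectoryIntegratedApp"}` passes a script-block literal rather than an array; if the parameter is string[] the stored tag may carry the literal quotes, so `-Tags @("WindowsAzureActiveDirectoryIntegratedApp")` is presumably what is meant. The "should successfully assign a group of users to an application" test asserts nothing about the result of `New-EntraGroupAppRoleAssignment`; capture it and assert `$assignment.PrincipalId | Should -Be $newGroup.Id` so a silent failure is caught where it happens.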
@@ -0,0 +1,84 @@ +# ------------------------------------------------------------------------------ +# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information. +# ------------------------------------------------------------------------------ +Describe "The EntraLifecyclePolicyGroup command executing unmocked" { + + Context "When getting LifecyclePolicyGroup" { + BeforeAll { + $testReportPath = join-path $psscriptroot "..\setenv.ps1" + . $testReportPath + + $thisTestInstanceId = New-Guid | Select-Object -ExpandProperty Guid + $global:displayName = 'Demo Help Group' + $thisTestInstanceId + $testNickname = "test" + $thisTestInstanceId + $global:newMSGroup = New-EntraGroup -DisplayName $displayName -MailEnabled $false -MailNickname $testNickname -SecurityEnabled $true -GroupTypes "unified" + Start-Sleep -Seconds 10 + } + + It "should successfully get a specific group by using an group Id" { + $group = Get-EntraGroup -ObjectId $newMSGroup.Id + $group.ObjectId | Should -Be $newMSGroup.Id + $group.DisplayName | Should -Be $displayName + } + + It "should successfully update a group display name" { + $updatedDisplayName = "Update Help Group Name" + Set-EntraGroup -Id $newMSGroup.Id -DisplayName $updatedDisplayName + $result = Get-EntraGroup -ObjectId $newMSGroup.Id + $result.Id | Should -Contain $newMSGroup.Id + } + + It "should successfully Create a lifecycle policy" { + try { + $existingPolicy = Get-EntraGroupLifecyclePolicy + Remove-EntraGroupLifecyclePolicy -Id $existingPolicy.Id + } + catch {} + $global:testGroupPolicy = New-EntraGroupLifecyclePolicy -GroupLifetimeInDays 99 -ManagedGroupTypes "Selected" -AlternateNotificationEmails "example@contoso.un" + } + + It "should successfully retrieve properties of an groupLifecyclePolicy" { + $groupLifecyclePolicy = Get-EntraGroupLifecyclePolicy -Id $testGroupPolicy.Id + + $groupLifecyclePolicy.Id | Should -Be $testGroupPolicy.Id + 
$groupLifecyclePolicy.GroupLifetimeInDays | Should -Be 99 + $groupLifecyclePolicy.ManagedGroupTypes | Should -Contain "Selected" + $groupLifecyclePolicy.AlternateNotificationEmails | Should -Contain "example@contoso.un" + } + + It "should successfully update groupLifecyclePolicy" { + $alternateNotificationEmails = "admingroup@contoso.en" + $global:updatedGroupLifecyclePolicy = Set-EntraGroupLifecyclePolicy -Id $testGroupPolicy.Id -GroupLifetimeInDays 200 -AlternateNotificationEmails $alternateNotificationEmails -ManagedGroupTypes "Selected" + + $updatedGroupLifecyclePolicy.Id | Should -Be $testGroupPolicy.Id + $updatedGroupLifecyclePolicy.GroupLifetimeInDays | Should -Be 200 + $updatedGroupLifecyclePolicy.ManagedGroupTypes | Should -Contain "Selected" + $updatedGroupLifecyclePolicy.AlternateNotificationEmails | Should -Contain $alternateNotificationEmails + } + + It "should successfully associate the group with the lifecycle policy" { + $testLifePolicyGroup = Add-EntraLifecyclePolicyGroup -Id $testGroupPolicy.Id -GroupId $newMSGroup.Id + $testLifePolicyGroup.ObjectId | Should -BeNullOrEmpty + } + + It "should successfully retrieve details of a LifecyclePolicyGroup" { + $global:lifecyclePolicyGroup = Get-EntraLifecyclePolicyGroup -Id $newMSGroup.Id + $lifecyclePolicyGroup.ObjectId | Should -Be $testGroupPolicy.Id + $lifecyclePolicyGroup.GroupLifetimeInDays | Should -Be 200 + $lifecyclePolicyGroup.ManagedGroupTypes | Should -Contain "Selected" + $lifecyclePolicyGroup.AlternateNotificationEmails | Should -Contain $updatedGroupLifecyclePolicy.AlternateNotificationEmails + } + + AfterAll { + if ($lifecyclePolicyGroup) { + Remove-EntraLifecyclePolicyGroup -Id $lifecyclePolicyGroup.Id -GroupId $newMSGroup.Id | Out-Null + } + if ($updatedGroupLifecyclePolicy) { + Remove-EntraGroupLifecyclePolicy -Id $updatedGroupLifecyclePolicy.Id | Out-Null + } + if ($newMSGroup) { + Remove-EntraGroup -ObjectId $newMSGroup.Id | Out-Null + } + } + } +} 
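Review bot: The "should successfully Create a lifecycle policy" test deletes whatever group lifecycle policy already exists in the tenant (`Remove-EntraGroupLifecyclePolicy -Id $existingPolicy.Id`) inside a bare `try { } catch {}`, which destroys pre-existing tenant-wide configuration the test did not create and never restores in AfterAll, while the empty catch hides the reason when the removal fails. An integration test should not silently rewrite tenant policy: either skip with a clear message when `Get-EntraGroupLifecyclePolicy` returns a policy, e.g. `Set-ItResult -Skipped -Because 'tenant already has a group lifecycle policy'`, or capture the existing policy's settings and recreate it in AfterAll. `Start-Sleep -Seconds 10` in BeforeAll is a fixed wait for replication and would be more robust as a short retry loop around the first `Get-EntraGroup`.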
diff --git a/test/module/Integration/Entra/Scenario1.Tests.ps1 b/test/module/Integration/Entra/Scenario1.Tests.ps1
new file mode 100644
index 000000000..246f4ba32
--- /dev/null
+++ b/test/module/Integration/Entra/Scenario1.Tests.ps1
@@ -0,0 +1,264 @@ +# ------------------------------------------------------------------------------ +# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information. +# ------------------------------------------------------------------------------ +BeforeAll { + $testReportPath = join-path $psscriptroot "..\setenv.ps1" + . $testReportPath + $password = $env:USER_PASSWORD +} +Describe "Integration Testing" { + + Context "Scen1: Creating Applications and attaching secrets to that newly created application"{ + It "Creating New Application"{ + $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid + $global:testAppName = 'SimpleTestApp' + $thisTestInstanceId + $global:newApp = New-EntraApplication -DisplayName $testAppName + $newApp.DisplayName | Should -Be $testAppName + } + It "Attaching a Secret to the Application"{ + $global:Result = New-EntraApplicationPasswordCredential -ObjectId $newApp.Id -CustomKeyIdentifier "MySecret" + } + It "Verification of Application Creation"{ + $global:application = Get-EntraApplication -ObjectId $newApp.Id + $application.DisplayName | Should -Be $testAppName + } + It "Verification of Attached Secret"{ + $application.PasswordCredentials.KeyId | Should -be $Result.KeyId + } + } + Context "Scen3: Create Service Principal to the newly created application"{ + It "Creation of the Service Principal"{ + $global:newServicePrincipal = New-EntraServicePrincipal -AppId $newApp.AppId + $newServicePrincipal.AppId | Should -Be $application.AppId + } + } + Context "Scen2: Create Gallery application and setup PreferredSingleSignOn Mode to the application"{ + It "Setting PreferredSingleSignOn Mode to the application"{ + Set-EntraServicePrincipal -ObjectId $newServicePrincipal.ObjectId -PreferredSingleSignOnMode 'password' + } + It "Verification of ServicePricipal Creation and Updated PreferredSingleSignOn"{ + $global:servicePrincipal= 
Get-EntraServicePrincipal -ObjectId $newServicePrincipal.ObjectId + $servicePrincipal.DisplayName | Should -Be $testAppName + $servicePrincipal.PreferredSingleSignOnMode | Should -Be 'password' + } + } + Context "Scen4: Configure App ID URI and Redirect URIs on the newly created application"{ + It "Configuring the App ID URI and Redirect URI"{ + Set-EntraApplication -ObjectId $newApp.Id -IdentifierUris @("IdentifierUri.com") -Web @{RedirectUris = 'https://contoso.com'} + } + It "Verifying the App ID URI configuration and Redirect URI"{ + $updatedApp = Get-EntraApplication -ObjectId $newApp.Id | ConvertTo-json | ConvertFrom-json + $updatedApp.IdentifierUris | Should -Be "IdentifierUri.com" + $updatedApp.Web.RedirectUris | Should -Be "https://contoso.com" + } + } + Context "Scen5: Create AppRoles to the Application"{ + It "Create Approles"{ + $types = @() + $types += 'Application' + $approle = New-Object Microsoft.Open.MSGraph.Model.AppRole + $approle.AllowedMemberTypes = $types + $approle.Description = 'msiam_access' + $approle.DisplayName = 'msiam_access' + $approle.Id = '643985ce-3eaf-4a67-9550-ecca25cb6814' + $approle.Value = 'Application' + $approle.IsEnabled = $true + + # Assign approles to existing applictaion + $global:AppUpdate = Set-EntraApplication -ObjectId $newApp.Id -AppRoles $approle + } + It "Verification of created Approles"{ + $global:updatedApp = Get-EntraApplication -ObjectId $newApp.Id + $updatedApp.AppRoles.DisplayName | Should -Be 'msiam_access' + $updatedApp.AppRoles.Id | Should -Be '643985ce-3eaf-4a67-9550-ecca25cb6814' + $updatedApp.AppRoles.Value | Should -Be 'Application' + } + } + Context "Scen6: Assign user and groups to the newly created Service Principal and set right AppRole to it"{ + It "Creating user"{ + $domain = (Get-EntraTenantDetail).VerifiedDomains.Name + $thisTestInstanceId = (New-Guid).Guid.ToString() + $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5) + $user = 'SimpleTestUserss' + 
$thisTestInstanceId + $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile.Password = $password + $global:existingUser = New-EntraUser -AccountEnabled $true -DisplayName $user -PasswordProfile $PasswordProfile -MailNickName $user -UserPrincipalName "$user@$domain" + } + It "Assigning users to the Service Principal and setting the correct AppRole for the Service Principal"{ + $global:existUser = Get-EntraUser -ObjectId $existingUser.Id + Add-EntraServicePrincipalOwner -ObjectId $servicePrincipal.Id -RefObjectId $existUser.Id + + $global:AppRoletoServicePrincipal = New-EntraServiceAppRoleAssignment -ObjectId $servicePrincipal.Id -ResourceId $servicePrincipal.Id -Id $updatedApp.AppRoles.Id -PrincipalId $existUser.ObjectId + } + It "Verification of assigned group to service principal"{ + $PrincipalOwners= Get-EntraServicePrincipalOwner -ObjectId $servicePrincipal.Id + $PrincipalOwners.Id | Should -Contain $existUser.Id + + $RoleAssignment = Get-EntraServiceAppRoleAssignment -ObjectId $servicePrincipal.Id + $RoleAssignment.AppRoleId | Should -Be $AppRoletoServicePrincipal.AppRoleId + } + } + Context "Scen7: Create a new user and add that user to an existing group"{ + It "Creating the user"{ + $domain = (Get-EntraTenantDetail).VerifiedDomains.Name + $thisTestInstanceId = (New-Guid).Guid.ToString() + $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5) + $user = 'SimpleTestUserss' + $thisTestInstanceId + $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile.Password = $password + $global:NewUser = New-EntraUser -AccountEnabled $true -DisplayName $user -PasswordProfile $PasswordProfile -MailNickName $user -UserPrincipalName "$user@$domain" + } + It "Creating a new Group"{ + $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId + $global:ExistingGroup = New-EntraGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true 
-MailNickName "NickName" + } + It "Adding the user to an existing group"{ + $global:ExistGroup = Get-EntraGroup -ObjectId $ExistingGroup.Id + Add-EntraGroupMember -ObjectId $ExistGroup.ObjectId -RefObjectId $NewUser.ObjectId + } + It "Verification of new user's addition to the existing group"{ + $GetMemb = Get-EntraGroupMember -ObjectId $ExistGroup.ObjectId + $GetMemb.Id | Should -Contain $NewUser.Id + } + } + Context "Scen8:Create a new group and add existing user to that group"{ + It "Creating a new Group"{ + $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId + $global:NewGroup = New-EntraGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true -MailNickName "NickName" + } + It "Adding existing user to new group"{ + $ExistUser = Get-EntraUser -ObjectId $existingUser.Id + Add-EntraGroupMember -ObjectId $NewGroup.ObjectId -RefObjectId $ExistUser.ObjectId + } + It "Verification of exixting user's addition to the new group"{ + $User = Get-EntraUser -ObjectId $existingUser.Id + $GetMember = Get-EntraGroupMember -ObjectId $NewGroup.ObjectId + $GetMember.Id | Should -Contain $User.Id + } + } + Context "Scen9: Create a new user and create a new group and add that new user to the new group"{ + It "Creating a new user and group"{ + $domain = (Get-EntraTenantDetail).VerifiedDomains.Name + $thisTestInstanceId = (New-Guid).Guid.ToString() + $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5) + $testUserName = 'SimpleTestUsers' + $thisTestInstanceId + # Create new User + $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile.Password = $password + $global:NewUser1 = New-EntraUser -AccountEnabled $true -DisplayName $testUserName -PasswordProfile $PasswordProfile -MailNickName $testUserName -UserPrincipalName "$testUserName@$domain" + + $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId + $global:NewGroup1 = New-EntraGroup -DisplayName $testGrpName -MailEnabled $false 
-SecurityEnabled $true -MailNickName "NickName" + } + It "Adding New User to New group"{ + Add-EntraGroupMember -ObjectId $NewGroup1.ObjectId -RefObjectId $NewUser1.ObjectId + } + } + Context "Scen10: Create a new user and add the user to the newly created group and check that user is Member of the group"{ + It "Creating a new user and group"{ + $domain = (Get-EntraTenantDetail).VerifiedDomains.Name + $thisTestInstanceId = (New-Guid).Guid.ToString() + $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5) + $testUserName = 'SimpleTestUsers' + $thisTestInstanceId + # Create new User + $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile.Password = $password + $global:NewUser2 = New-EntraUser -AccountEnabled $true -DisplayName $testUserName -PasswordProfile $PasswordProfile -MailNickName $testUserName -UserPrincipalName "$testUserName@$domain" + + $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId + $global:NewGroup2 = New-EntraGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true -MailNickName "NickName" + } + It "Adding New User to New group"{ + Add-EntraGroupMember -ObjectId $NewGroup2.ObjectId -RefObjectId $NewUser2.ObjectId + } + It "Verification of User is Member of the group"{ + $GetMember = Get-EntraUserMembership -ObjectId $NewUser2.Id + $GetMember.Id | Should -Contain $NewGroup2.Id + } + } + Context "Scen11: Create a new user and assign that user to the existing Service Principal"{ + It "Creating a new user and assign that user to the existing Service Principal"{ + $domain = (Get-EntraTenantDetail).VerifiedDomains.Name + $thisTestInstanceId = (New-Guid).Guid.ToString() + $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5) + $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid + $Tuser = 'SimpleTestUsers' + $thisTestInstanceId + $PasswordProfile = New-Object -TypeName 
Microsoft.Open.AzureAD.Model.PasswordProfile + $PasswordProfile.Password = $password + $global:NewUser3 = New-EntraUser -AccountEnabled $true -DisplayName $Tuser -PasswordProfile $PasswordProfile -MailNickName $Tuser -UserPrincipalName "$Tuser@$domain" + Add-EntraServicePrincipalOwner -ObjectId $servicePrincipal.Id -RefObjectId $NewUser3.Id + } + It "Verfication of assigned User"{ + $GetOwner = Get-EntraServicePrincipalOwner -ObjectId $servicePrincipal.Id + $GetOwner.Id | Should -Contain $NewUser3.Id + } + } + # Context "Scen12: Create a new conditional access policy and attach that policy to the Service Principal"{ + # It "Creating a new conditional access policy and attach that policy to the Service Principal"{ + # $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid + # $testpolicyName = 'Simplepolicy' + $thisTestInstanceId + + # $Condition = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet + # $Condition.clientAppTypes = @("mobileAppsAndDesktopClients","browser") + # $Condition.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition + # $Condition.Applications.IncludeApplications = $NewServicePrincipal.AppId + # $Condition.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition + # $Condition.Users.IncludeUsers = "all" + + # $Controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls + # $Controls._Operator = "AND" + # $Controls.BuiltInControls = @("mfa") + + # $SessionControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls + # $ApplicationEnforcedRestrictions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationEnforcedRestrictions + # $ApplicationEnforcedRestrictions.IsEnabled = $true + # $SessionControls.applicationEnforcedRestrictions = $ApplicationEnforcedRestrictions + + # $global:NewConditionalAccessPolicy = New-EntraConditionalAccessPolicy 
-DisplayName $testpolicyName -State enabled -Conditions $Condition -GrantControls $Controls -SessionControls $SessionControls + # } + # It "Verification of attached policy"{ + # $result = Get-EntraConditionalAccessPolicy -policyid $NewConditionalAccessPolicy.Id + # $result.Conditions.Applications.IncludeApplications | should -Be $NewServicePrincipal.AppId + # } + # } + # Context "Scen13: Create new claims issuance policy and attach that to the Service Principal"{ + # It "Creating policy"{ + # $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid + # $testpolicyName = 'Simplepolicy' + $thisTestInstanceId + # $global:NewPolicy = New-EntraPolicy -Definition @('{ "definition": [ "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"userPrincipalName\",\"SAMLClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"JwtClaimType\":\"upn\"},{\"Source\":\"user\",\"ID\":\"displayName\",\"SAMLClaimType\":\"http://schemas.microsoft.com/identity/claims/displayname\",\"JwtClaimType\":\"name\"}]}}" ], "displayName": "Custom Claims Issuance Policy", "isOrganizationDefault": false }') -DisplayName $testpolicyName -Type "claimsMappingPolicies" -IsOrganizationDefault $false + # } + # It "Attaching Policy to service principal"{ + # Add-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id -RefObjectId $NewPolicy.Id + # } + # It "Verification of added policy to service principal"{ + # $result = Get-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id + # $result.Id | should -Contain $NewPolicy.Id + # } + # } + # Context "Scene14: Remove the policy attached to the existing Service Principal"{ + # It "Removing the policy attached"{ + # Remove-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id -PolicyId $NewPolicy.Id + # $retrivePolicy = Get-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id + # $retrivePolicy.Id | should -Not -Contain $NewPolicy.Id + # } + # } + + 
AfterAll { + Remove-EntraGroupMember -ObjectId $ExistGroup.ObjectId -MemberId $NewUser.ObjectId + Remove-EntraGroupMember -ObjectId $NewGroup.ObjectId -MemberId $ExistUser.ObjectId + Remove-EntraGroupMember -ObjectId $NewGroup1.ObjectId -MemberId $NewUser1.ObjectId + Remove-EntraGroupMember -ObjectId $NewGroup2.ObjectId -MemberId $NewUser2.ObjectId + + foreach ($app in (Get-EntraApplication -SearchString "SimpleTestApp")) { + Remove-EntraApplication -ObjectId $app.Id | Out-Null + } + foreach ($user in (Get-EntraUser -SearchString "SimpleTestUsers")) { + Remove-EntraUser -ObjectId $user.Id | Out-Null + } + foreach ($group in (Get-EntraGroup -SearchString "SimpleTestGroup")) { + Remove-EntraGroup -ObjectId $group.Id | Out-Null + } + # Remove-EntraConditionalAccessPolicy -PolicyId $NewConditionalAccessPolicy.Id + # Remove-EntraPolicy -Id $NewPolicy.Id + } +} diff --git a/test/module/Integration/Entra/Scenario2.Tests.ps1 b/test/module/Integration/Entra/Scenario2.Tests.ps1 new file mode 100644 index 000000000..66b3aa1ab --- /dev/null +++ b/test/module/Integration/Entra/Scenario2.Tests.ps1 
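Review bot: The AfterAll teardown deletes every application, user and group whose display name matches `-SearchString "SimpleTestApp"`, `"SimpleTestUsers"` and `"SimpleTestGroup"`, not only the objects this run created, so two runs against the same tenant can delete each other's objects mid-test and any unrelated object with that prefix goes with them; the same sweep is in Scenario2.Tests.ps1. Every created object is already held in a `$global:` variable, so the teardown should remove those ids, guarded with `if ($var)` as the other files do, instead of searching by name. The `$thisTestInstanceId` assigned inside "Creating the user" is reused by the later "Creating a new Group" It blocks of Scen7 and Scen8; if Pester scopes It-local variables per block, `$testGrpName` there degrades to the bare `'SimpleTestGroup'` prefix, so assign the id with `$global:` or in a BeforeAll. Note also that `$global:NewUser` here, `$global:NewUser` in Scenario2 and `$global:newUser` in Add-EntraGroupOwner.Tests.ps1 are the same case-insensitive variable when the files run in one session.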
@@ -0,0 +1,94 @@
+# ------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information.
+# ------------------------------------------------------------------------------
+BeforeAll {
+ $testReportPath = join-path $psscriptroot "..\setenv.ps1"
+ . $testReportPath
+ $password = $env:USER_PASSWORD
+}
+Describe "Integration Testing" {
+
+ Context "Scen1: Assign Entra roles including assign roles with different scopes"{
+ It "Get user and role"{
+ $domain = (Get-EntraTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $testUserName = 'SimpleTestUsers' + $thisTestInstanceId
+ # Create new User
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:NewUser = New-EntraUser -AccountEnabled $true -DisplayName $testUserName -PasswordProfile $PasswordProfile -MailNickName $testUserName -UserPrincipalName "$testUserName@$domain"
+
+ $global:role = Get-EntraDirectoryRole | Where-Object {$_.DisplayName -eq "Application Administrator"}
+ }
+ It "Assign Entra roles"{
+ $scope = "/"
+ # Assign the role to the user with the defined scope
+ $params = @{
+ RoleDefinitionId = $role.Id
+ PrincipalId = $NewUser.Id
+ DirectoryScopeId = $scope
+ }
+ $global:newRole=New-EntraRoleAssignment @params
+ }
+ It "Verification of assigned role Creation"{
+ $global:assignedRole = Get-EntraRoleAssignment -Filter "PrincipalId eq '$($NewUser.Id)'"
+ $assignedRole.Id | Should -Be $newRole.Id
+ }
+ }
+ # Context "Create custom roles"{
+ # It "Creating custom roles"{
+ # $RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+ # $RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read")
+ # $params = @{
+ # RolePermissions = $RolePermissions
+ # IsEnabled = $false
+ # DisplayName = 'SimpleTestRoleDefinition'
+ # ResourceScopes = '/'
+ # }
+ # $global:customRole=New-EntraRoleDefinition @params
+ # }
+ # It "Verification of custom role created"{
+ # $global:getRole = Get-EntraRoleDefinition -Filter "DisplayName eq 'SimpleTestRoleDefinition'"
+ # $getRole.Id | Should -Contain $customRole.Id
+ # }
+ # }
+ Context "Add or deactivate custom security attribute definitions in Microsoft Entra ID"{
+ It "Adding custom security attribute definitions"{
+ $thisTestInstanceId = Get-Random -Minimum 10000 -Maximum 100000
+ $testName = 'TestDefinition' + $thisTestInstanceId
+ $AttributeSet = Get-EntraAttributeSet -Id 'Testing'
+ $params = @{
+ Name = $testName
+ Description = 'Target completion'
+ Type = 'String'
+ Status = 'Available'
+ AttributeSet = $AttributeSet.Id
+ IsCollection = $False
+ IsSearchable = $True
+ UsePreDefinedValuesOnly = $True
+ }
+ $global:Definition = New-EntraCustomSecurityAttributeDefinition @params
+ }
+ It "Deactivate custom security attribute definition"{
+ $params = @{
+ Id = $Definition.Id
+ Description = 'Target completion'
+ Status = 'Deprecated'
+ }
+ Set-EntraCustomSecurityAttributeDefinition @params
+ }
+ It "Verification of deactivation of custom security attribute definition"{
+ $global:getDefinition = Get-EntraCustomSecurityAttributeDefinition -Id $Definition.Id
+ $getDefinition.Status | Should -Be 'Deprecated'
+ }
+ }
+ AfterAll {
+ Remove-EntraRoleAssignment -Id $assignedRole.Id
+ foreach ($user in (Get-EntraUser -SearchString "SimpleTestUsers")) {
+ Remove-EntraUser -ObjectId $user.Id | Out-Null
+ }
+ # Remove-EntraRoleDefinition -Id $getRole.Id
+
+ }
+}
diff --git a/test/module/Integration/EntraBeta/EntraBetaObjectSetting.Tests.ps1 b/test/module/Integration/EntraBeta/EntraBetaObjectSetting.Tests.ps1
new file mode 100644
index 000000000..9a53d50b9
--- /dev/null
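Review bot: The custom security attribute definition created in "Adding custom security attribute definitions" is only moved to Status 'Deprecated' and never removed in AfterAll, so every run leaves a `TestDefinition<random>` entry in the shared tenant; if the Graph API does not allow deleting definitions, which I believe is the case, the suite should reuse one fixed definition and flip its status rather than create a fresh one per run. The role assignment in "Assign Entra roles" grants the tenant-wide "Application Administrator" role (scope "/") to a user created with the password from setenv.ps1, and `Remove-EntraRoleAssignment -Id $assignedRole.Id` only works if the verification It populated `$global:assignedRole`; removing by `$newRole.Id` would not depend on a later test passing. `Get-EntraRoleAssignment -Filter "PrincipalId eq '...'"` can also return more than one assignment, which would make `$assignedRole.Id | Should -Be $newRole.Id` fail and leave the privileged assignment in place until the user sweep runs. The same two points apply to the EntraBeta Scenario2 hunk below.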
+++ b/test/module/Integration/EntraBeta/EntraBetaObjectSetting.Tests.ps1 
@@ -0,0 +1,49 @@
+# ------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information.
+# ------------------------------------------------------------------------------
+Describe "The EntraBetaObjectSetting commands executing unmocked" {
+
+ Context "When Changing group settings" {
+ BeforeAll {
+ $testReportPath = join-path $psscriptroot "..\setenv.ps1"
+ . $testReportPath
+
+ $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid
+ $testGroupName = 'SimpleTestAppRead' + $thisTestInstanceId
+ $global:testGroup = New-EntraBetaGroup -DisplayName $testGroupName -MailEnabled $false -SecurityEnabled $true -MailNickName $testGroupName -Description $testGroupName
+ }
+
+ It "Should successfully block guest access" {
+ $template = Get-EntraBetaDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
+ $settingsCopy = $template.CreateDirectorySetting()
+ $settingsCopy["AllowToAddGuests"]=$False
+
+ $groupID= (Get-EntraBetaGroup -ObjectId $testGroup.Id).ObjectId
+ $global:newObjectSetting = New-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy
+
+ $ObjectSettings = Get-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $testGroup.Id
+ $ObjectSettings.values.value | Should -be 'False'
+ }
+
+ It "Should successfully allow guest access" {
+ $template = Get-EntraBetaDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
+ $settingsCopy = $template.CreateDirectorySetting()
+ $settingsCopy["AllowToAddGuests"]=$True
+
+ $groupID= (Get-EntraBetaGroup -ObjectId $testGroup.Id).ObjectId
+ Set-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy -Id $newObjectSetting.Id
+
+ $ObjectSettings = Get-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $testGroup.Id
+ $ObjectSettings.values.value | Should -be 'True'
+ }
+
+ AfterAll {
+ $groupId = (Get-EntraBetaGroup -ObjectId $testGroup.Id).ObjectId
+ Remove-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $groupId -Id $newObjectSetting.Id
+ $ObjectSettings = Get-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $testGroup.Id
+ $ObjectSettings | Should -BeNullorEmpty
+
+ Remove-EntraBetaGroup -ObjectId $groupId
+ }
+ }
+}
\ No newline at end of file
diff --git a/test/module/Integration/EntraBeta/Scenario1.Tests.ps1 b/test/module/Integration/EntraBeta/Scenario1.Tests.ps1
new file mode 100644
index 000000000..c6bc74270
--- /dev/null
+++ b/test/module/Integration/EntraBeta/Scenario1.Tests.ps1
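Review bot: `$ObjectSettings | Should -BeNullorEmpty` inside AfterAll sits between `Remove-EntraBetaObjectSetting` and `Remove-EntraBetaGroup`, so if the setting removal fails or the setting is still returned, the assertion throws and the group created in BeforeAll is never deleted, leaking it into the shared tenant. Teardown should not carry assertions: move the check into a final It, or at least wrap it so the group removal always runs. Minor style point: `?` is an alias that is discouraged in scripts; `Where-Object` reads better in a committed test file.
```powershell
AfterAll {
    $groupId = (Get-EntraBetaGroup -ObjectId $testGroup.Id).ObjectId
    try {
        Remove-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $groupId -Id $newObjectSetting.Id
        $ObjectSettings = Get-EntraBetaObjectSetting -TargetType Groups -TargetObjectId $testGroup.Id
        $ObjectSettings | Should -BeNullorEmpty
    } finally {
        # always runs, even when the assertion above throws
        Remove-EntraBetaGroup -ObjectId $groupId
    }
}
```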
@@ -0,0 +1,264 @@
+# ------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information.
+# ------------------------------------------------------------------------------
+BeforeAll {
+ $testReportPath = join-path $psscriptroot "..\setenv.ps1"
+ . $testReportPath
+ $password = $env:USER_PASSWORD
+}
+Describe "Integration Testing" {
+
+ Context "Scen1: Creating Applications and attaching secrets to that newly created application"{
+ It "Creating New Application"{
+ $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid
+ $global:testAppName = 'SimpleTestApp' + $thisTestInstanceId
+ $global:newApp = New-EntraBetaApplication -DisplayName $testAppName
+ $newApp.DisplayName | Should -Be $testAppName
+ }
+ It "Attaching a Secret to the Application"{
+ $global:Result = New-EntraBetaApplicationPasswordCredential -ObjectId $newApp.Id -CustomKeyIdentifier "MySecret"
+ }
+ It "Verification of Application Creation"{
+ $global:application = Get-EntraBetaApplication -ObjectId $newApp.Id
+ $application.DisplayName | Should -Be $testAppName
+ }
+ It "Verification of Attached Secret"{
+ $application.PasswordCredentials.KeyId | Should -be $Result.KeyId
+ }
+ }
+ Context "Scen3: Create Service Principal to the newly created application"{
+ It "Creation of the Service Principal"{
+ $global:newServicePrincipal = New-EntraBetaServicePrincipal -AppId $newApp.AppId
+ $newServicePrincipal.AppId | Should -Be $application.AppId
+ }
+ }
+ Context "Scen2: Create Gallery application and setup PreferredSingleSignOn Mode to the application"{
+ It "Setting PreferredSingleSignOn Mode to the application"{
+ Set-EntraBetaServicePrincipal -ObjectId $newServicePrincipal.ObjectId -PreferredSingleSignOnMode 'password'
+ }
+ It "Verification of ServicePricipal Creation and Updated PreferredSingleSignOn"{
+ $global:servicePrincipal= Get-EntraBetaServicePrincipal -ObjectId $newServicePrincipal.ObjectId
+ $servicePrincipal.DisplayName | Should -Be $testAppName
+ $servicePrincipal.PreferredSingleSignOnMode | Should -Be 'password'
+ }
+ }
+ Context "Scen4: Configure App ID URI and Redirect URIs on the newly created application"{
+ It "Configuring the App ID URI and Redirect URI"{
+ Set-EntraBetaApplication -ObjectId $newApp.Id -IdentifierUris @("IdentifierUri.com") -Web @{RedirectUris = 'https://contoso.com'}
+ }
+ It "Verifying the App ID URI configuration and Redirect URI"{
+ $updatedApp = Get-EntraBetaApplication -ObjectId $newApp.Id | ConvertTo-json | ConvertFrom-json
+ $updatedApp.IdentifierUris | Should -Be "IdentifierUri.com"
+ $updatedApp.Web.RedirectUris | Should -Be "https://contoso.com"
+ }
+ }
+ Context "Scen5: Create AppRoles to the Application"{
+ It "Create Approles"{
+ $types = @()
+ $types += 'Application'
+ $approle = New-Object Microsoft.Open.MSGraph.Model.AppRole
+ $approle.AllowedMemberTypes = $types
+ $approle.Description = 'msiam_access'
+ $approle.DisplayName = 'msiam_access'
+ $approle.Id = '643985ce-3eaf-4a67-9550-ecca25cb6814'
+ $approle.Value = 'Application'
+ $approle.IsEnabled = $true
+
+ # Assign approles to existing applictaion
+ $global:AppUpdate = Set-EntraBetaApplication -ObjectId $newApp.Id -AppRoles $approle
+ }
+ It "Verification of created Approles"{
+ $global:updatedApp = Get-EntraBetaApplication -ObjectId $newApp.Id
+ $updatedApp.AppRoles.DisplayName | Should -Be 'msiam_access'
+ $updatedApp.AppRoles.Id | Should -Be '643985ce-3eaf-4a67-9550-ecca25cb6814'
+ $updatedApp.AppRoles.Value | Should -Be 'Application'
+ }
+ }
+ Context "Scen6: Assign user and groups to the newly created Service Principal and set right AppRole to it"{
+ It "Creating user"{
+ $domain = (Get-EntraBetaTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $user = 'SimpleTestUserss' + $thisTestInstanceId
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:existingUser = New-EntraBetaUser -AccountEnabled $true -DisplayName $user -PasswordProfile $PasswordProfile -MailNickName $user -UserPrincipalName "$user@$domain"
+ }
+ It "Assigning users to the Service Principal and setting the correct AppRole for the Service Principal"{
+ $global:existUser = Get-EntraBetaUser -ObjectId $existingUser.Id
+ Add-EntraBetaServicePrincipalOwner -ObjectId $servicePrincipal.Id -RefObjectId $existUser.Id
+
+ $global:AppRoletoServicePrincipal = New-EntraBetaServiceAppRoleAssignment -ObjectId $servicePrincipal.Id -ResourceId $servicePrincipal.Id -Id $updatedApp.AppRoles.Id -PrincipalId $existUser.ObjectId
+ }
+ It "Verification of assigned group to service principal"{
+ $PrincipalOwners= Get-EntraBetaServicePrincipalOwner -ObjectId $servicePrincipal.Id
+ $PrincipalOwners.Id | Should -Contain $existUser.Id
+
+ $RoleAssignment = Get-EntraBetaServiceAppRoleAssignment -ObjectId $servicePrincipal.Id
+ $RoleAssignment.AppRoleId | Should -Be $AppRoletoServicePrincipal.AppRoleId
+ }
+ }
+ Context "Scen7: Create a new user and add that user to an existing group"{
+ It "Creating the user"{
+ $domain = (Get-EntraBetaTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $user = 'SimpleTestUserss' + $thisTestInstanceId
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:NewUser = New-EntraBetaUser -AccountEnabled $true -DisplayName $user -PasswordProfile $PasswordProfile -MailNickName $user -UserPrincipalName "$user@$domain"
+ }
+ It "Creating a new Group"{
+ $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId
+ $global:ExistingGroup = New-EntraBetaGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true -MailNickName "NickName"
+ }
+ It "Adding the user to an existing group"{
+ $global:ExistGroup = Get-EntraBetaGroup -ObjectId $ExistingGroup.Id
+ Add-EntraBetaGroupMember -ObjectId $ExistGroup.ObjectId -RefObjectId $NewUser.ObjectId
+ }
+ It "Verification of new user's addition to the existing group"{
+ $GetMemb = Get-EntraBetaGroupMember -ObjectId $ExistGroup.ObjectId
+ $GetMemb.Id | Should -Contain $NewUser.Id
+ }
+ }
+ Context "Scen8:Create a new group and add existing user to that group"{
+ It "Creating a new Group"{
+ $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId
+ $global:NewGroup = New-EntraBetaGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true -MailNickName "NickName"
+ }
+ It "Adding existing user to new group"{
+ $ExistUser = Get-EntraBetaUser -ObjectId $existingUser.Id
+ Add-EntraBetaGroupMember -ObjectId $NewGroup.ObjectId -RefObjectId $ExistUser.ObjectId
+ }
+ It "Verification of exixting user's addition to the new group"{
+ $User = Get-EntraBetaUser -ObjectId $existingUser.Id
+ $GetMember = Get-EntraBetaGroupMember -ObjectId $NewGroup.ObjectId
+ $GetMember.Id | Should -Contain $User.Id
+ }
+ }
+ Context "Scen9: Create a new user and create a new group and add that new user to the new group"{
+ It "Creating a new user and group"{
+ $domain = (Get-EntraBetaTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $testUserName = 'SimpleTestUsers' + $thisTestInstanceId
+ # Create new User
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:NewUser1 = New-EntraBetaUser -AccountEnabled $true -DisplayName $testUserName -PasswordProfile $PasswordProfile -MailNickName $testUserName -UserPrincipalName "$testUserName@$domain"
+
+ $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId
+ $global:NewGroup1 = New-EntraBetaGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true -MailNickName "NickName"
+ }
+ It "Adding New User to New group"{
+ Add-EntraBetaGroupMember -ObjectId $NewGroup1.ObjectId -RefObjectId $NewUser1.ObjectId
+ }
+ }
+ Context "Scen10: Create a new user and add the user to the newly created group and check that user is Member of the group"{
+ It "Creating a new user and group"{
+ $domain = (Get-EntraBetaTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $testUserName = 'SimpleTestUsers' + $thisTestInstanceId
+ # Create new User
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:NewUser2 = New-EntraBetaUser -AccountEnabled $true -DisplayName $testUserName -PasswordProfile $PasswordProfile -MailNickName $testUserName -UserPrincipalName "$testUserName@$domain"
+
+ $testGrpName = 'SimpleTestGroup' + $thisTestInstanceId
+ $global:NewGroup2 = New-EntraBetaGroup -DisplayName $testGrpName -MailEnabled $false -SecurityEnabled $true -MailNickName "NickName"
+ }
+ It "Adding New User to New group"{
+ Add-EntraBetaGroupMember -ObjectId $NewGroup2.ObjectId -RefObjectId $NewUser2.ObjectId
+ }
+ It "Verification of User is Member of the group"{
+ $GetMember = Get-EntraBetaUserMembership -ObjectId $NewUser2.Id
+ $GetMember.Id | Should -Contain $NewGroup2.Id
+ }
+ }
+ Context "Scen11: Create a new user and assign that user to the existing Service Principal"{
+ It "Creating a new user and assign that user to the existing Service Principal"{
+ $domain = (Get-EntraBetaTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid
+ $Tuser = 'SimpleTestUsers' + $thisTestInstanceId
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:NewUser3 = New-EntraBetaUser -AccountEnabled $true -DisplayName $Tuser -PasswordProfile $PasswordProfile -MailNickName $Tuser -UserPrincipalName "$Tuser@$domain"
+ Add-EntraBetaServicePrincipalOwner -ObjectId $servicePrincipal.Id -RefObjectId $NewUser3.Id
+ }
+ It "Verfication of assigned User"{
+ $GetOwner = Get-EntraBetaServicePrincipalOwner -ObjectId $servicePrincipal.Id
+ $GetOwner.Id | Should -Contain $NewUser3.Id
+ }
+ }
+ # Context "Scen12: Create a new conditional access policy and attach that policy to the Service Principal"{
+ # It "Creating a new conditional access policy and attach that policy to the Service Principal"{
+ # $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid
+ # $testpolicyName = 'Simplepolicy' + $thisTestInstanceId
+
+ # $Condition = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
+ # $Condition.clientAppTypes = @("mobileAppsAndDesktopClients","browser")
+ # $Condition.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
+ # $Condition.Applications.IncludeApplications = $NewServicePrincipal.AppId
+ # $Condition.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
+ # $Condition.Users.IncludeUsers = "all"
+
+ # $Controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
+ # $Controls._Operator = "AND"
+ # $Controls.BuiltInControls = @("mfa")
+
+ # $SessionControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls
+ # $ApplicationEnforcedRestrictions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationEnforcedRestrictions
+ # $ApplicationEnforcedRestrictions.IsEnabled = $true
+ # $SessionControls.applicationEnforcedRestrictions = $ApplicationEnforcedRestrictions
+
+ # $global:NewConditionalAccessPolicy = New-EntraBetaConditionalAccessPolicy -DisplayName $testpolicyName -State enabled -Conditions $Condition -GrantControls $Controls -SessionControls $SessionControls
+ # }
+ # It "Verification of attached policy"{
+ # $result = Get-EntraBetaConditionalAccessPolicy -policyid $NewConditionalAccessPolicy.Id
+ # $result.Conditions.Applications.IncludeApplications | should -Be $NewServicePrincipal.AppId
+ # }
+ # }
+ Context "Scen13: Create new claims issuance policy and attach that to the Service Principal"{
+ It "Creating policy"{
+ $thisTestInstanceId = New-Guid | Select-Object -expandproperty guid
+ $testpolicyName = 'Simplepolicy' + $thisTestInstanceId
+ $global:NewPolicy = New-EntraBetaPolicy -Definition @('{ "definition": [ "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"userPrincipalName\",\"SAMLClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"JwtClaimType\":\"upn\"},{\"Source\":\"user\",\"ID\":\"displayName\",\"SAMLClaimType\":\"http://schemas.microsoft.com/identity/claims/displayname\",\"JwtClaimType\":\"name\"}]}}" ], "displayName": "Custom Claims Issuance Policy", "isOrganizationDefault": false }') -DisplayName $testpolicyName -Type "claimsMappingPolicies" -IsOrganizationDefault $false
+ }
+ It "Attaching Policy to service principal"{
+ Add-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id -RefObjectId $NewPolicy.Id
+ }
+ It "Verification of added policy to service principal"{
+ $result = Get-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id
+ $result.Id | should -Contain $NewPolicy.Id
+ }
+ }
+ Context "Scene14: Remove the policy attached to the existing Service Principal"{
+ It "Removing the policy attached"{
+ Remove-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id -PolicyId $NewPolicy.Id
+ $retrivePolicy = Get-EntraBetaServicePrincipalPolicy -Id $servicePrincipal.Id
+ $retrivePolicy.Id | should -Not -Contain $NewPolicy.Id
+ }
+ }
+
+ AfterAll {
+ Remove-EntraBetaGroupMember -ObjectId $ExistGroup.ObjectId -MemberId $NewUser.ObjectId
+ Remove-EntraBetaGroupMember -ObjectId $NewGroup.ObjectId -MemberId $ExistUser.ObjectId
+ Remove-EntraBetaGroupMember -ObjectId $NewGroup1.ObjectId -MemberId $NewUser1.ObjectId
+ Remove-EntraBetaGroupMember -ObjectId $NewGroup2.ObjectId -MemberId $NewUser2.ObjectId
+
+ foreach ($app in (Get-EntraBetaApplication -SearchString "SimpleTestApp")) {
+ Remove-EntraBetaApplication -ObjectId $app.Id | Out-Null
+ }
+ foreach ($user in (Get-EntraBetaUser -SearchString "SimpleTestUsers")) {
+ Remove-EntraBetaUser -ObjectId $user.Id | Out-Null
+ }
+ foreach ($group in (Get-EntraBetaGroup -SearchString "SimpleTestGroup")) {
+ Remove-EntraBetaGroup -ObjectId $group.Id | Out-Null
+ }
+ # Remove-EntraBetaConditionalAccessPolicy -PolicyId $NewConditionalAccessPolicy.Id
+ Remove-EntraBetaPolicy -Id $NewPolicy.Id
+ }
+}
diff --git a/test/module/Integration/EntraBeta/Scenario2.Tests.ps1 b/test/module/Integration/EntraBeta/Scenario2.Tests.ps1
new file mode 100644
index 000000000..794904f9b
--- /dev/null
+++ b/test/module/Integration/EntraBeta/Scenario2.Tests.ps1
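Review bot: The AfterAll cleanup deletes by name prefix (`Get-EntraBetaUser -SearchString "SimpleTestUsers"`, and likewise for "SimpleTestApp" and "SimpleTestGroup") rather than by the object ids the tests already captured in `$global:` variables, so it removes every user, application and group in the tenant whose display name starts with those prefixes, including objects of a concurrent run or anything a person happened to name that way; delete by `$NewUser.Id`, `$newApp.Id` and the other captured ids, and keep a prefix sweep, if wanted at all, as an explicit opt-in. The second `Remove-EntraBetaGroupMember` line references `$ExistUser`, which Scen8 assigns without `$global:`, so in AfterAll it is presumably undefined and that call errors; since the groups are deleted a few lines later, the four membership removals can be dropped. Scen7's and Scen8's "Creating a new Group" build `$testGrpName` from a `$thisTestInstanceId` set in a different It block, which under Pester 5 scoping would be empty there, so both groups are presumably created as plain "SimpleTestGroup" with the same "NickName" mail nickname — worth confirming. `$global:Result` from `New-EntraBetaApplicationPasswordCredential` presumably carries the generated secret for the whole run although only `$Result.KeyId` is used, so store just the KeyId. The Entra Scenario1 AfterAll above has the same prefix-based cleanup and `$ExistUser` reference.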
@@ -0,0 +1,94 @@
+# ------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information.
+# ------------------------------------------------------------------------------
+BeforeAll {
+ $testReportPath = join-path $psscriptroot "..\setenv.ps1"
+ . $testReportPath
+ $password = $env:USER_PASSWORD
+}
+Describe "Integration Testing" {
+
+ Context "Scen1: Assign Entra roles including assign roles with different scopes"{
+ It "Get user and role"{
+ $domain = (Get-EntraBetaTenantDetail).VerifiedDomains.Name
+ $thisTestInstanceId = (New-Guid).Guid.ToString()
+ $thisTestInstanceId = $thisTestInstanceId.Substring($thisTestInstanceId.Length - 5)
+ $testUserName = 'SimpleTestUsers' + $thisTestInstanceId
+ # Create new User
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ $global:NewUser = New-EntraBetaUser -AccountEnabled $true -DisplayName $testUserName -PasswordProfile $PasswordProfile -MailNickName $testUserName -UserPrincipalName "$testUserName@$domain"
+
+ $global:role = Get-EntraBetaDirectoryRole | Where-Object {$_.DisplayName -eq "Application Administrator"}
+ }
+ It "Assign Entra roles"{
+ $scope = "/"
+ # Assign the role to the user with the defined scope
+ $params = @{
+ RoleDefinitionId = $role.Id
+ PrincipalId = $NewUser.Id
+ DirectoryScopeId = $scope
+ }
+ $global:newRole=New-EntraBetaDirectoryRoleAssignment @params
+ }
+ It "Verification of assigned role Creation"{
+ $global:assignedRole = Get-EntraBetaDirectoryRoleAssignment -Id $newRole.Id
+ $assignedRole.Id | Should -Be $newRole.Id
+ }
+ }
+ # Context "Create custom roles"{
+ # It "Creating custom roles"{
+ # $RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+ # $RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read")
+ # $params = @{
+ # RolePermissions = $RolePermissions
+ # IsEnabled = $false
+ # DisplayName = 'SimpleTestRoleDefinition'
+ # ResourceScopes = '/'
+ # }
+ # $global:customRole=New-EntraBetaRoleDefinition @params
+ # }
+ # It "Verification of custom role created"{
+ # $global:getRole = Get-EntraBetaRoleDefinition -Filter "DisplayName eq 'SimpleTestRoleDefinition'"
+ # $getRole.Id | Should -Contain $customRole.Id
+ # }
+ # }
+ Context "Add or deactivate custom security attribute definitions in Microsoft Entra ID"{
+ It "Adding custom security attribute definitions"{
+ $thisTestInstanceId = Get-Random -Minimum 10000 -Maximum 100000
+ $testName = 'TestDefinition' + $thisTestInstanceId
+ $AttributeSet = Get-EntraBetaAttributeSet -Id 'Testing'
+ $params = @{
+ Name = $testName
+ Description = 'Target completion'
+ Type = 'String'
+ Status = 'Available'
+ AttributeSet = $AttributeSet.Id
+ IsCollection = $False
+ IsSearchable = $True
+ UsePreDefinedValuesOnly = $True
+ }
+ $global:Definition = New-EntraBetaCustomSecurityAttributeDefinition @params
+ }
+ It "Deactivate custom security attribute definition"{
+ $params = @{
+ Id = $Definition.Id
+ Description = 'Target completion'
+ Status = 'Deprecated'
+ }
+ Set-EntraBetaCustomSecurityAttributeDefinition @params
+ }
+ It "Verification of deactivation of custom security attribute definition"{
+ $global:getDefinition = Get-EntraBetaCustomSecurityAttributeDefinition -Id $Definition.Id
+ $getDefinition.Status | Should -Be 'Deprecated'
+ }
+ }
+ AfterAll {
+ Remove-EntraBetaRoleAssignment -Id $assignedRole.Id
+ foreach ($user in (Get-EntraBetaUser -SearchString "SimpleTestUsers")) {
+ Remove-EntraBetaUser -ObjectId $user.Id | Out-Null
+ }
+ # Remove-EntraBetaRoleDefinition -Id $getRole.Id
+
+ }
+}
diff --git a/test/module/Integration/setenv.ps1 b/test/module/Integration/setenv.ps1
new file mode 100644
index 000000000..ff5d95d26
--- /dev/null
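Review bot: AfterAll calls `Remove-EntraBetaRoleAssignment -Id $assignedRole.Id`, while the assignment is created and read with `New-EntraBetaDirectoryRoleAssignment` / `Get-EntraBetaDirectoryRoleAssignment`; if no Remove cmdlet exists under the non-Directory name in this module, the line errors inside teardown and the tenant-wide "Application Administrator" assignment is never explicitly removed, so please confirm the name (I would expect `Remove-EntraBetaDirectoryRoleAssignment -Id $newRole.Id`). Using `$newRole.Id` there also removes the dependency on the verification It having populated `$global:assignedRole`. The user holding the role is deleted by the following prefix sweep, but `-SearchString "SimpleTestUsers"` is a wider net than the ids this run created and can catch objects belonging to other runs. The custom security attribute definition in the second Context has the same no-cleanup issue raised on the Entra Scenario2 hunk.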
+++ b/test/module/Integration/setenv.ps1
@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License in the project root for license information.
+# ------------------------------------------------------------------------------
+
+$env:USER_PASSWORD = "Pass@1234"
+
+$appId = "45451aa1-24e7-46c8-b9e5-dccb2118f536"
+$tenantId = "0e5ab497-530a-4f6f-bd51-2230c84acad8"
+$cert = "5C76C328BE9A29C0077398FC52BA531EAF8480F2"
+$clientId = "4d3ac7a8-9f8a-405c-9224-72cd737db2ea"
+
+# Connect-Entra -TenantId $tenantId -AppId $appId -CertificateThumbprint $cert
+Connect-Entra -Identity -ClientId $clientId
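Review bot: `$env:USER_PASSWORD = "Pass@1234"` commits a fixed, weak password to the repository, and every test user the suites create with `-AccountEnabled $true` in the real tenant receives it, so for the duration of a run (and indefinitely when cleanup fails) there are enabled accounts with a publicly known password. Read it from the CI secret store instead and fail fast when absent, e.g. `if (-not $env:USER_PASSWORD) { throw 'USER_PASSWORD must be supplied by the CI secret store' }`, or generate a random per-run value in this file. The tenant id, app id, client id and certificate thumbprint are identifiers rather than secrets, but pinning a specific tenant in source means anyone who runs the suites targets that tenant; sourcing them from environment variables as well would leave the file free of environment-specific values. The commented-out `Connect-Entra -TenantId ... -CertificateThumbprint $cert` line documents an alternative credential path that is not in use and is better removed than left as dead configuration.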