#requires -modules "Microsoft.PowerApps.Administration.PowerShell"
function Get-AuthorizationHeader
{
    <#
    .SYNOPSIS
    Builds the HTTP headers used by the Dataverse Web API calls in this script.
    .DESCRIPTION
    Obtains a bearer token for the environment via Get-JwtToken (supplied by the
    Microsoft.PowerApps.Administration.PowerShell module) and returns it together
    with a JSON content type, ready to pass to Invoke-RestMethod -Headers.
    The returned hashtable holds a live access token; keep it out of
    Write-Verbose / transcript output.
    .PARAMETER EnvironmentUrl
    Environment URL, passed to Get-JwtToken as the token audience.
    .OUTPUTS
    [hashtable] with Authorization and Content-Type keys.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $EnvironmentUrl
    )

    $token = Get-JwtToken -Audience $EnvironmentUrl

    return @{
        "Authorization" = "Bearer $token"
        "Content-Type"  = "application/json"
    }
}
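function Get-PowerPlatformManangedIdentity
{
    <#
    .SYNOPSIS
    Lists managed identity records in a Dataverse environment.
    .DESCRIPTION
    Queries the managedidentities entity through the Web API. With only
    -EnvironmentUrl every record is returned; -ManagedIdentityId or -ApplicationId
    narrows the result with an OData $filter. Both filter values are typed [Guid],
    so only a well-formed GUID can ever be embedded in the query string.
    .PARAMETER EnvironmentUrl
    Dataverse environment URL, e.g. https://<org>.crm.dynamics.com, without a trailing slash.
    .PARAMETER ManagedIdentityId
    Return only the record whose managedidentityid equals this value.
    .PARAMETER ApplicationId
    Return only the record whose applicationid equals this value.
    .OUTPUTS
    Selected properties of each matching record, newest first.
    #>
    # DefaultParameterSetName lets a call that supplies only -EnvironmentUrl
    # resolve to the "All" set instead of failing as an ambiguous parameter set.
    [CmdletBinding(DefaultParameterSetName="All")]
    param
    (
        [Parameter(Mandatory=$true,ParameterSetName="All")]
        [Parameter(Mandatory=$true,ParameterSetName="ManagedIdentity")]
        [Parameter(Mandatory=$true,ParameterSetName="ApplicationId")]
        [string]
        $EnvironmentUrl,

        [Parameter(Mandatory=$true,ParameterSetName="ManagedIdentity")]
        [Guid]
        $ManagedIdentityId,

        [Parameter(Mandatory=$true,ParameterSetName="ApplicationId")]
        [Guid]
        $ApplicationId
    )

    # Stop here if no token could be obtained rather than sending an
    # unauthenticated request (same handling as the other functions in this file).
    $headers = Get-AuthorizationHeader -EnvironmentUrl $EnvironmentUrl -ErrorAction Stop

    $uri = switch ($PSCmdlet.ParameterSetName)
    {
        "ManagedIdentity" { "$EnvironmentUrl/api/data/v9.0/managedidentities?`$filter=managedidentityid eq '$ManagedIdentityId'" }
        "ApplicationId"   { "$EnvironmentUrl/api/data/v9.0/managedidentities?`$filter=applicationid eq '$ApplicationId'" }
        default           { "$EnvironmentUrl/api/data/v9.0/managedidentities" }
    }

    $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers -ErrorAction Stop

    $response.value |
        Sort-Object -Property createdon -Descending |
        Select-Object managedidentityid, applicationid, subjectscope, version, credentialsource, createdon, modifiedon
}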
function Remove-PowerPlatformManangedIdentity
{
    <#
    .SYNOPSIS
    Deletes the managed identity record with the given id, if one exists.
    .DESCRIPTION
    Looks the record up first via Get-PowerPlatformManangedIdentity and only
    issues the DELETE when it is present; otherwise a verbose message is written
    and nothing is sent. Whatever the DELETE call returns is passed through to
    the pipeline.
    .PARAMETER EnvironmentUrl
    Dataverse environment URL.
    .PARAMETER ManagedIdentityId
    managedidentityid of the record to delete.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $EnvironmentUrl,

        [Parameter(Mandatory=$true)]
        [Guid]
        $ManagedIdentityId
    )

    $headers  = Get-AuthorizationHeader -EnvironmentUrl $EnvironmentUrl
    $existing = Get-PowerPlatformManangedIdentity -EnvironmentUrl $EnvironmentUrl -ManagedIdentityId $ManagedIdentityId

    if( -not $existing )
    {
        Write-Verbose "A Power Platform managed identity record with Id '$ManagedIdentityId' was not found in environment '$EnvironmentUrl'"
        return
    }

    # The id is a [Guid], so the URL segment can only ever contain a GUID.
    Write-Verbose "Removing Power Platform managed identity record with Id '$ManagedIdentityId' in environment '$EnvironmentUrl'"
    Invoke-RestMethod -Method DELETE -Uri "$EnvironmentUrl/api/data/v9.0/managedidentities($ManagedIdentityId)" -Headers $headers
}
function New-PowerPlatformManangedIdentity
{
    <#
    .SYNOPSIS
    Creates a managed identity record in a Dataverse environment.
    .DESCRIPTION
    Any existing record with the same managedidentityid is removed first
    (Remove-PowerPlatformManangedIdentity), then a new record is POSTed. The
    request body is assembled with -f from [Guid]-typed parameters only, so
    no caller-controlled text can alter the JSON structure. The credentialsource,
    subjectscope and version values are fixed constants taken as-is from the
    original script.
    .PARAMETER EnvironmentUrl
    Dataverse environment URL.
    .PARAMETER ApplicationId
    Application (client) id of the Entra app registration.
    .PARAMETER ManagedIdentityId
    Id to assign to the new managed identity record.
    .PARAMETER TenantId
    Entra tenant id.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $EnvironmentUrl,

        [Parameter(Mandatory=$true)]
        [Guid]
        $ApplicationId,

        [Parameter(Mandatory=$true)]
        [Guid]
        $ManagedIdentityId,

        [Parameter(Mandatory=$true)]
        [Guid]
        $TenantId
    )

    $headers = Get-AuthorizationHeader -EnvironmentUrl $EnvironmentUrl -ErrorAction Stop

    # Recreate rather than update: drop a pre-existing record with this id first.
    Remove-PowerPlatformManangedIdentity -EnvironmentUrl $EnvironmentUrl -ManagedIdentityId $ManagedIdentityId -ErrorAction Stop

    # Doubled braces are literal braces for the -f operator.
    $body = '
{{
"applicationid" : "{0}",
"managedidentityid" : "{1}",
"credentialsource" : 2,
"subjectscope" : 1,
"tenantid" : "{2}",
"version" : 1
}}' -f $ApplicationId, $ManagedIdentityId, $TenantId

    $request = @{
        Method      = 'POST'
        Uri         = "$EnvironmentUrl/api/data/v9.0/managedidentities"
        Headers     = $headers
        Body        = $body
        ErrorAction = 'Stop'
    }
    Invoke-RestMethod @request
}
function Set-PowerPlatformPlugInAssemblyManagedIdentity
{
    <#
    .SYNOPSIS
    Binds a plug-in assembly to a managed identity record.
    .DESCRIPTION
    PATCHes the pluginassemblies record, setting its managedidentityid
    navigation property via an @odata.bind reference. Both ids are [Guid]
    parameters, so the URL and body can only contain well-formed GUIDs.
    .PARAMETER EnvironmentUrl
    Dataverse environment URL.
    .PARAMETER AssemblyId
    pluginassemblyid of the assembly to update.
    .PARAMETER ManagedIdentityId
    managedidentityid of the record to bind.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $EnvironmentUrl,

        [Parameter(Mandatory=$true)]
        [Guid]
        $AssemblyId,

        [Parameter(Mandatory=$true)]
        [Guid]
        $ManagedIdentityId
    )

    $headers = Get-AuthorizationHeader -EnvironmentUrl $EnvironmentUrl -ErrorAction Stop

    # Doubled braces are literal braces for the -f operator.
    $body = '{{ "managedidentityid@odata.bind": "/managedidentities({0})" }}' -f $ManagedIdentityId

    $request = @{
        Method      = 'PATCH'
        Uri         = "$EnvironmentUrl/api/data/v9.0/pluginassemblies($AssemblyId)"
        Headers     = $headers
        Body        = $body
        ErrorAction = 'Stop'
    }
    Invoke-RestMethod @request
}
function Get-PowerPlatformPlugInAssembly
{
    <#
    .SYNOPSIS
    Lists plug-in assemblies in a Dataverse environment with their bound managed identity.
    .DESCRIPTION
    Reads name, createdon, pluginassemblyid and _managedidentityid_value from the
    pluginassemblies entity and returns them newest first.
    .PARAMETER EnvironmentUrl
    Dataverse environment URL.
    .OUTPUTS
    One object per assembly with the four selected properties.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $EnvironmentUrl
    )

    $headers = Get-AuthorizationHeader -EnvironmentUrl $EnvironmentUrl -ErrorAction Stop

    $request = @{
        Method      = 'GET'
        Uri         = "$EnvironmentUrl/api/data/v9.0/pluginassemblies?`$select=name,createdon,pluginassemblyid,_managedidentityid_value"
        Headers     = $headers
        ErrorAction = 'Stop'
    }
    $response = Invoke-RestMethod @request

    $response.value |
        Sort-Object -Property createdOn -Descending |
        Select-Object name, createdon, pluginassemblyid, _managedidentityid_value
}
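function New-EntraIdFederatedCredential
{
    <#
    .SYNOPSIS
    Computes the issuer and subject identifier for the Entra ID federated
    credential that trusts a Dataverse plug-in managed identity.
    .DESCRIPTION
    Nothing is sent to Entra ID; the returned object is meant to be copied into
    the app registration's federated credential. The subject identifier is
    /eid1/c/pub/t/<tenant>/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/<environment id>/h/<hash>
    where <tenant> is the unpadded Base64URL encoding of the 16 bytes returned by
    Guid.ToByteArray() and <hash> is the SHA-256 of the certificate file as
    upper-case hex (always 64 characters).
    .PARAMETER EnvironmentId
    Power Platform environment id, inserted verbatim into the subject identifier.
    .PARAMETER TenantId
    Entra tenant id.
    .PARAMETER CertificatePath
    Path to the certificate file whose bytes are hashed. Relative paths are
    resolved against the current PowerShell location.
    .OUTPUTS
    [PSCustomObject] with Issuer and SubjectIdentifier properties.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $EnvironmentId,

        [Parameter(Mandatory=$true)]
        [Guid]
        $TenantId,

        [Parameter(Mandatory=$true)]
        [string]
        $CertificatePath
    )

    # Base64URL: standard Base64 with '+'/'/' replaced by '-'/'_' and '=' padding removed.
    # This value was previously computed but never used (the format string read an
    # undefined variable), which produced an empty tenant segment.
    $base64          = [Convert]::ToBase64String($TenantId.ToByteArray())
    $encodedTenantId = $base64.TrimEnd('=') -replace '\+', '-' -replace '/', '_'

    # Resolve through the provider so a relative path follows $PWD rather than the
    # .NET process working directory; works the same on Windows PowerShell and PowerShell 7.
    $resolvedPath = (Resolve-Path -LiteralPath $CertificatePath -ErrorAction Stop).ProviderPath
    $bytes        = [System.IO.File]::ReadAllBytes($resolvedPath)

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try
    {
        $hashBytes = $sha256.ComputeHash($bytes)
    }
    finally
    {
        $sha256.Dispose()
    }

    # "X2" keeps the leading zero of bytes below 0x10; plain "X" silently drops it
    # and yields a hash shorter than 64 characters.
    $certificateSHA256Hash = ($hashBytes | ForEach-Object -Process { $_.ToString("X2") }) -join ""

    [PSCustomObject]@{
        Issuer            = "https://login.microsoftonline.com/$TenantId/v2.0"
        SubjectIdentifier = "/eid1/c/pub/t/{0}/a/qzXoWDkuqUa3l6zM5mM0Rw/n/plugin/e/{1}/h/{2}" -f $encodedTenantId, $EnvironmentId, $certificateSHA256Hash
    }
}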
# ---- Values to fill in before running -------------------------------------
$applicationId   = "<APPLICATION/CLIENT ID>"
$assemblyId      = "<ASSEMBLY ID FROM PRT>"
$environmentUrl  = "https://<ORG>.crm.dynamics.com"
$environmentId   = "<POWER PLAFORM ENV ID>"
$certificatePath = ".\plugin-signing.cer"
$tenantId        = "<ENTRA TENATNT ID>"

# Step 1: create (recreating if present) the managed identity record.
# This script reuses the application id as the managed identity record id.
$identityParams = @{
    EnvironmentUrl    = $environmentUrl
    ApplicationId     = $applicationId
    ManagedIdentityId = $applicationId
    TenantId          = $tenantId
    ErrorAction       = 'Stop'
}
New-PowerPlatformManangedIdentity @identityParams

# Step 2: bind the plug-in assembly to that record.
$bindParams = @{
    EnvironmentUrl    = $environmentUrl
    AssemblyId        = $assemblyId
    ManagedIdentityId = $applicationId
    ErrorAction       = 'Stop'
}
Set-PowerPlatformPlugInAssemblyManagedIdentity @bindParams

# Step 3: print the issuer/subject pair to enter as the app registration's
# federated credential (nothing is written to Entra ID here).
$credentialParams = @{
    EnvironmentId   = $environmentId
    TenantId        = $tenantId
    CertificatePath = $certificatePath
    ErrorAction     = 'Stop'
}
New-EntraIdFederatedCredential @credentialParams | Format-List -Property *