From 7abf50a6c0d824b2c5760aeb51c0c425c3f31766 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?=
Date: Tue, 2 Jul 2024 19:31:55 +0200
Subject: [PATCH 1/2] fix removing Azure Resource assignment with a future StartDateTime
---
 ...Get-PIMAzureResourceEligibleAssignment.ps1 | 14 ++++-
 ...ove-PIMAzureResourceEligibleAssignment.ps1 | 62 ++++++++++++-------
 EasyPIM/internal/functions/Invoke-ARM.ps1 | 2 +-
 3 files changed, 51 insertions(+), 27 deletions(-)
diff --git a/EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1 b/EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1
index 9cb9fac..980c0be 100644
--- a/EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1
+++ b/EasyPIM/functions/Get-PIMAzureResourceEligibleAssignment.ps1
@@ -40,6 +40,9 @@ function Get-PIMAzureResourceEligibleAssignment {
 [String]
 $scope,
 [switch]
+ # when enable we will use the roleEligibilitySchedules API which also list the future assignments
+ $includeFutureAssignments,
+ [switch]
 # select the most usefull info only
 $summary,
 [switch]
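Review bot: The comment added above the new `$includeFutureAssignments` switch has grammar slips (`when enable`, `also list`) and reads as an implementation note rather than parameter documentation; suggest `# When set, query the roleEligibilitySchedules API, which also returns eligible assignments with a future start date`. If the function carries comment-based help with `.PARAMETER` entries (that block is outside this hunk), a matching `.PARAMETER includeFutureAssignments` entry is needed so `Get-Help` documents the switch. The `param` block continues on both sides of the hunk.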
@@ -53,8 +56,15 @@ function Get-PIMAzureResourceEligibleAssignment {
 }
 # issue #23: due to a bug with the API regarding the membertype, we will use RoleEligibilitySchedulesInstance instead of RoleEligibilitySchedule
 # the downside is we will not get assignment with a future start date
- #$restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01"
- $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"
+ if ($PSBoundParameters.Keys.Contains('includeFutureAssignments')) {
+ $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01"
+ }
+ else {
+ $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"
+ }
+ + + $script:tenantID = $tenantID
diff --git a/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1 b/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1
index dffb126..df29955 100644
--- a/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1
+++ b/EasyPIM/functions/Remove-PIMAzureResourceEligibleAssignment.ps1
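Review bot: `$PSBoundParameters.Keys.Contains('includeFutureAssignments')` tests whether the switch was named at the call site rather than its value, so a caller passing `-includeFutureAssignments:$false` still gets the `roleEligibilitySchedules` URI; for a `[switch]` the value itself is the right test, `if ($includeFutureAssignments) {`. The two `# issue #23` comments left above the branch now describe only the `else` path, so either move them into that block or reword to `# issue #23: default to RoleEligibilityScheduleInstances (membertype bug); future-dated assignments are returned only with -includeFutureAssignments`. The function body continues past the end of the hunk.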
@@ -75,32 +75,43 @@ function Remove-PIMAzureResourceEligibleAssignment {
 $ARMhost = "https://management.azure.com"
 $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
- #1 get role id
- $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
- $response = Invoke-ARM -restURI $restUri -method "get" -body $null
- $roleID = $response.value.id
- write-verbose "Getting role ID for $rolename at $restURI"
- write-verbose "role ID = $roleid"
+ #1 check if there is a request for future assignment, in that case we need to cancel the request
+ write-verbose "Checking if there is a future assignment for $principalID and $rolename at $scope"
+ $response = get-pimazureResourceEligibleAssignment -tenantID $tenantID -scope $scope -includeFutureAssignments | Where-Object { $_.principalID -eq "$principalID" -and $_.rolename -eq "$rolename" }
+ if ( !($null -eq $response) ) {
+ Write-Verbose "Found a future assignment, we need to cancel it"
+ $restURI = "$ARMendpoint/roleEligibilityScheduleRequests/$( $response.id.Split('/')[-1] )/cancel?api-version=2020-10-01"
+ $response = invoke-arm -restURI $restURI -method POST -body $null
+ Write-Host "SUCCESS : Future assignment canceled!"
+ return $response
+ }
+ else {
+ #1 get role id
+ $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
+ $response = Invoke-ARM -restURI $restUri -method "get" -body $null
+ $roleID = $response.value.id
+ write-verbose "Getting role ID for $rolename at $restURI"
+ write-verbose "role ID = $roleid"
- if ($PSBoundParameters.Keys.Contains('startDateTime')) {
- $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
- }
- else {
- $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
- }
- write-verbose "Calculated date time start is $startDateTime"
+ if ($PSBoundParameters.Keys.Contains('startDateTime')) {
+ $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
+ }
+ else {
+ $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
+ }
+ write-verbose "Calculated date time start is $startDateTime"
- if (!($PSBoundParameters.Keys.Contains('justification'))) {
- $justification = "Removed from EasyPIM module by $($(get-azcontext).account)"
- }
+ if (!($PSBoundParameters.Keys.Contains('justification'))) {
+ $justification = "Removed from EasyPIM module by $($(get-azcontext).account)"
+ }
- $type = "null"
+ $type = "null"
- $body = '
+ $body = '
 {
 "properties": {
 "principalId": "'+ $principalID + '",
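Review bot: The `Where-Object` on the new `get-pimazureResourceEligibleAssignment -includeFutureAssignments` call filters on `principalID` and `rolename` only; nothing checks that the match is a not-yet-started schedule, so as far as this hunk shows an already active eligible assignment for the same principal and role would also take the cancel branch and be POSTed to `roleEligibilityScheduleRequests/<id>/cancel` instead of going through the removal request in the `else` block. Adding a start-date or status condition to the filter before treating the hit as a pending request would keep the two paths apart; which property to test depends on what the Get function emits, which is not visible here. `$response.id.Split('/')[-1]` also assumes exactly one match — with several hits `.id` is an array and `Split` fails — so a `Select-Object -First 1` or an explicit error on multiple matches is worth adding. The `try` enclosing this code opens before the hunk.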
@@ -117,13 +128,16 @@ function Remove-PIMAzureResourceEligibleAssignment {
 }
 }
 '
- $guid = New-Guid
- $restURI = "$armendpoint/roleEligibilityScheduleRequests/$($guid)?api-version=2020-10-01"
- write-verbose "sending PUT request at $restUri with body :`n $body"
+ $guid = New-Guid
+ $restURI = "$armendpoint/roleEligibilityScheduleRequests/$($guid)?api-version=2020-10-01"
+ write-verbose "sending PUT request at $restUri with body :`n $body"
- $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
- Write-Host "SUCCESS : Assignment removed!"
- return $response
+ $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
+ Write-Host "SUCCESS : Assignment removed!"
+ return $response
+ }
+
+
 } catch { MyCatch $_ }
 }
diff --git a/EasyPIM/internal/functions/Invoke-ARM.ps1 b/EasyPIM/internal/functions/Invoke-ARM.ps1
index 274bd56..90ef37a 100644
--- a/EasyPIM/internal/functions/Invoke-ARM.ps1
+++ b/EasyPIM/internal/functions/Invoke-ARM.ps1
@@ -42,7 +42,7 @@ function Invoke-ARM {
 $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"#>
 write-verbose "`n>> request body: $body"
- write-verbose "request URI : $restURI"
+ write-verbose "requested URI : $restURI ; method : $method"
 if ( $null -eq (get-azcontext) -or ( (get-azcontext).Tenant.Id -ne $script:tenantID ) ) {
From 8b06c56201dcc8f54b013346784c73f413aca76d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20MICHEL?=
Date: Tue, 2 Jul 2024 19:32:51 +0200
Subject: [PATCH 2/2] V1.6.5
---
 EasyPIM/EasyPIM.psd1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/EasyPIM/EasyPIM.psd1 b/EasyPIM/EasyPIM.psd1
index d562f16..c76d1c4 100644
--- a/EasyPIM/EasyPIM.psd1
+++ b/EasyPIM/EasyPIM.psd1
@@ -4,7 +4,7 @@ RootModule = 'EasyPIM.psm1'
 # Version number of this module.
-ModuleVersion = '1.6.4'
+ModuleVersion = '1.6.5'
 # Supported PSEditions
 # CompatiblePSEditions = @()