ssc-spc-ccoe-cei · singhgss · Nov 29, 2023 · Nov 8, 2023 · Nov 8, 2023 · Nov 8, 2023
@@ -59,8 +59,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if
     properties: {
       contentLink: {
         uri: '${ModuleBaseURL}/Check-BreakGlassAccountOwnersInformation.zip'
-        version: '1.0.0'
-
+        version: '1.0.0'        
       }
     }
   }

@@ -5,7 +5,7 @@ function Get-GSAAutomationVariable {
 
     Write-Verbose "Getting automation variable '$name'"
     # when running in an Azure Automation Account
-    If ($ENV:AZUREPS_HOST_ENVIRONMENT -eq 'AzureAutomation/') {
+    If ($ENV:AZUREPS_HOST_ENVIRONMENT -eq 'AzureAutomation/' -or $PSPrivateMetadata.JobId) {
         $value = Get-AutomationVariable -Name $name
         return $value
     }
@@ -44,6 +44,15 @@ try {
 catch {
     throw "Critical: Failed to connect to Azure with the 'Connect-AzAccount' command and '-identity' (MSI) parameter; verify that Azure Automation identity is configured. Error message: $_"
 }
+
+try {
+    $RuntimeConfig = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop | ConvertFrom-Json | Select-Object -Expand runtime
+    Set-AzContext -SubscriptionId $RuntimeConfig.subscriptionId
+}
+catch {
+    throw "Failed to retrieve config json with secret name gsaConfigExportLatest from KeyVault '$KeyVaultName'. Error message: $_"
+}
+
 $SubID = (Get-AzContext).Subscription.Id
 $tenantID = (Get-AzContext).Tenant.Id
 try {

@@ -10,7 +10,7 @@ function Get-GSAAutomationVariable {
 
     Write-Debug "Getting automation variable '$name'"
     # when running in an Azure Automation Account
-    If ($ENV:AZUREPS_HOST_ENVIRONMENT -eq 'AzureAutomation/') {
+    If ($ENV:AZUREPS_HOST_ENVIRONMENT -eq 'AzureAutomation/' -or $PSPrivateMetadata.JobId ) {
         $value = Get-AutomationVariable -Name $name
         return $value
     }

@@ -339,7 +339,7 @@ Function Confirm-GSAConfigurationParameters {
         # running in Cloud Shell, finding delegated user ID
         $userId = (Get-AzAdUser -SignedIn).Id
     }
-    ElseIf ($context.Account.Type -eq 'ServicePrincipal') {
+    ElseIf ($context.Account.Type -eq 'ServicePrincipal' -or $context.Account.Type -eq 'ClientAssertion') { # Federated Identity
         $sp = Get-AzADServicePrincipal -ApplicationId $context.Account.Id
         $userId = $sp.Id
     }

@@ -182,7 +182,7 @@ Function Confirm-GSAPrerequisites {
             $uri = 'https://management.azure.com/providers/Microsoft.Management/managementGroups/{0}/providers/Microsoft.Authorization/roleAssignments/{1}?&api-version=2015-07-01' -f $lighthouseTargetManagementGroupID, '2cb8e1b1-fcf1-439e-bab7-b1b8b008c294'
             $roleAssignments = Invoke-AzRestMethod -Uri $uri -Method GET | Select-Object -Expand Content | ConvertFrom-Json
             If ($roleAssignments.id) {
-                Write-Verbose "role assignment: $(($roleAssignments).id)"
+                Write-Verbose "role assignment: '$roleAssignments.id'"
                 Write-Error "A role assignment exists with the name '2cb8e1b1-fcf1-439e-bab7-b1b8b008c294' at the Management group '$lighthouseTargetManagementGroupID'. This was likely
                 created by a previous Guardrails deployment and must be removed. Navigate to the Managment Group in the Portal and delete the Owner role assignment listed as 'Identity Not Found'"
                 Exit

@@ -64,7 +64,7 @@ Function Remove-GSACentralizedDefenderCustomerComponents {
         Read-Host
     }
 
-$lighthouseTargetManagementGroupID = 'mb_co'
+#$lighthouseTargetManagementGroupID = 'mb_co'
 If ($lighthouseTargetManagementGroupID -eq (Get-AzContext).Tenant.Id) {
     $assignmentScopeMgmtmGroupId = '/'
 }