From 3300695551eda30373fb5985de75f1b68660f5f0 Mon Sep 17 00:00:00 2001 From: Jurjen Ladenius Date: Wed, 20 Mar 2024 17:02:09 +0100 Subject: [PATCH] Updated rights scripts --- Powershell/Lists/Azure/AlertRules.ps1 | 2 - Powershell/Lists/Azure/AzurePIM.ps1 | 201 +++++++++++++++++++++++++ Powershell/Lists/Azure/AzureRBAC.ps1 | 204 ++++++++++++++++++-------- Powershell/Lists/Azure/KeyVaults.ps1 | 2 - 4 files changed, 345 insertions(+), 64 deletions(-) create mode 100644 Powershell/Lists/Azure/AzurePIM.ps1 diff --git a/Powershell/Lists/Azure/AlertRules.ps1 b/Powershell/Lists/Azure/AlertRules.ps1 index 669c48a..020e9e5 100644 --- a/Powershell/Lists/Azure/AlertRules.ps1 +++ b/Powershell/Lists/Azure/AlertRules.ps1 @@ -93,9 +93,7 @@ foreach ($subscription in $subscriptions) foreach ($subscription in $subscriptions) { Set-AzContext -SubscriptionId $subscription.Id - ##Set-AzContext -SubscriptionId "a134faf1-7a89-4f2c-8389-06d00bd5e2a7" - # microsoft.alertsmanagement/smartdetectoralertrules $smartDetectorRules = Get-AzResource -ResourceType "microsoft.alertsmanagement/smartdetectoralertrules" foreach ($smartDetectorRule in $smartDetectorRules) { diff --git a/Powershell/Lists/Azure/AzurePIM.ps1 b/Powershell/Lists/Azure/AzurePIM.ps1 new file mode 100644 index 0000000..bda56e1 --- /dev/null +++ b/Powershell/Lists/Azure/AzurePIM.ps1 
@@ -0,0 +1,201 @@ +#Connect-AzAccount + +class ResourceCheck { + [string] $Level = "" + [string] $ManagementGroupId = "" + [string] $ManagementGroupName = "" + [string] $SubscriptionId = "" + [string] $SubscriptionName = "" + [string] $ResourceId = "" + [string] $ResourceGroup = "" + [string] $ResourceName = "" + [string] $ResourceType = "" + [string] $RoleEligibilityScheduleId = "" + [string] $Scope = "" + [string] $RoleDefinitionId = "" + [string] $RoleDefinitionName = "" + [string] $RoleDefinitionType = "" + [string] $PrincipalId = "" + [string] $PrincipalName = "" + [string] $PrincipalType = "" + [string] $Status = "" + [string] $StartDateTime = "" + [string] $EndDateTime = "" + [string] $CreatedOn = "" +} + +function GetEligibleAssignments { + + param ( + [string] $scope + ) + + $access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token + + $url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&`$filter=atScope()" + + $head = @{ Authorization =" Bearer $access_token" } + $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head + $response | ForEach-Object { + $responseValue = $_.value + if ($responseValue.Length -gt 0) { + return $responseValue | ForEach-Object { + return ($_.properties | Where-Object MemberType -NE "Inherited") + } + } + else { + return "" + } + } +} + +Write-Host "======================================================================================================================================================================" +Write-Host "Creating PIM assignments overview." 
+Write-Host "======================================================================================================================================================================" + +[string] $date = Get-Date -Format "yyyy-MM-dd HHmm" +$fileName = ".\$date azure_pim_assignments.csv" + +$managementGroups = Get-AzManagementGroup + +foreach ($managementGroup in $managementGroups) +{ + Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" + Write-Host "Management group [$($managementGroup.Name)]" + $assignments = GetEligibleAssignments -scope "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)" + + [ResourceCheck[]]$Result = @() + foreach ($assignment in $assignments) { + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() + $resourceCheck.Level = "Management Group" + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId + $resourceCheck.Scope = $assignment.scope + $resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId + $resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName + $resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type + $resourceCheck.PrincipalId = $assignment.principalId + $resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName + $resourceCheck.PrincipalType = $assignment.principalType + $resourceCheck.Status = $assignment.status + $resourceCheck.StartDateTime = $assignment.startDateTime + $resourceCheck.EndDateTime = $assignment.endDateTime + $resourceCheck.CreatedOn = $assignment.createdOn + $Result += $resourceCheck + } + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + + $subscriptions = Get-AzManagementGroupSubscription -Group 
$managementGroup.Name | Where-Object State -eq "Active" + + foreach ($subscription in $subscriptions) + { + Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" + + $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length) + $subscriptionId = $scope.Replace("/subscriptions/", "") + Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]" + Set-AzContext -SubscriptionId $subscriptionId | Out-Null + Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" + + $assignments = GetEligibleAssignments -scope $scope + + [ResourceCheck[]]$Result = @() + foreach ($assignment in $assignments) { + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() + $resourceCheck.Level = "Subscription" + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.SubscriptionId = $subscriptionId + $resourceCheck.SubscriptionName = $subscription.DisplayName + $resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId + $resourceCheck.Scope = $assignment.scope + $resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId + $resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName + $resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type + $resourceCheck.PrincipalId = $assignment.principalId + $resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName + $resourceCheck.PrincipalType = $assignment.principalType + $resourceCheck.Status = $assignment.status + $resourceCheck.StartDateTime = $assignment.startDateTime + $resourceCheck.EndDateTime = $assignment.endDateTime + 
$resourceCheck.CreatedOn = $assignment.createdOn + $Result += $resourceCheck + } + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + + $allResourceGroups = Get-AzResourceGroup + + foreach ($group in $allResourceGroups) { + + Write-Host $group.ResourceGroupName + + $assignments = GetEligibleAssignments -scope $group.ResourceId + + [ResourceCheck[]]$Result = @() + foreach ($assignment in $assignments) { + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() + $resourceCheck.Level = "Resource Group" + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.SubscriptionId = $subscriptionId + $resourceCheck.SubscriptionName = $subscription.DisplayName + $resourceCheck.ResourceGroup = $group.ResourceGroupName + $resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId + $resourceCheck.Scope = $assignment.scope + $resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId + $resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName + $resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type + $resourceCheck.PrincipalId = $assignment.principalId + $resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName + $resourceCheck.PrincipalType = $assignment.principalType + $resourceCheck.Status = $assignment.status + $resourceCheck.StartDateTime = $assignment.startDateTime + $resourceCheck.EndDateTime = $assignment.endDateTime + $resourceCheck.CreatedOn = $assignment.createdOn + $Result += $resourceCheck + } + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + + $allResources = Get-AzResource -ResourceGroupName $group.ResourceGroupName + + foreach ($resource in $allResources) + { + $assignments = GetEligibleAssignments -scope $resource.ResourceId + + [ResourceCheck[]]$Result = @() + foreach ($assignment in $assignments) { + [ResourceCheck] 
$resourceCheck = [ResourceCheck]::new() + $resourceCheck.Level = "Resource" + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.SubscriptionId = $subscriptionId + $resourceCheck.SubscriptionName = $subscription.DisplayName + $resourceCheck.ResourceGroup = $group.ResourceGroupName + $resourceCheck.ResourceId = $resource.ResourceId + $resourceCheck.ResourceName = $resource.Name + $resourceCheck.ResourceType = $resource.ResourceType + $resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId + $resourceCheck.Scope = $assignment.scope + $resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId + $resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName + $resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type + $resourceCheck.PrincipalId = $assignment.principalId + $resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName + $resourceCheck.PrincipalType = $assignment.principalType + $resourceCheck.Status = $assignment.status + $resourceCheck.StartDateTime = $assignment.startDateTime + $resourceCheck.EndDateTime = $assignment.endDateTime + $resourceCheck.CreatedOn = $assignment.createdOn + $Result += $resourceCheck + } + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + + } + } + } +} + +Write-Host "======================================================================================================================================================================" +Write-Host "Done." + diff --git a/Powershell/Lists/Azure/AzureRBAC.ps1 b/Powershell/Lists/Azure/AzureRBAC.ps1 index b318f38..3b51da5 100644 --- a/Powershell/Lists/Azure/AzureRBAC.ps1 +++ b/Powershell/Lists/Azure/AzureRBAC.ps1 
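Review bot: GetEligibleAssignments returns `""` when a scope has no eligible assignments, and `foreach ($assignment in $assignments)` then iterates once over that empty string, so every scope without assignments writes a ResourceCheck row with blank assignment fields into the CSV; dropping the `else` branch (or using `return @()`) makes the loop run zero times instead. The Authorization header is built as `" Bearer $access_token"` with a leading space before `Bearer`, which relies on the service trimming it; `"Bearer $access_token"` is the expected form. The tenant GUID passed to `Get-AzAccessToken -TenantId` ties the script to one tenant in source; `(Get-AzContext).Tenant.Id` or a script parameter would keep that value out of the file. Only `$_.value` of the first response is read, so if the list is paged the entries behind `nextLink` are silently missing from the overview.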
@@ -10,6 +10,8 @@ class ResourceCheck { [string] $ResourceName = "" [string] $ResourceGroupName = "" [string] $ResourceType = "" + [string] $ManagementGroupId = "" + [string] $ManagementGroupName = "" [string] $SubscriptionId = "" [string] $SubscriptionName = "" [string] $Tag_Team = "" 
@@ -29,80 +31,83 @@ Write-Host "==================================================================== Write-Host "Creating resource RBAC assignment overview." Write-Host "========================================================================================================================================================================" -$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled" +[string] $date = Get-Date -Format "yyyy-MM-dd HHmm" +$fileName = ".\$date azure_rbac_assignments.csv" -$fileName = "2022-08-05 azure_rbac.csv" -$fileExists = Test-Path $fileName -If ($fileExists -eq $True) { - Remove-Item $fileName -} +$managementGroups = Get-AzManagementGroup -foreach ($subscription in $subscriptions) +foreach ($managementGroup in $managementGroups) { - Set-AzContext -SubscriptionId $subscription.Id + Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" + Write-Host "Management group [$($managementGroup.Name)]" + + [ResourceCheck[]]$Result = @() - $resourceGroups = Get-AzResourceGroup - - foreach ($resourceGroup in $resourceGroups) { - - [ResourceCheck[]]$Result = @() - - try { - $roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId - - foreach($roleAssignment in $roleAssignments) { - [ResourceCheck] $resourceCheck = [ResourceCheck]::new() - $resourceCheck.ResourceId = $resourceGroup.ResourceId - $resourceCheck.Kind = "ResourceGroup" - $resourceCheck.Location = $resourceGroup.Location - $resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName - $resourceCheck.SubscriptionId = $subscription.Id - $resourceCheck.SubscriptionName = $subscription.Name - $resourceCheck.Tag_Team = $resourceGroup.Tags.team - $resourceCheck.Tag_Product = $resourceGroup.Tags.product - $resourceCheck.Tag_Environment = $resourceGroup.Tags.environment - $resourceCheck.Tag_Data = $resourceGroup.Tags.data - 
$resourceCheck.Tag_Delete = $resourceGroup.Tags.delete - $resourceCheck.Tag_Split = $resourceGroup.Tags.split - $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId - $resourceCheck.RBAC_Scope = $roleAssignment.Scope - $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName - $resourceCheck.RBAC_SignInName = $roleAssignment.SignInName - $resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName - - $Result += $resourceCheck - } - } catch { - } - $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + try { + $roleAssignments = Get-AzRoleAssignment -Scope $managementGroup.Id | Where-Object Scope -eq $managementGroup.Id + + foreach($roleAssignment in $roleAssignments) { + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() + $resourceCheck.ResourceId = "" + $resourceCheck.Kind = "ManagementGroup" + $resourceCheck.Location = "" + $resourceCheck.ResourceGroupName = "" + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.SubscriptionId = "" + $resourceCheck.SubscriptionName = "" + $resourceCheck.Tag_Team = "" + $resourceCheck.Tag_Product = "" + $resourceCheck.Tag_Environment = "" + $resourceCheck.Tag_Data = "" + $resourceCheck.Tag_Delete = "" + $resourceCheck.Tag_Split = "" + $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId + $resourceCheck.RBAC_Scope = $roleAssignment.Scope + $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName + $resourceCheck.RBAC_SignInName = $roleAssignment.SignInName + $resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName + + $Result += $resourceCheck + } + } catch { } - - $allResources = Get-AzResource + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation - foreach ($resource in $allResources) { + + $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active" + + foreach ($subscription 
in $subscriptions) + { + Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" + + $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length) + $subscriptionId = $scope.Replace("/subscriptions/", "") + Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]" + Set-AzContext -SubscriptionId $subscriptionId | Out-Null + Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" [ResourceCheck[]]$Result = @() try { - $roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId - + $roleAssignments = Get-AzRoleAssignment -Scope $scope | Where-Object Scope -eq $scope + foreach($roleAssignment in $roleAssignments) { [ResourceCheck] $resourceCheck = [ResourceCheck]::new() - $resourceCheck.ResourceId = $resource.ResourceId - $resourceCheck.Id = $resource.Id - $resourceCheck.Kind = $resource.Kind - $resourceCheck.Location = $resource.Location - $resourceCheck.ResourceName = $resource.ResourceName - $resourceCheck.ResourceGroupName = $resource.ResourceGroupName - $resourceCheck.ResourceType = $resource.ResourceType + $resourceCheck.ResourceId = "" + $resourceCheck.Kind = "Subscription" + $resourceCheck.Location = "" + $resourceCheck.ResourceGroupName = "" + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName $resourceCheck.SubscriptionId = $subscription.Id $resourceCheck.SubscriptionName = $subscription.Name - $resourceCheck.Tag_Team = $resource.Tags.team - $resourceCheck.Tag_Product = $resource.Tags.product - $resourceCheck.Tag_Environment = $resource.Tags.environment - $resourceCheck.Tag_Data = $resource.Tags.data - $resourceCheck.Tag_Delete = $resource.Tags.delete - 
$resourceCheck.Tag_Split = $resource.Tags.split + $resourceCheck.Tag_Team = $subscription.Tags.team + $resourceCheck.Tag_Product = $subscription.Tags.product + $resourceCheck.Tag_Environment = $subscription.Tags.environment + $resourceCheck.Tag_Data = $subscription.Tags.data + $resourceCheck.Tag_Delete = $subscription.Tags.delete + $resourceCheck.Tag_Split = $subscription.Tags.split $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId $resourceCheck.RBAC_Scope = $roleAssignment.Scope $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName 
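Review bot: In the new subscription loop `$subscriptionId` is extracted from `$subscription.Id` and used for `Set-AzContext`, but the kept lines still write `$resourceCheck.SubscriptionId = $subscription.Id`, so the CSV receives the management-group-relative path rather than the subscription GUID; `$resourceCheck.SubscriptionId = $subscriptionId` would match the value used for the context switch. `$subscription` now comes from `Get-AzManagementGroupSubscription`, and AzurePIM.ps1 in this same commit reads `.DisplayName` from that object, so `$subscription.Name` and `$subscription.Tags.*` may well be empty here — worth confirming against the cmdlet's output. The new `try { … } catch { }` around the management-group `Get-AzRoleAssignment` (and the ones repeated in the resource-group and resource loops of the next hunk) swallows every error, so a scope the caller is not permitted to read produces zero rows and looks identical to a scope with no assignments; at minimum `catch { Write-Warning "Failed to read role assignments at $($managementGroup.Id): $_" }` keeps such gaps visible in a rights report. The enclosing foreach continues past this hunk.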
@@ -114,6 +119,85 @@ foreach ($subscription in $subscriptions) } catch { } $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + + $resourceGroups = Get-AzResourceGroup + + foreach ($resourceGroup in $resourceGroups) { + + [ResourceCheck[]]$Result = @() + + try { + $roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId | Where-Object Scope -Like "$($resourceGroup.ResourceId)*" + + foreach($roleAssignment in $roleAssignments) { + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() + $resourceCheck.ResourceId = $resourceGroup.ResourceId + $resourceCheck.Kind = "ResourceGroup" + $resourceCheck.Location = $resourceGroup.Location + $resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.SubscriptionId = $subscription.Id + $resourceCheck.SubscriptionName = $subscription.Name + $resourceCheck.Tag_Team = $resourceGroup.Tags.team + $resourceCheck.Tag_Product = $resourceGroup.Tags.product + $resourceCheck.Tag_Environment = $resourceGroup.Tags.environment + $resourceCheck.Tag_Data = $resourceGroup.Tags.data + $resourceCheck.Tag_Delete = $resourceGroup.Tags.delete + $resourceCheck.Tag_Split = $resourceGroup.Tags.split + $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId + $resourceCheck.RBAC_Scope = $roleAssignment.Scope + $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName + $resourceCheck.RBAC_SignInName = $roleAssignment.SignInName + $resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName + + $Result += $resourceCheck + } + } catch { + } + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + } + + $allResources = Get-AzResource + + foreach ($resource in $allResources) { + + [ResourceCheck[]]$Result = @() + + try { + $roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId | Where-Object Scope -eq 
$resource.ResourceId + + foreach($roleAssignment in $roleAssignments) { + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() + $resourceCheck.ResourceId = $resource.ResourceId + $resourceCheck.Id = $resource.Id + $resourceCheck.Kind = "Resource" + $resourceCheck.Location = $resource.Location + $resourceCheck.ResourceName = $resource.ResourceName + $resourceCheck.ResourceGroupName = $resource.ResourceGroupName + $resourceCheck.ResourceType = $resource.ResourceType + $resourceCheck.ManagementGroupId = $managementGroup.Id + $resourceCheck.ManagementGroupName = $managementGroup.DisplayName + $resourceCheck.SubscriptionId = $subscription.Id + $resourceCheck.SubscriptionName = $subscription.Name + $resourceCheck.Tag_Team = $resource.Tags.team + $resourceCheck.Tag_Product = $resource.Tags.product + $resourceCheck.Tag_Environment = $resource.Tags.environment + $resourceCheck.Tag_Data = $resource.Tags.data + $resourceCheck.Tag_Delete = $resource.Tags.delete + $resourceCheck.Tag_Split = $resource.Tags.split + $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId + $resourceCheck.RBAC_Scope = $roleAssignment.Scope + $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName + $resourceCheck.RBAC_SignInName = $roleAssignment.SignInName + $resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName + + $Result += $resourceCheck + } + } catch { + } + $Result | Export-Csv -Path $fileName -Append -NoTypeInformation + } } } diff --git a/Powershell/Lists/Azure/KeyVaults.ps1 b/Powershell/Lists/Azure/KeyVaults.ps1 index 604f637..80ac953 100644 --- a/Powershell/Lists/Azure/KeyVaults.ps1 +++ b/Powershell/Lists/Azure/KeyVaults.ps1 
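Review bot: The resource-group loop filters with `Where-Object Scope -Like "$($resourceGroup.ResourceId)*"` while the management-group, subscription and resource loops use `-eq`; the unanchored prefix match also accepts any scope that merely starts with the resource-group id, so a resource group whose name is a prefix of another (e.g. `rg-app` vs `rg-app2`) or any child-scope assignment the cmdlet happens to return would be reported as a resource-group assignment and possibly again in the resource loop. If exact-scope rows are intended, `Where-Object Scope -eq $resourceGroup.ResourceId` matches the other three loops; if child scopes are wanted, anchor the prefix with a trailing slash, `-Like "$($resourceGroup.ResourceId)/*"`, alongside the exact match. The enclosing foreach over subscriptions and management groups starts in the previous hunk.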
@@ -30,8 +30,6 @@ Write-Host "==================================================================== [string] $date = Get-Date -Format "yyyy-MM-dd HHmm" $fileName = ".\$date azure_key_vaults.csv" -# rm $fileName - foreach ($subscription in $subscriptions) { Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"