Updated rights scripts

This commit is contained in:
Jurjen Ladenius
2024-03-20 17:02:09 +01:00
parent c1f54bf0f8
commit 3300695551
4 changed files with 345 additions and 64 deletions


@@ -0,0 +1,201 @@
#Connect-AzAccount
class ResourceCheck {
[string] $Level = ""
[string] $ManagementGroupId = ""
[string] $ManagementGroupName = ""
[string] $SubscriptionId = ""
[string] $SubscriptionName = ""
[string] $ResourceId = ""
[string] $ResourceGroup = ""
[string] $ResourceName = ""
[string] $ResourceType = ""
[string] $RoleEligibilityScheduleId = ""
[string] $Scope = ""
[string] $RoleDefinitionId = ""
[string] $RoleDefinitionName = ""
[string] $RoleDefinitionType = ""
[string] $PrincipalId = ""
[string] $PrincipalName = ""
[string] $PrincipalType = ""
[string] $Status = ""
[string] $StartDateTime = ""
[string] $EndDateTime = ""
[string] $CreatedOn = ""
}
function GetEligibleAssignments {
param (
[string] $scope
)
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&`$filter=atScope()"
$head = @{ Authorization =" Bearer $access_token" }
$response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
$response | ForEach-Object {
$responseValue = $_.value
if ($responseValue.Length -gt 0) {
return $responseValue | ForEach-Object {
return ($_.properties | Where-Object MemberType -NE "Inherited")
}
}
else {
return ""
}
}
}
Write-Host "======================================================================================================================================================================"
Write-Host "Creating PIM assignments overview."
Write-Host "======================================================================================================================================================================"
[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_pim_assignments.csv"
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups)
{
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
$assignments = GetEligibleAssignments -scope "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Management Group"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
foreach ($subscription in $subscriptions)
{
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
$assignments = GetEligibleAssignments -scope $scope
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Subscription"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$allResourceGroups = Get-AzResourceGroup
foreach ($group in $allResourceGroups) {
Write-Host $group.ResourceGroupName
$assignments = GetEligibleAssignments -scope $group.ResourceId
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Resource Group"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.ResourceGroup = $group.ResourceGroupName
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$allResources = Get-AzResource -ResourceGroupName $group.ResourceGroupName
foreach ($resource in $allResources)
{
$assignments = GetEligibleAssignments -scope $resource.ResourceId
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Resource"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.ResourceGroup = $group.ResourceGroupName
$resourceCheck.ResourceId = $resource.ResourceId
$resourceCheck.ResourceName = $resource.Name
$resourceCheck.ResourceType = $resource.ResourceType
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
}
}
}
}
Write-Host "======================================================================================================================================================================"
Write-Host "Done."
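Review bot: `GetEligibleAssignments` reads only `$_.value` of the first response and never follows `nextLink`, so at any scope where the list spans more than one page the remaining eligible assignments are silently missing from an audit report that is supposed to be complete. Separately, the empty-case `return ""` hands callers a scalar empty string, and `foreach ($assignment in $assignments)` appears to iterate once over it, so every scope with no eligible assignments writes a row with blank role and principal fields to the CSV; returning nothing (`return @()`) avoids that, and the same happens when `Invoke-RestMethod` fails non-terminatingly on a rejected scope, which for an audit artifact should instead surface as an error. The leading space in `" Bearer $access_token"` only works because header values are trimmed; `"Bearer $access_token"` is the intended form. A rewrite that pages through results and fails loudly on a rejected request follows; the four near-identical mapping loops in the script body could also share one helper, but that is outside this note.
```powershell
function GetEligibleAssignments {
    param (
        [string] $scope
    )
    $access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
    $url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&`$filter=atScope()"
    $head = @{ Authorization = "Bearer $access_token" }
    $properties = @()
    # Follow nextLink so result sets larger than one page are not silently truncated;
    # -ErrorAction Stop makes a rejected scope abort instead of yielding a blank row.
    while ($url) {
        $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head -ErrorAction Stop
        if ($response.value) {
            $properties += $response.value | ForEach-Object { $_.properties } | Where-Object MemberType -NE "Inherited"
        }
        $url = $response.nextLink
    }
    # An empty array unrolls to no output, so callers' foreach runs zero times.
    return $properties
}
```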