Updated rights scripts

This commit is contained in:
Jurjen Ladenius
2024-03-20 17:02:09 +01:00
parent c1f54bf0f8
commit 3300695551
4 changed files with 345 additions and 64 deletions


@@ -10,6 +10,8 @@ class ResourceCheck {
[string] $ResourceName = ""
[string] $ResourceGroupName = ""
[string] $ResourceType = ""
[string] $ManagementGroupId = ""
[string] $ManagementGroupName = ""
[string] $SubscriptionId = ""
[string] $SubscriptionName = ""
[string] $Tag_Team = ""
@@ -29,80 +31,83 @@ Write-Host "====================================================================
Write-Host "Creating resource RBAC assignment overview."
Write-Host "========================================================================================================================================================================"
$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"
[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_rbac_assignments.csv"
$fileName = "2022-08-05 azure_rbac.csv"
$fileExists = Test-Path $fileName
If ($fileExists -eq $True) {
Remove-Item $fileName
}
$managementGroups = Get-AzManagementGroup
foreach ($subscription in $subscriptions)
foreach ($managementGroup in $managementGroups)
{
Set-AzContext -SubscriptionId $subscription.Id
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
[ResourceCheck[]]$Result = @()
$resourceGroups = Get-AzResourceGroup
foreach ($resourceGroup in $resourceGroups) {
[ResourceCheck[]]$Result = @()
try {
$roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resourceGroup.ResourceId
$resourceCheck.Kind = "ResourceGroup"
$resourceCheck.Location = $resourceGroup.Location
$resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName
$resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resourceGroup.Tags.team
$resourceCheck.Tag_Product = $resourceGroup.Tags.product
$resourceCheck.Tag_Environment = $resourceGroup.Tags.environment
$resourceCheck.Tag_Data = $resourceGroup.Tags.data
$resourceCheck.Tag_Delete = $resourceGroup.Tags.delete
$resourceCheck.Tag_Split = $resourceGroup.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$Result += $resourceCheck
}
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
try {
$roleAssignments = Get-AzRoleAssignment -Scope $managementGroup.Id | Where-Object Scope -eq $managementGroup.Id
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = ""
$resourceCheck.Kind = "ManagementGroup"
$resourceCheck.Location = ""
$resourceCheck.ResourceGroupName = ""
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = ""
$resourceCheck.SubscriptionName = ""
$resourceCheck.Tag_Team = ""
$resourceCheck.Tag_Product = ""
$resourceCheck.Tag_Environment = ""
$resourceCheck.Tag_Data = ""
$resourceCheck.Tag_Delete = ""
$resourceCheck.Tag_Split = ""
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$Result += $resourceCheck
}
} catch {
}
$allResources = Get-AzResource
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
foreach ($resource in $allResources) {
$subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
foreach ($subscription in $subscriptions)
{
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
[ResourceCheck[]]$Result = @()
try {
$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId
$roleAssignments = Get-AzRoleAssignment -Scope $scope | Where-Object Scope -eq $scope
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resource.ResourceId
$resourceCheck.Id = $resource.Id
$resourceCheck.Kind = $resource.Kind
$resourceCheck.Location = $resource.Location
$resourceCheck.ResourceName = $resource.ResourceName
$resourceCheck.ResourceGroupName = $resource.ResourceGroupName
$resourceCheck.ResourceType = $resource.ResourceType
$resourceCheck.ResourceId = ""
$resourceCheck.Kind = "Subscription"
$resourceCheck.Location = ""
$resourceCheck.ResourceGroupName = ""
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resource.Tags.team
$resourceCheck.Tag_Product = $resource.Tags.product
$resourceCheck.Tag_Environment = $resource.Tags.environment
$resourceCheck.Tag_Data = $resource.Tags.data
$resourceCheck.Tag_Delete = $resource.Tags.delete
$resourceCheck.Tag_Split = $resource.Tags.split
$resourceCheck.Tag_Team = $subscription.Tags.team
$resourceCheck.Tag_Product = $subscription.Tags.product
$resourceCheck.Tag_Environment = $subscription.Tags.environment
$resourceCheck.Tag_Data = $subscription.Tags.data
$resourceCheck.Tag_Delete = $subscription.Tags.delete
$resourceCheck.Tag_Split = $subscription.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
@@ -114,6 +119,85 @@ foreach ($subscription in $subscriptions)
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$resourceGroups = Get-AzResourceGroup
foreach ($resourceGroup in $resourceGroups) {
[ResourceCheck[]]$Result = @()
try {
$roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId | Where-Object Scope -Like "$($resourceGroup.ResourceId)*"
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resourceGroup.ResourceId
$resourceCheck.Kind = "ResourceGroup"
$resourceCheck.Location = $resourceGroup.Location
$resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resourceGroup.Tags.team
$resourceCheck.Tag_Product = $resourceGroup.Tags.product
$resourceCheck.Tag_Environment = $resourceGroup.Tags.environment
$resourceCheck.Tag_Data = $resourceGroup.Tags.data
$resourceCheck.Tag_Delete = $resourceGroup.Tags.delete
$resourceCheck.Tag_Split = $resourceGroup.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$Result += $resourceCheck
}
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
}
$allResources = Get-AzResource
foreach ($resource in $allResources) {
[ResourceCheck[]]$Result = @()
try {
$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId | Where-Object Scope -eq $resource.ResourceId
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resource.ResourceId
$resourceCheck.Id = $resource.Id
$resourceCheck.Kind = "Resource"
$resourceCheck.Location = $resource.Location
$resourceCheck.ResourceName = $resource.ResourceName
$resourceCheck.ResourceGroupName = $resource.ResourceGroupName
$resourceCheck.ResourceType = $resource.ResourceType
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resource.Tags.team
$resourceCheck.Tag_Product = $resource.Tags.product
$resourceCheck.Tag_Environment = $resource.Tags.environment
$resourceCheck.Tag_Data = $resource.Tags.data
$resourceCheck.Tag_Delete = $resource.Tags.delete
$resourceCheck.Tag_Split = $resource.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$Result += $resourceCheck
}
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
}
}
}
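Review bot: The empty `catch { }` blocks that follow the new management-group, resource-group and resource `Get-AzRoleAssignment` lookups swallow every error, so a scope the caller cannot read simply drops out of the CSV with no trace, which for an RBAC inventory means a silent gap in the access review; at minimum emit the scope and error, e.g. `} catch { Write-Warning "Role assignment lookup failed for $($resourceGroup.ResourceId): $_" }` in each block, and consider recording a failure row so consumers can see that coverage was incomplete. The resource-group filter `Where-Object Scope -Like "$($resourceGroup.ResourceId)*"` differs from the `-eq` used at the other scopes, so an assignment made directly on a resource is exported twice, once as Kind `ResourceGroup` carrying the group's tags and again in the resource loop; `Where-Object Scope -eq $resourceGroup.ResourceId` would make scope attribution consistent across the four blocks. `Set-AzContext -SubscriptionId $subscriptionId | Out-Null` is not checked, so if the context switch fails the following `Get-AzResourceGroup` and `Get-AzResource` calls enumerate the previous subscription while the rows are stamped with the new subscription's identity; running it with `-ErrorAction Stop` inside a try and skipping the subscription on failure avoids misattributed rows. The subscription rows also set `$resourceCheck.SubscriptionId = $subscription.Id` although the `Substring($subscription.Parent.Length, ...)` line shows that value is the management-group-prefixed path, so `$subscriptionId` is presumably the value intended, and whether `$subscription.Name` and `$subscription.Tags` exist on the `Get-AzManagementGroupSubscription` result should be confirmed.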