jurjen.ladenius/Cloud-20Engineering
1
0
Fork 0
mirror of https://dev.azure.com/effectory/Survey%20Software/_git/Cloud%20Engineering synced 2026-02-27 18:52:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updated rights scripts

Browse Source
This commit is contained in:
Jurjen Ladenius
2024-03-20 17:02:09 +01:00
parent c1f54bf0f8
commit 3300695551
4 changed files with 345 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Powershell/Lists/Azure/AlertRules.ps1
View File

@@ -93,9 +93,7 @@ foreach ($subscription in $subscriptions)
foreach ($subscription in $subscriptions) foreach ($subscription in $subscriptions)
{ {
Set-AzContext -SubscriptionId $subscription.Id Set-AzContext -SubscriptionId $subscription.Id
##Set-AzContext -SubscriptionId "a134faf1-7a89-4f2c-8389-06d00bd5e2a7"
# microsoft.alertsmanagement/smartdetectoralertrules
$smartDetectorRules = Get-AzResource -ResourceType "microsoft.alertsmanagement/smartdetectoralertrules" $smartDetectorRules = Get-AzResource -ResourceType "microsoft.alertsmanagement/smartdetectoralertrules"
foreach ($smartDetectorRule in $smartDetectorRules) foreach ($smartDetectorRule in $smartDetectorRules)
{ {

201
Powershell/Lists/Azure/AzurePIM.ps1 Normal file
View File

@@ -0,0 +1,201 @@
#Connect-AzAccount
class ResourceCheck {
[string] $Level = ""
[string] $ManagementGroupId = ""
[string] $ManagementGroupName = ""
[string] $SubscriptionId = ""
[string] $SubscriptionName = ""
[string] $ResourceId = ""
[string] $ResourceGroup = ""
[string] $ResourceName = ""
[string] $ResourceType = ""
[string] $RoleEligibilityScheduleId = ""
[string] $Scope = ""
[string] $RoleDefinitionId = ""
[string] $RoleDefinitionName = ""
[string] $RoleDefinitionType = ""
[string] $PrincipalId = ""
[string] $PrincipalName = ""
[string] $PrincipalType = ""
[string] $Status = ""
[string] $StartDateTime = ""
[string] $EndDateTime = ""
[string] $CreatedOn = ""
}
function GetEligibleAssignments {
param (
[string] $scope
)
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&`$filter=atScope()"
$head = @{ Authorization =" Bearer $access_token" }
$response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
$response | ForEach-Object {
$responseValue = $_.value
if ($responseValue.Length -gt 0) {
return $responseValue | ForEach-Object {
return ($_.properties | Where-Object MemberType -NE "Inherited")
}
}
else {
return ""
}
}
}
Write-Host "======================================================================================================================================================================"
Write-Host "Creating PIM assignments overview."
Write-Host "======================================================================================================================================================================"
[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_pim_assignments.csv"
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups)
{
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
$assignments = GetEligibleAssignments -scope "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Management Group"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
foreach ($subscription in $subscriptions)
{
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
$assignments = GetEligibleAssignments -scope $scope
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Subscription"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$allResourceGroups = Get-AzResourceGroup
foreach ($group in $allResourceGroups) {
Write-Host $group.ResourceGroupName
$assignments = GetEligibleAssignments -scope $group.ResourceId
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Resource Group"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.ResourceGroup = $group.ResourceGroupName
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$allResources = Get-AzResource -ResourceGroupName $group.ResourceGroupName
foreach ($resource in $allResources)
{
$assignments = GetEligibleAssignments -scope $resource.ResourceId
[ResourceCheck[]]$Result = @()
foreach ($assignment in $assignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level = "Resource"
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.ResourceGroup = $group.ResourceGroupName
$resourceCheck.ResourceId = $resource.ResourceId
$resourceCheck.ResourceName = $resource.Name
$resourceCheck.ResourceType = $resource.ResourceType
$resourceCheck.RoleEligibilityScheduleId = $assignment.roleEligibilityScheduleId
$resourceCheck.Scope = $assignment.scope
$resourceCheck.RoleDefinitionId = $assignment.roleDefinitionId
$resourceCheck.RoleDefinitionName = $assignment.expandedProperties.roleDefinition.displayName
$resourceCheck.RoleDefinitionType = $assignment.expandedProperties.roleDefinition.type
$resourceCheck.PrincipalId = $assignment.principalId
$resourceCheck.PrincipalName = $assignment.expandedProperties.principal.displayName
$resourceCheck.PrincipalType = $assignment.principalType
$resourceCheck.Status = $assignment.status
$resourceCheck.StartDateTime = $assignment.startDateTime
$resourceCheck.EndDateTime = $assignment.endDateTime
$resourceCheck.CreatedOn = $assignment.createdOn
$Result += $resourceCheck
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
}
}
}
}
Write-Host "======================================================================================================================================================================"
Write-Host "Done."

204
Powershell/Lists/Azure/AzureRBAC.ps1
View File

@@ -10,6 +10,8 @@ class ResourceCheck {
[string] $ResourceName = "" [string] $ResourceName = ""
[string] $ResourceGroupName = "" [string] $ResourceGroupName = ""
[string] $ResourceType = "" [string] $ResourceType = ""
[string] $ManagementGroupId = ""
[string] $ManagementGroupName = ""
[string] $SubscriptionId = "" [string] $SubscriptionId = ""
[string] $SubscriptionName = "" [string] $SubscriptionName = ""
[string] $Tag_Team = "" [string] $Tag_Team = ""
@@ -29,80 +31,83 @@ Write-Host "====================================================================
Write-Host "Creating resource RBAC assignment overview." Write-Host "Creating resource RBAC assignment overview."
Write-Host "========================================================================================================================================================================" Write-Host "========================================================================================================================================================================"
$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled" [string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_rbac_assignments.csv"
$fileName = "2022-08-05 azure_rbac.csv" $managementGroups = Get-AzManagementGroup
$fileExists = Test-Path $fileName
If ($fileExists -eq $True) {
Remove-Item $fileName
}
foreach ($subscription in $subscriptions) foreach ($managementGroup in $managementGroups)
{ {
Set-AzContext -SubscriptionId $subscription.Id Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
[ResourceCheck[]]$Result = @()
$resourceGroups = Get-AzResourceGroup try {
$roleAssignments = Get-AzRoleAssignment -Scope $managementGroup.Id | Where-Object Scope -eq $managementGroup.Id
foreach ($resourceGroup in $resourceGroups) {
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck[]]$Result = @() [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = ""
try { $resourceCheck.Kind = "ManagementGroup"
$roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId $resourceCheck.Location = ""
$resourceCheck.ResourceGroupName = ""
foreach($roleAssignment in $roleAssignments) { $resourceCheck.ManagementGroupId = $managementGroup.Id
[ResourceCheck] $resourceCheck = [ResourceCheck]::new() $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.ResourceId = $resourceGroup.ResourceId $resourceCheck.SubscriptionId = ""
$resourceCheck.Kind = "ResourceGroup" $resourceCheck.SubscriptionName = ""
$resourceCheck.Location = $resourceGroup.Location $resourceCheck.Tag_Team = ""
$resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName $resourceCheck.Tag_Product = ""
$resourceCheck.SubscriptionId = $subscription.Id $resourceCheck.Tag_Environment = ""
$resourceCheck.SubscriptionName = $subscription.Name $resourceCheck.Tag_Data = ""
$resourceCheck.Tag_Team = $resourceGroup.Tags.team $resourceCheck.Tag_Delete = ""
$resourceCheck.Tag_Product = $resourceGroup.Tags.product $resourceCheck.Tag_Split = ""
$resourceCheck.Tag_Environment = $resourceGroup.Tags.environment $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.Tag_Data = $resourceGroup.Tags.data $resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.Tag_Delete = $resourceGroup.Tags.delete $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.Tag_Split = $resourceGroup.Tags.split $resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId $resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName $Result += $resourceCheck
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName }
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName } catch {
$Result += $resourceCheck
}
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
} }
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$allResources = Get-AzResource
foreach ($resource in $allResources) {
$subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
foreach ($subscription in $subscriptions)
{
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
[ResourceCheck[]]$Result = @() [ResourceCheck[]]$Result = @()
try { try {
$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId $roleAssignments = Get-AzRoleAssignment -Scope $scope | Where-Object Scope -eq $scope
foreach($roleAssignment in $roleAssignments) { foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new() [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resource.ResourceId $resourceCheck.ResourceId = ""
$resourceCheck.Id = $resource.Id $resourceCheck.Kind = "Subscription"
$resourceCheck.Kind = $resource.Kind $resourceCheck.Location = ""
$resourceCheck.Location = $resource.Location $resourceCheck.ResourceGroupName = ""
$resourceCheck.ResourceName = $resource.ResourceName $resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ResourceGroupName = $resource.ResourceGroupName $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.ResourceType = $resource.ResourceType
$resourceCheck.SubscriptionId = $subscription.Id $resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name $resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resource.Tags.team $resourceCheck.Tag_Team = $subscription.Tags.team
$resourceCheck.Tag_Product = $resource.Tags.product $resourceCheck.Tag_Product = $subscription.Tags.product
$resourceCheck.Tag_Environment = $resource.Tags.environment $resourceCheck.Tag_Environment = $subscription.Tags.environment
$resourceCheck.Tag_Data = $resource.Tags.data $resourceCheck.Tag_Data = $subscription.Tags.data
$resourceCheck.Tag_Delete = $resource.Tags.delete $resourceCheck.Tag_Delete = $subscription.Tags.delete
$resourceCheck.Tag_Split = $resource.Tags.split $resourceCheck.Tag_Split = $subscription.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope $resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
@@ -114,6 +119,85 @@ foreach ($subscription in $subscriptions)
} catch { } catch {
} }
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
$resourceGroups = Get-AzResourceGroup
foreach ($resourceGroup in $resourceGroups) {
[ResourceCheck[]]$Result = @()
try {
$roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId | Where-Object Scope -Like "$($resourceGroup.ResourceId)*"
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resourceGroup.ResourceId
$resourceCheck.Kind = "ResourceGroup"
$resourceCheck.Location = $resourceGroup.Location
$resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resourceGroup.Tags.team
$resourceCheck.Tag_Product = $resourceGroup.Tags.product
$resourceCheck.Tag_Environment = $resourceGroup.Tags.environment
$resourceCheck.Tag_Data = $resourceGroup.Tags.data
$resourceCheck.Tag_Delete = $resourceGroup.Tags.delete
$resourceCheck.Tag_Split = $resourceGroup.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$Result += $resourceCheck
}
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
}
$allResources = Get-AzResource
foreach ($resource in $allResources) {
[ResourceCheck[]]$Result = @()
try {
$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId | Where-Object Scope -eq $resource.ResourceId
foreach($roleAssignment in $roleAssignments) {
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.ResourceId = $resource.ResourceId
$resourceCheck.Id = $resource.Id
$resourceCheck.Kind = "Resource"
$resourceCheck.Location = $resource.Location
$resourceCheck.ResourceName = $resource.ResourceName
$resourceCheck.ResourceGroupName = $resource.ResourceGroupName
$resourceCheck.ResourceType = $resource.ResourceType
$resourceCheck.ManagementGroupId = $managementGroup.Id
$resourceCheck.ManagementGroupName = $managementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscription.Id
$resourceCheck.SubscriptionName = $subscription.Name
$resourceCheck.Tag_Team = $resource.Tags.team
$resourceCheck.Tag_Product = $resource.Tags.product
$resourceCheck.Tag_Environment = $resource.Tags.environment
$resourceCheck.Tag_Data = $resource.Tags.data
$resourceCheck.Tag_Delete = $resource.Tags.delete
$resourceCheck.Tag_Split = $resource.Tags.split
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
$Result += $resourceCheck
}
} catch {
}
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
}
} }
} }

2
Powershell/Lists/Azure/KeyVaults.ps1
View File

@@ -30,8 +30,6 @@ Write-Host "====================================================================
[string] $date = Get-Date -Format "yyyy-MM-dd HHmm" [string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_key_vaults.csv" $fileName = ".\$date azure_key_vaults.csv"
# rm $fileName
foreach ($subscription in $subscriptions) foreach ($subscription in $subscriptions)
{ {
Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"