From 3df9ea6d449edfa201cf8bb6f8b18e51ceb5f210 Mon Sep 17 00:00:00 2001
From: Jurjen Ladenius
Date: Fri, 22 Mar 2024 16:48:56 +0100
Subject: [PATCH] new script for listing key vault access policies
---
.../Lists/Azure/KeyVaultAccessPolicies.ps1 | 106 ++++++++++++++++++
1 file changed, 106 insertions(+)
create mode 100644 Powershell/Lists/Azure/KeyVaultAccessPolicies.ps1
diff --git a/Powershell/Lists/Azure/KeyVaultAccessPolicies.ps1 b/Powershell/Lists/Azure/KeyVaultAccessPolicies.ps1
new file mode 100644
index 0000000..ca711f9
--- /dev/null
+++ b/Powershell/Lists/Azure/KeyVaultAccessPolicies.ps1
@@ -0,0 +1,106 @@
+#Connect-AzAccount
+
+class ResourceCheck {
+ [string] $ManagementGroupId = ""
+ [string] $ManagementGroupName = ""
+ [string] $SubscriptionId = ""
+ [string] $SubscriptionName = ""
+ [string] $ResourceGroup = ""
+ [string] $ResourceId = ""
+ [string] $Location = ""
+ [string] $ResourceName = ""
+ [string] $AccessPolicy_ObjectId = ""
+ [string] $AccessPolicy_DisplayName = ""
+ [string] $AccessPolicy_ApplicationId = ""
+ [string] $AccessPolicy_ApplicationDisplayName = ""
+ [string] $AccessPolicy_Keys = ""
+ [string] $AccessPolicy_Secrets = ""
+ [string] $AccessPolicy_Certificates = ""
+ [string] $AccessPolicy_Storage = ""
+ [string] $Tag_Team = ""
+ [string] $Tag_Product = ""
+ [string] $Tag_Environment = ""
+ [string] $Tag_Data = ""
+ [string] $Tag_Deployment = ""
+ [string] $Tag_CreatedOnDate = ""
+}
+
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Creating key vault access policy resource overview."
+Write-Host "======================================================================================================================================================================"
+
+[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
+$fileName = ".\$date azure_key_vault_access_policies.csv"
+
+$managementGroups = Get-AzManagementGroup
+
+foreach ($managementGroup in $managementGroups)
+{
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+ Write-Host "Management group [$($managementGroup.Name)]"
+
+ $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
+
+ foreach ($subscription in $subscriptions)
+ {
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+ $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
+ $subscriptionId = $scope.Replace("/subscriptions/", "")
+ Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
+ Set-AzContext -SubscriptionId $subscriptionId | Out-Null
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ $allResourceGroups = Get-AzResourceGroup
+ [ResourceCheck[]]$Result = @()
+
+ foreach ($group in $allResourceGroups) {
+
+ $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
+
+ foreach ($vault in $allVaults) {
+
+ $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName
+
+ if ($vaultWithAllProps.EnableRbacAuthorization -ne "TRUE") {
+
+ Write-Host $vaultWithAllProps.ResourceId
+
+ foreach($accessPolicy in $vaultWithAllProps.AccessPolicies)
{
+
+ [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+ $resourceCheck.ManagementGroupId = $managementGroup.Id
+ $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
+ $resourceCheck.SubscriptionId = $subscription.Id
+ $resourceCheck.SubscriptionName = $subscription.Name
+ $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
+ $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
+ $resourceCheck.Location = $vaultWithAllProps.Location
+ $resourceCheck.ResourceName = $vaultWithAllProps.VaultName
+ $resourceCheck.AccessPolicy_ObjectId = $accessPolicy.ObjectId
+ $resourceCheck.AccessPolicy_DisplayName = $accessPolicy.DisplayName
+ $resourceCheck.AccessPolicy_ApplicationId = $accessPolicy.ApplicationId
+ $resourceCheck.AccessPolicy_ApplicationDisplayName = $accessPolicy.ApplicationIdDisplayName
+ $resourceCheck.AccessPolicy_Keys = $accessPolicy.PermissionsToKeysStr
+ $resourceCheck.AccessPolicy_Secrets = $accessPolicy.PermissionsToSecretsStr
+ $resourceCheck.AccessPolicy_Certificates = $accessPolicy.PermissionsToCertificatesStr
+ $resourceCheck.AccessPolicy_Storage = $accessPolicy.PermissionsToStorageStr
+ $resourceCheck.Tag_Team = $vaultWithAllProps.Tags.team
+ $resourceCheck.Tag_Product = $vaultWithAllProps.Tags.product
+ $resourceCheck.Tag_Environment = $vaultWithAllProps.Tags.environment
+ $resourceCheck.Tag_Data = $vaultWithAllProps.Tags.data
+ $resourceCheck.Tag_CreatedOnDate = $vaultWithAllProps.Tags.CreatedOnDate
+ $resourceCheck.Tag_Deployment = $vaultWithAllProps.Tags.drp_deployment
+
+ $Result += $resourceCheck
+ }
+ }
+ }
+ }
+
+ $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
+ }
+}
+Write-Host "======================================================================================================================================================================"
+Write-Host "Done."
+
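Review bot: A failed `Set-AzContext` for one subscription is never detected in the subscription loop, so if the cmdlet only emits a non-terminating error the `Get-AzResourceGroup`/`Get-AzKeyVault` calls that follow run against whatever context was last active while every row is stamped with the current `$subscription.Id`, which mislabels an access-review export that people will act on. Make the switch fail loudly and confirm it before enumerating: `Set-AzContext -SubscriptionId $subscriptionId -ErrorAction Stop | Out-Null` followed by `if ((Get-AzContext).Subscription.Id -ne $subscriptionId) { throw "Context switch to $subscriptionId failed" }`. The RBAC gate `-ne "TRUE"` works only because any non-empty string coerces to `$true` against the boolean left operand (so `-ne "FALSE"` would behave identically); `-ne $true` says what is meant and also keeps vaults with a null value in the export. Separately, the CSV's SubscriptionId column receives `$subscription.Id`, which from Get-AzManagementGroupSubscription appears to be the management-group-scoped path rather than the bare GUID the script already derives into `$subscriptionId` — worth confirming which form downstream consumers expect.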