PIM settings script #99024

Script for management group overview #97859
Jurjen Ladenius
2024-04-18 09:00:04 +02:00
parent c91b0f0908
commit 5003d32cad
8 changed files with 378 additions and 4 deletions


@@ -0,0 +1,95 @@
function GetAllPolicies {
param (
[string] $scope
)
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/list-for-scope?view=rest-authorization-2020-10-01&tabs=HTTP
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01"
$head = @{ Authorization =" Bearer $access_token" }
$response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
$response | ForEach-Object {
$responseValue = $_.value
if ($responseValue.Length -gt 0) {
return $responseValue
}
else {
return ""
}
}
}
function UpdatePolicy {
param (
[string] $scope,
[string] $roleManagementPolicyName,
[string] $patchValue
)
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/update?view=rest-authorization-2020-10-01&tabs=HTTP
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies/$($roleManagementPolicyName)?api-version=2020-10-01"
$head = @{ Authorization =" Bearer $access_token" }
Invoke-RestMethod -Uri $url -Method Patch -Headers $head -Body $patchValue -ContentType "application/json" | Out-Null
}
Write-Host "=========================================================================================="
Write-Host "Setting standard PIM role settings on modified roles."
Write-Host "=========================================================================================="
[string] $patchValue = Get-Content .\AzurePIMpatch.json -Raw
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups)
{
Write-Host "--------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
$scope = "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
$assignments = GetAllPolicies -scope $scope | Where-Object {
$prop = $_.properties
if ($prop.LastModifiedDateTime) { return $_ }
}
foreach ($assignment in $assignments)
{
$assignmentName = $assignment.name
Write-Host "Updating assignment [$($assignment.id)]"
UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
}
# $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
# foreach ($subscription in $subscriptions)
# {
# Write-Host " --------------------------------------------------------------------"
# $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
# $subscriptionId = $scope.Replace("/subscriptions/", "")
# Write-Host " Subscription [$($subscription.DisplayName) - $subscriptionId]"
# Write-Host " --------------------------------------------------------------------"
# $assignments = GetAllPolicies -scope $scope | Where-Object {
# $prop = $_.properties
# if ($prop.LastModifiedDateTime) { return $_ }
# }
# foreach ($assignment in $assignments)
# {
# $assignmentName = $assignment.name
# Write-Host " Updating assignment [$($assignment.id)]"
# UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
# }
# }
}
Write-Host "=========================================================================================="
Write-Host "Done."
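Review bot: The inner foreach at the end of the script patches every policy that has a LastModifiedDateTime with the same JSON, and nothing around the `UpdatePolicy` call records a failed PATCH or lets the run be previewed first; since the payload is applied at management-group scope to every matched role, a dry-run switch checked before the call and a `try { UpdatePolicy ... } catch { Write-Warning "PATCH failed for $($assignment.id): $_" }` around it would make the bulk change auditable and keep one failure from aborting or silently skipping the rest. GetAllPolicies reads only `$_.value` and never follows a `nextLink`, so if the list response is paged the later pages are skipped — worth confirming against the API docs linked in the comment. The header value `" Bearer $access_token"` carries a leading space; `Authorization = "Bearer $access_token"` is the intended form. The tenant id is duplicated in both functions; a single `$tenantId` variable at the top of the script would avoid the two copies drifting apart.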


@@ -0,0 +1,96 @@
{
"properties": {
"rules": [
{
"isExpirationRequired": false,
"maximumDuration": "PT10H",
"id": "Expiration_EndUser_Assignment",
"ruleType": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"enabledRules": [
"MultiFactorAuthentication"
],
"id": "Enablement_EndUser_Assignment",
"ruleType": "RoleManagementPolicyEnablementRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"notificationType": "Email",
"recipientType": "Admin",
"isDefaultRecipientsEnabled": false,
"notificationLevel": "All",
"notificationRecipients": [],
"id": "Notification_Admin_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"notificationType": "Email",
"recipientType": "Requestor",
"isDefaultRecipientsEnabled": false,
"notificationLevel": "All",
"notificationRecipients": [],
"id": "Notification_Requestor_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"notificationType": "Email",
"recipientType": "Approver",
"isDefaultRecipientsEnabled": false,
"notificationLevel": "All",
"notificationRecipients": [],
"id": "Notification_Approver_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
}
]
}
}
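Review bot: The three notification rules (`Notification_Admin_EndUser_Assignment`, `Notification_Requestor_EndUser_Assignment`, `Notification_Approver_EndUser_Assignment`) all set `isDefaultRecipientsEnabled` to false with an empty `notificationRecipients`, so once this patch is applied no mailbox receives activation notices for the affected roles; if that is deliberate, a comment next to the `Get-Content .\AzurePIMpatch.json` line in the script that loads this file should say so, because it removes a detection signal for privileged-role activation at management-group scope. The expiration rule sets `isExpirationRequired` to false alongside `maximumDuration` of PT10H — worth confirming in the role-management-policy docs what that combination means for end-user activations before rolling it out everywhere. Only EndUser/Assignment rules are present, so the admin eligibility, admin assignment and approval rules on the target policies are presumably left as they are by the PATCH; a short note stating that would save the next reader from checking.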


@@ -22,8 +22,6 @@ $subscriptionId = "3190b0fd-4a66-4636-a204-5b9f18be78a6" ; $resourceGroupName =
$subscriptionId = "86945e42-fa5a-4bbc-948f-3f5407f15d3e" ; $resourceGroupName = "hierarchy"; $accountName = "hierarchyeff"; $principalIdReader = "dd576450-b564-4659-ac00-163036bf1dff"; $principalIdWriter = "591b32ff-33b8-4839-bf35-58ec262b014f"
$subscriptionId = "70cae949-5013-4c40-b718-911dbf9b9a80" ; $resourceGroupName = "participantcore"; $accountName = "participantcore"; $principalIdReader = "a7f7f051-90ad-4419-b040-2868c0e6bbff"; $principalIdWriter = "0bbbf6d4-bdf4-450a-bcc7-4024451558e5"
$subscriptionId = "f9ab522b-4895-492d-b8a8-ca6e1f60c2a8" ; $resourceGroupName = "participant-exchange"; $accountName = "participantexchange"; $principalIdReader = "3b3ebcdf-04b6-4cf8-a237-425cc3952770"; $principalIdWriter = "6c38e6fb-4190-45bc-a347-b132afb47cba"
$subscriptionId = "7feeb150-9ee0-4aea-992a-5f3a89d933e6" ; $resourceGroupName = "results-calculation"; $accountName = "results-calculation"; $principalIdReader = "645b069a-c367-4e0e-9dac-38595663acab"; $principalIdWriter = "fa86c1a4-570c-4f00-8960-1a17eb23d613"


@@ -0,0 +1,4 @@
az login
az account set --subscription 'a134faf1-7a89-4f2c-8389-06d00bd5e2a7'
az sql server audit-policy show -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr'
az sql server audit-policy update -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr' --state Disabled
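Review bot: The last line turns off server-level SQL auditing (`--state Disabled`) on the named server and nothing in the file records why or when it should be re-enabled; a header comment along the lines of `# Disables SQL auditing on <server> for <reason>; re-enable with --state Enabled by <date>` (placeholder text) would make the intent reviewable. The preceding `show` prints the current policy but its output is not kept, so the previous configuration (retention, storage target) is gone once the update runs; `az sql server audit-policy show -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr' > audit-policy-before.json` preserves it for rollback. Disabling auditing removes an audit trail that detection and compliance rely on, so it deserves the same scrutiny as the PIM settings change in this commit.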