mirror of
https://dev.azure.com/effectory/Survey%20Software/_git/Cloud%20Engineering
synced 2026-02-27 18:52:18 +01:00
95
Powershell/Tools/AzurePIM - role settings.ps1
Normal file
95
Powershell/Tools/AzurePIM - role settings.ps1
Normal file
@@ -0,0 +1,95 @@
|
||||
|
||||
function GetAllPolicies {
|
||||
|
||||
param (
|
||||
[string] $scope
|
||||
)
|
||||
|
||||
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/list-for-scope?view=rest-authorization-2020-10-01&tabs=HTTP
|
||||
|
||||
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
|
||||
|
||||
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01"
|
||||
|
||||
$head = @{ Authorization =" Bearer $access_token" }
|
||||
$response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
|
||||
|
||||
$response | ForEach-Object {
|
||||
$responseValue = $_.value
|
||||
if ($responseValue.Length -gt 0) {
|
||||
return $responseValue
|
||||
}
|
||||
else {
|
||||
return ""
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function UpdatePolicy {
|
||||
param (
|
||||
[string] $scope,
|
||||
[string] $roleManagementPolicyName,
|
||||
[string] $patchValue
|
||||
)
|
||||
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/update?view=rest-authorization-2020-10-01&tabs=HTTP
|
||||
|
||||
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
|
||||
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies/$($roleManagementPolicyName)?api-version=2020-10-01"
|
||||
$head = @{ Authorization =" Bearer $access_token" }
|
||||
Invoke-RestMethod -Uri $url -Method Patch -Headers $head -Body $patchValue -ContentType "application/json" | Out-Null
|
||||
}
|
||||
|
||||
Write-Host "=========================================================================================="
|
||||
Write-Host "Setting standard PIM role settings on modified roles."
|
||||
Write-Host "=========================================================================================="
|
||||
|
||||
[string] $patchValue = Get-Content .\AzurePIMpatch.json -Raw
|
||||
|
||||
$managementGroups = Get-AzManagementGroup
|
||||
|
||||
foreach ($managementGroup in $managementGroups)
|
||||
{
|
||||
Write-Host "--------------------------------------------------------------------"
|
||||
Write-Host "Management group [$($managementGroup.Name)]"
|
||||
|
||||
|
||||
$scope = "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
|
||||
$assignments = GetAllPolicies -scope $scope | Where-Object {
|
||||
$prop = $_.properties
|
||||
if ($prop.LastModifiedDateTime) { return $_ }
|
||||
}
|
||||
|
||||
foreach ($assignment in $assignments)
|
||||
{
|
||||
$assignmentName = $assignment.name
|
||||
Write-Host "Updating assignment [$($assignment.id)]"
|
||||
UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
|
||||
}
|
||||
|
||||
# $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
|
||||
|
||||
# foreach ($subscription in $subscriptions)
|
||||
# {
|
||||
# Write-Host " --------------------------------------------------------------------"
|
||||
|
||||
# $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
|
||||
# $subscriptionId = $scope.Replace("/subscriptions/", "")
|
||||
# Write-Host " Subscription [$($subscription.DisplayName) - $subscriptionId]"
|
||||
# Write-Host " --------------------------------------------------------------------"
|
||||
|
||||
# $assignments = GetAllPolicies -scope $scope | Where-Object {
|
||||
# $prop = $_.properties
|
||||
# if ($prop.LastModifiedDateTime) { return $_ }
|
||||
# }
|
||||
|
||||
# foreach ($assignment in $assignments)
|
||||
# {
|
||||
# $assignmentName = $assignment.name
|
||||
# Write-Host " Updating assignment [$($assignment.id)]"
|
||||
# UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
|
||||
# }
|
||||
# }
|
||||
}
|
||||
Write-Host "=========================================================================================="
|
||||
Write-Host "Done."
|
||||
|
||||
96
Powershell/Tools/AzurePIMpatch.json
Normal file
96
Powershell/Tools/AzurePIMpatch.json
Normal file
@@ -0,0 +1,96 @@
|
||||
{
|
||||
"properties": {
|
||||
"rules": [
|
||||
{
|
||||
"isExpirationRequired": false,
|
||||
"maximumDuration": "PT10H",
|
||||
"id": "Expiration_EndUser_Assignment",
|
||||
"ruleType": "RoleManagementPolicyExpirationRule",
|
||||
"target": {
|
||||
"caller": "EndUser",
|
||||
"operations": [
|
||||
"All"
|
||||
],
|
||||
"level": "Assignment",
|
||||
"targetObjects": [],
|
||||
"inheritableSettings": [],
|
||||
"enforcedSettings": []
|
||||
}
|
||||
},
|
||||
{
|
||||
"enabledRules": [
|
||||
"MultiFactorAuthentication"
|
||||
],
|
||||
"id": "Enablement_EndUser_Assignment",
|
||||
"ruleType": "RoleManagementPolicyEnablementRule",
|
||||
"target": {
|
||||
"caller": "EndUser",
|
||||
"operations": [
|
||||
"All"
|
||||
],
|
||||
"level": "Assignment",
|
||||
"targetObjects": [],
|
||||
"inheritableSettings": [],
|
||||
"enforcedSettings": []
|
||||
}
|
||||
},
|
||||
{
|
||||
"notificationType": "Email",
|
||||
"recipientType": "Admin",
|
||||
"isDefaultRecipientsEnabled": false,
|
||||
"notificationLevel": "All",
|
||||
"notificationRecipients": [],
|
||||
"id": "Notification_Admin_EndUser_Assignment",
|
||||
"ruleType": "RoleManagementPolicyNotificationRule",
|
||||
"target": {
|
||||
"caller": "EndUser",
|
||||
"operations": [
|
||||
"All"
|
||||
],
|
||||
"level": "Assignment",
|
||||
"targetObjects": [],
|
||||
"inheritableSettings": [],
|
||||
"enforcedSettings": []
|
||||
}
|
||||
},
|
||||
{
|
||||
"notificationType": "Email",
|
||||
"recipientType": "Requestor",
|
||||
"isDefaultRecipientsEnabled": false,
|
||||
"notificationLevel": "All",
|
||||
"notificationRecipients": [],
|
||||
"id": "Notification_Requestor_EndUser_Assignment",
|
||||
"ruleType": "RoleManagementPolicyNotificationRule",
|
||||
"target": {
|
||||
"caller": "EndUser",
|
||||
"operations": [
|
||||
"All"
|
||||
],
|
||||
"level": "Assignment",
|
||||
"targetObjects": [],
|
||||
"inheritableSettings": [],
|
||||
"enforcedSettings": []
|
||||
}
|
||||
},
|
||||
{
|
||||
"notificationType": "Email",
|
||||
"recipientType": "Approver",
|
||||
"isDefaultRecipientsEnabled": false,
|
||||
"notificationLevel": "All",
|
||||
"notificationRecipients": [],
|
||||
"id": "Notification_Approver_EndUser_Assignment",
|
||||
"ruleType": "RoleManagementPolicyNotificationRule",
|
||||
"target": {
|
||||
"caller": "EndUser",
|
||||
"operations": [
|
||||
"All"
|
||||
],
|
||||
"level": "Assignment",
|
||||
"targetObjects": [],
|
||||
"inheritableSettings": [],
|
||||
"enforcedSettings": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -22,8 +22,6 @@ $subscriptionId = "3190b0fd-4a66-4636-a204-5b9f18be78a6" ; $resourceGroupName =
|
||||
|
||||
$subscriptionId = "86945e42-fa5a-4bbc-948f-3f5407f15d3e" ; $resourceGroupName = "hierarchy"; $accountName = "hierarchyeff"; $principalIdReader = "dd576450-b564-4659-ac00-163036bf1dff"; $principalIdWriter = "591b32ff-33b8-4839-bf35-58ec262b014f"
|
||||
|
||||
$subscriptionId = "70cae949-5013-4c40-b718-911dbf9b9a80" ; $resourceGroupName = "participantcore"; $accountName = "participantcore"; $principalIdReader = "a7f7f051-90ad-4419-b040-2868c0e6bbff"; $principalIdWriter = "0bbbf6d4-bdf4-450a-bcc7-4024451558e5"
|
||||
|
||||
$subscriptionId = "f9ab522b-4895-492d-b8a8-ca6e1f60c2a8" ; $resourceGroupName = "participant-exchange"; $accountName = "participantexchange"; $principalIdReader = "3b3ebcdf-04b6-4cf8-a237-425cc3952770"; $principalIdWriter = "6c38e6fb-4190-45bc-a347-b132afb47cba"
|
||||
|
||||
$subscriptionId = "7feeb150-9ee0-4aea-992a-5f3a89d933e6" ; $resourceGroupName = "results-calculation"; $accountName = "results-calculation"; $principalIdReader = "645b069a-c367-4e0e-9dac-38595663acab"; $principalIdWriter = "fa86c1a4-570c-4f00-8960-1a17eb23d613"
|
||||
4
Powershell/Tools/SQLAudit.ps1
Normal file
4
Powershell/Tools/SQLAudit.ps1
Normal file
@@ -0,0 +1,4 @@
|
||||
az login
|
||||
az account set --subscription 'a134faf1-7a89-4f2c-8389-06d00bd5e2a7'
|
||||
az sql server audit-policy show -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr'
|
||||
az sql server audit-policy update -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr' --state Disabled
|
||||
Reference in New Issue
Block a user