PIM settings script #99024

Script for management group overview #97859
This commit is contained in:
Jurjen Ladenius
2024-04-18 09:00:04 +02:00
parent c91b0f0908
commit 5003d32cad
8 changed files with 378 additions and 4 deletions

View File

@@ -74,6 +74,8 @@
"/subscriptions/c4b0c496-dbc1-483b-890b-fc46012125d8", "/subscriptions/c4b0c496-dbc1-483b-890b-fc46012125d8",
"/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea", "/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea",
"/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6", "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6",
"/subscriptions/e33c30f7-06c7-4765-86a9-7a8979b6d1cc" "/subscriptions/e33c30f7-06c7-4765-86a9-7a8979b6d1cc",
"/subscriptions/2021c41e-3582-40a1-85e5-59588741e6d3",
"/subscriptions/17a9bacf-5a67-44bf-a532-950a4b3bf25d"
] ]
} }

View File

@@ -57,6 +57,7 @@
"/subscriptions/c4b0c496-dbc1-483b-890b-fc46012125d8", "/subscriptions/c4b0c496-dbc1-483b-890b-fc46012125d8",
"/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea", "/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea",
"/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6", "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6",
"/subscriptions/e33c30f7-06c7-4765-86a9-7a8979b6d1cc" "/subscriptions/2021c41e-3582-40a1-85e5-59588741e6d3",
"/subscriptions/17a9bacf-5a67-44bf-a532-950a4b3bf25d"
] ]
} }

View File

@@ -0,0 +1,65 @@
{
"properties": {
"displayName": "Key Vault should be in RBAC authentication mode.",
"policyType": "Custom",
"mode": "All",
"description": "This policy allows enforcing RBAC authentication for Key Vault.",
"metadata": {
"category": "Key Vault",
"createdBy": "c6025a2e-416c-42da-96ef-dd507382793a",
"createdOn": "2024-04-12T14:36:53.5411731Z",
"updatedBy": null,
"updatedOn": null
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
},
{
"not":
{
"field": "Microsoft.KeyVault/vaults/enableRbacAuthorization",
"equals": "true"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Management/managementGroups/ManagementGroup_SurveySoftware/providers/Microsoft.Authorization/policyDefinitions/e889bb98-9f0c-4bec-8c72-6019781549e5",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "e889bb98-9f0c-4bec-8c72-6019781549e5",
"systemData": {
"createdBy": "jurjen.ladenius@effectory.com",
"createdByType": "User",
"createdAt": "2024-04-12T14:36:53.5414063Z",
"lastModifiedBy": "jurjen.ladenius@effectory.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-04-12T14:36:53.5414063Z"
}
}

View File

@@ -0,0 +1,113 @@
#Connect-AzAccount
class ResourceCheck {
[string] $SubscriptionId = ""
[string] $SubscriptionName = ""
[string] $SubscriptionState = ""
[string] $Level0_ManagementGroupId = ""
[string] $Level1_ManagementGroupId = ""
[string] $Level2_ManagementGroupId = ""
[string] $Level0_ManagementGroupName = ""
[string] $Level1_ManagementGroupName = ""
[string] $Level2_ManagementGroupName = ""
}
Write-Host "======================================================================================================================"
Write-Host "Creating list of Effectory Management Groups and subscriptions."
Write-Host "- Note: not very dynamic; Starts at hard coded root group and works up max 2 levels."
Write-Host "======================================================================================================================"
[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_managementgroups.csv"
[ResourceCheck[]]$Result = @()
$rootManagementGroup = (Get-AzManagementGroup -GroupId 'e9792fd7-4044-47e7-a40d-3fba46f1cd09' -Expand)[0]
#level 0
Write-Host "---------------------------------------------------------------------------------------------"
Write-Host "Level 0 Management group [$($rootManagementGroup.Name)]"
Write-Host "---------------------------------------------------------------------------------------------"
$subscriptions = $rootManagementGroup.Children | Where-Object Type -EQ '/subscriptions'
foreach ($subscription in $subscriptions)
{
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level0_ManagementGroupId = $rootManagementGroup.Id
$resourceCheck.Level0_ManagementGroupName = $rootManagementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.SubscriptionState = $subscription.State
$Result += $resourceCheck
}
#level 1
foreach ($level1ManagementGroupLister in ($rootManagementGroup.Children | Where-Object Type -EQ 'Microsoft.Management/managementGroups'))
{
$level1ManagementGroup = (Get-AzManagementGroup -Group $level1ManagementGroupLister.Name -Expand)[0]
Write-Host " ---------------------------------------------------------------------------------------------"
Write-Host " Level 1 Management group [$($level1ManagementGroup.Name)]"
Write-Host " ---------------------------------------------------------------------------------------------"
$subscriptions = $level1ManagementGroup.Children | Where-Object Type -EQ '/subscriptions'
foreach ($subscription in $subscriptions)
{
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host " Subscription [$($subscription.DisplayName) - $subscriptionId]"
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level0_ManagementGroupId = $rootManagementGroup.Id
$resourceCheck.Level0_ManagementGroupName = $rootManagementGroup.DisplayName
$resourceCheck.Level1_ManagementGroupId = $level1ManagementGroup.Id
$resourceCheck.Level1_ManagementGroupName = $level1ManagementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.SubscriptionState = $subscription.State
$Result += $resourceCheck
}
#level 2
foreach ($level2ManagementGroupLister in ($level1ManagementGroup.Children | Where-Object Type -EQ 'Microsoft.Management/managementGroups'))
{
$level2ManagementGroup = (Get-AzManagementGroup -Group $level2ManagementGroupLister.Name -Expand)[0]
Write-Host " ---------------------------------------------------------------------------------------------"
Write-Host " Level 2 Management group [$($level2ManagementGroup.Name)]"
Write-Host " ---------------------------------------------------------------------------------------------"
$subscriptions = $level2ManagementGroup.Children | Where-Object Type -EQ '/subscriptions'
foreach ($subscription in $subscriptions)
{
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host " Subscription [$($subscription.DisplayName) - $subscriptionId]"
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
$resourceCheck.Level0_ManagementGroupId = $rootManagementGroup.Id
$resourceCheck.Level0_ManagementGroupName = $rootManagementGroup.DisplayName
$resourceCheck.Level1_ManagementGroupId = $level1ManagementGroup.Id
$resourceCheck.Level1_ManagementGroupName = $level1ManagementGroup.DisplayName
$resourceCheck.Level2_ManagementGroupId = $level2ManagementGroup.Id
$resourceCheck.Level2_ManagementGroupName = $level2ManagementGroup.DisplayName
$resourceCheck.SubscriptionId = $subscriptionId
$resourceCheck.SubscriptionName = $subscription.DisplayName
$resourceCheck.SubscriptionState = $subscription.State
$Result += $resourceCheck
}
}
}
$Result | Export-Csv -Path $fileName -NoTypeInformation
Write-Host "============================================================================================="
Write-Host "Done."

View File

@@ -0,0 +1,95 @@
function GetAllPolicies {
param (
[string] $scope
)
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/list-for-scope?view=rest-authorization-2020-10-01&tabs=HTTP
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01"
$head = @{ Authorization =" Bearer $access_token" }
$response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
$response | ForEach-Object {
$responseValue = $_.value
if ($responseValue.Length -gt 0) {
return $responseValue
}
else {
return ""
}
}
}
function UpdatePolicy {
param (
[string] $scope,
[string] $roleManagementPolicyName,
[string] $patchValue
)
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/update?view=rest-authorization-2020-10-01&tabs=HTTP
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies/$($roleManagementPolicyName)?api-version=2020-10-01"
$head = @{ Authorization =" Bearer $access_token" }
Invoke-RestMethod -Uri $url -Method Patch -Headers $head -Body $patchValue -ContentType "application/json" | Out-Null
}
Write-Host "=========================================================================================="
Write-Host "Setting standard PIM role settings on modified roles."
Write-Host "=========================================================================================="
[string] $patchValue = Get-Content .\AzurePIMpatch.json -Raw
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups)
{
Write-Host "--------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
$scope = "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
$assignments = GetAllPolicies -scope $scope | Where-Object {
$prop = $_.properties
if ($prop.LastModifiedDateTime) { return $_ }
}
foreach ($assignment in $assignments)
{
$assignmentName = $assignment.name
Write-Host "Updating assignment [$($assignment.id)]"
UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
}
# $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
# foreach ($subscription in $subscriptions)
# {
# Write-Host " --------------------------------------------------------------------"
# $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
# $subscriptionId = $scope.Replace("/subscriptions/", "")
# Write-Host " Subscription [$($subscription.DisplayName) - $subscriptionId]"
# Write-Host " --------------------------------------------------------------------"
# $assignments = GetAllPolicies -scope $scope | Where-Object {
# $prop = $_.properties
# if ($prop.LastModifiedDateTime) { return $_ }
# }
# foreach ($assignment in $assignments)
# {
# $assignmentName = $assignment.name
# Write-Host " Updating assignment [$($assignment.id)]"
# UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
# }
# }
}
Write-Host "=========================================================================================="
Write-Host "Done."

View File

@@ -0,0 +1,96 @@
{
"properties": {
"rules": [
{
"isExpirationRequired": false,
"maximumDuration": "PT10H",
"id": "Expiration_EndUser_Assignment",
"ruleType": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"enabledRules": [
"MultiFactorAuthentication"
],
"id": "Enablement_EndUser_Assignment",
"ruleType": "RoleManagementPolicyEnablementRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"notificationType": "Email",
"recipientType": "Admin",
"isDefaultRecipientsEnabled": false,
"notificationLevel": "All",
"notificationRecipients": [],
"id": "Notification_Admin_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"notificationType": "Email",
"recipientType": "Requestor",
"isDefaultRecipientsEnabled": false,
"notificationLevel": "All",
"notificationRecipients": [],
"id": "Notification_Requestor_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"notificationType": "Email",
"recipientType": "Approver",
"isDefaultRecipientsEnabled": false,
"notificationLevel": "All",
"notificationRecipients": [],
"id": "Notification_Approver_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": [],
"inheritableSettings": [],
"enforcedSettings": []
}
}
]
}
}

View File

@@ -22,8 +22,6 @@ $subscriptionId = "3190b0fd-4a66-4636-a204-5b9f18be78a6" ; $resourceGroupName =
$subscriptionId = "86945e42-fa5a-4bbc-948f-3f5407f15d3e" ; $resourceGroupName = "hierarchy"; $accountName = "hierarchyeff"; $principalIdReader = "dd576450-b564-4659-ac00-163036bf1dff"; $principalIdWriter = "591b32ff-33b8-4839-bf35-58ec262b014f" $subscriptionId = "86945e42-fa5a-4bbc-948f-3f5407f15d3e" ; $resourceGroupName = "hierarchy"; $accountName = "hierarchyeff"; $principalIdReader = "dd576450-b564-4659-ac00-163036bf1dff"; $principalIdWriter = "591b32ff-33b8-4839-bf35-58ec262b014f"
$subscriptionId = "70cae949-5013-4c40-b718-911dbf9b9a80" ; $resourceGroupName = "participantcore"; $accountName = "participantcore"; $principalIdReader = "a7f7f051-90ad-4419-b040-2868c0e6bbff"; $principalIdWriter = "0bbbf6d4-bdf4-450a-bcc7-4024451558e5"
$subscriptionId = "f9ab522b-4895-492d-b8a8-ca6e1f60c2a8" ; $resourceGroupName = "participant-exchange"; $accountName = "participantexchange"; $principalIdReader = "3b3ebcdf-04b6-4cf8-a237-425cc3952770"; $principalIdWriter = "6c38e6fb-4190-45bc-a347-b132afb47cba" $subscriptionId = "f9ab522b-4895-492d-b8a8-ca6e1f60c2a8" ; $resourceGroupName = "participant-exchange"; $accountName = "participantexchange"; $principalIdReader = "3b3ebcdf-04b6-4cf8-a237-425cc3952770"; $principalIdWriter = "6c38e6fb-4190-45bc-a347-b132afb47cba"
$subscriptionId = "7feeb150-9ee0-4aea-992a-5f3a89d933e6" ; $resourceGroupName = "results-calculation"; $accountName = "results-calculation"; $principalIdReader = "645b069a-c367-4e0e-9dac-38595663acab"; $principalIdWriter = "fa86c1a4-570c-4f00-8960-1a17eb23d613" $subscriptionId = "7feeb150-9ee0-4aea-992a-5f3a89d933e6" ; $resourceGroupName = "results-calculation"; $accountName = "results-calculation"; $principalIdReader = "645b069a-c367-4e0e-9dac-38595663acab"; $principalIdWriter = "fa86c1a4-570c-4f00-8960-1a17eb23d613"

View File

@@ -0,0 +1,4 @@
az login
az account set --subscription 'a134faf1-7a89-4f2c-8389-06d00bd5e2a7'
az sql server audit-policy show -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr'
az sql server audit-policy update -g 'Default-SQL-WestEurope' -n 'c0m7f8nybr' --state Disabled