Merged PR 51902: updated keyvaults rbac column

updated keyvaults rbac column added scripts to detected unused resources Related work items: #103196
2026-02-27 18:52:18 +01:00 · 2024-07-17 09:40:19 +00:00
parent 6957def272
commit 579ba243bd
4 changed files with 1643 additions and 36 deletions
--- a/Powershell/Lists/Azure/KeyVaultAccessPolicies.ps1
+++ b/Powershell/Lists/Azure/KeyVaultAccessPolicies.ps1
@@ -72,7 +72,7 @@ foreach ($managementGroup in $managementGroups)
                    $resourceCheck.ManagementGroupId = $managementGroup.Id
                    $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
                    $resourceCheck.SubscriptionId = $subscription.Id
-                    $resourceCheck.SubscriptionName = $subscription.Name
+                    $resourceCheck.SubscriptionName = $subscription.DisplayName
                    $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
                    $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
                    $resourceCheck.Location = $vaultWithAllProps.Location
--- a/Powershell/Lists/Azure/KeyVaults.ps1
+++ b/Powershell/Lists/Azure/KeyVaults.ps1
@@ -2,11 +2,13 @@

 class ResourceCheck {
    [string] $ResourceId = ""
-    [string] $Location = ""
-    [string] $ResourceName = ""
-    [string] $ResourceGroup = ""
+    [string] $ManagementGroupId = ""
+    [string] $ManagementGroupName = ""
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
+    [string] $ResourceGroup = ""
+    [string] $ResourceName = ""
+    [string] $Location = ""
    [string] $Tag_Team = ""
    [string] $Tag_Product = ""
    [string] $Tag_Environment = ""
@@ -30,53 +32,67 @@ Write-Host "====================================================================
 [string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
 $fileName =  ".\$date azure_key_vaults.csv" 

-foreach ($subscription in $subscriptions) 
+$managementGroups = Get-AzManagementGroup
+
+foreach ($managementGroup in $managementGroups) 
 {
    Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+    Write-Host "Management group [$($managementGroup.Name)]"

-    Set-AzContext -SubscriptionId $subscription.Id
+    $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"

-    Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+    foreach ($subscription in $subscriptions) 
+    {
+        Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+        $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
+        $subscriptionId = $scope.Replace("/subscriptions/", "")
+        Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
+        Set-AzContext -SubscriptionId $subscriptionId | Out-Null
+        Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"

-    $allResourceGroups = Get-AzResourceGroup
-    [ResourceCheck[]]$Result = @()
+        $allResourceGroups = Get-AzResourceGroup
+        [ResourceCheck[]]$Result = @()

-    foreach ($group in $allResourceGroups) {
+        foreach ($group in $allResourceGroups) {

-        Write-Host $group.ResourceGroupName
+            Write-Host $group.ResourceGroupName

-        $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
-        
-        foreach ($vault in $allVaults) {
+            $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
+            
+            foreach ($vault in $allVaults) {

-            $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName
+                $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName

-            [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
-            $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
-            $resourceCheck.Location = $vaultWithAllProps.Location
-            $resourceCheck.ResourceName = $vaultWithAllProps.VaultName
-            $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
-            $resourceCheck.SubscriptionId = $subscription.Id
-            $resourceCheck.SubscriptionName = $subscription.Name
-            $resourceCheck.Tag_Team = $vaultWithAllProps.Tags.team
-            $resourceCheck.Tag_Product = $vaultWithAllProps.Tags.product
-            $resourceCheck.Tag_Environment = $vaultWithAllProps.Tags.environment
-            $resourceCheck.Tag_Data = $vaultWithAllProps.Tags.data
-            $resourceCheck.Tag_CreatedOnDate = $vaultWithAllProps.Tags.CreatedOnDate
-            $resourceCheck.Tag_Deployment = $vaultWithAllProps.Tags.drp_deployment
-            $resourceCheck.Prop_EnablePurgeProtection = $vaultWithAllProps.EnablePurgeProtection
-            $resourceCheck.Prop_EnableRbacAuthorization = $vaultWithAllProps.EnableRbacAuthorization
-            $resourceCheck.Prop_EnableSoftDelete = $vaultWithAllProps.EnableSoftDelete
-            $resourceCheck.Prop_PublicNetworkAccess = $vaultWithAllProps.PublicNetworkAccess
+                $enabledRBAC = $vaultWithAllProps.EnableRbacAuthorization -eq "TRUE"

-            $Result += $resourceCheck
+                [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+                $resourceCheck.ManagementGroupId = $managementGroup.Id
+                $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
+                $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
+                $resourceCheck.Location = $vaultWithAllProps.Location
+                $resourceCheck.ResourceName = $vaultWithAllProps.VaultName
+                $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
+                $resourceCheck.SubscriptionId = $subscription.Id
+                $resourceCheck.SubscriptionName = $subscription.DisplayName
+                $resourceCheck.Tag_Team = $vaultWithAllProps.Tags.team
+                $resourceCheck.Tag_Product = $vaultWithAllProps.Tags.product
+                $resourceCheck.Tag_Environment = $vaultWithAllProps.Tags.environment
+                $resourceCheck.Tag_Data = $vaultWithAllProps.Tags.data
+                $resourceCheck.Tag_CreatedOnDate = $vaultWithAllProps.Tags.CreatedOnDate
+                $resourceCheck.Tag_Deployment = $vaultWithAllProps.Tags.drp_deployment
+                $resourceCheck.Prop_EnablePurgeProtection = $vaultWithAllProps.EnablePurgeProtection
+                $resourceCheck.Prop_EnableRbacAuthorization = $enabledRBAC
+                $resourceCheck.Prop_EnableSoftDelete = $vaultWithAllProps.EnableSoftDelete
+                $resourceCheck.Prop_PublicNetworkAccess = $vaultWithAllProps.PublicNetworkAccess

-          
+                $Result += $resourceCheck
+
+            
+            }
        }
+        $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
    }
-    $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
 }
-
 Write-Host "======================================================================================================================================================================"
 Write-Host "Done."