Custom Storage Data role and RBAC scripter

2026-02-27 18:52:18 +01:00 · 2021-12-15 10:46:36 +01:00
parent d08728cb88
commit 7a8ca7f8a2
3 changed files with 59522 additions and 5 deletions
--- a/Powershell/Lists/AzureRBAC.ps1
+++ b/Powershell/Lists/AzureRBAC.ps1
@@ -1,4 +1,6 @@
 #Connect-AzAccount
+Import-Module Az.Accounts
+Import-Module Az.Resources

 class ResourceCheck {
    [string] $ResourceId = ""
@@ -29,7 +31,7 @@ Write-Host "====================================================================

 $subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"

-$fileName =  "c:\temp\2020-10-21 azure_rbac.csv" 
+$fileName =  "2021-11-24 azure_rbac.csv" 
 $fileExists = Test-Path $fileName
 If ($fileExists -eq $True) {
    Remove-Item $fileName 
@@ -37,19 +39,55 @@ If ($fileExists -eq $True) {

 foreach ($subscription in $subscriptions) 
 {
-Set-AzContext -SubscriptionId $subscription.Id
+    Set-AzContext -SubscriptionId $subscription.Id

-    $allResources = Get-AzResource 
+    $resourceGroups = Get-AzResourceGroup
+
+    foreach ($resourceGroup in $resourceGroups) {
+
+        [ResourceCheck[]]$Result = @()
+
+        try {
+            $roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId
+
+            foreach($roleAssignment in $roleAssignments) {
+                [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+                $resourceCheck.ResourceId = $resourceGroup.ResourceId
+                $resourceCheck.Kind = "ResourceGroup"
+                $resourceCheck.Location = $resourceGroup.Location
+                $resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName
+                $resourceCheck.SubscriptionId = $subscription.Id
+                $resourceCheck.SubscriptionName = $subscription.Name
+                $resourceCheck.Tag_Team = $resourceGroup.Tags.team
+                $resourceCheck.Tag_Product = $resourceGroup.Tags.product
+                $resourceCheck.Tag_Environment = $resourceGroup.Tags.environment
+                $resourceCheck.Tag_Data = $resourceGroup.Tags.data
+                $resourceCheck.Tag_Delete = $resourceGroup.Tags.delete
+                $resourceCheck.Tag_Split = $resourceGroup.Tags.split
+                $resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
+                $resourceCheck.RBAC_Scope = $roleAssignment.Scope
+                $resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
+                $resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
+                $resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
+                
+                $Result += $resourceCheck
+                }
+        } catch {
+        }
+        $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
+    }
    
+    $allResources = Get-AzResource 
+
    foreach ($resource in $allResources) {

        [ResourceCheck[]]$Result = @()

        try {
-            $roleAssignments = Get-AzRoleAssignment -ResourceGroupName $resource.ResourceGroupName -ResourceName $resource.ResourceName -ResourceType $resource.ResourceType # | Where-Object Scope -EQ "/"
+            $roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId

            foreach($roleAssignment in $roleAssignments) {
-            [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+                [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
                $resourceCheck.ResourceId = $resource.ResourceId
                $resourceCheck.Id = $resource.Id
                $resourceCheck.Kind = $resource.Kind