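#Connect-AzAccount

# Audit the Microsoft Defender for Storage setting of every storage account
# reachable through the management-group hierarchy and append one CSV row per
# account to ".\<date> Processed Storage Accounts.csv".
#
# The block that would actually turn Defender off per account is still
# commented out (see NewResourceCheck), so as written this is a read-only
# inventory run. Requires an existing Az session (Connect-AzAccount) with read
# access to the management groups/subscriptions and to Microsoft.Security.

# Tenant the bearer token is requested from. The original hard-coded this in
# both REST helpers; it is now a single default that each function accepts as
# an optional -tenantId parameter.
$DefaultTenantId = "e9792fd7-4044-47e7-a40d-3fba46f1cd09"

# Defender for Storage settings API:
# https://learn.microsoft.com/en-us/rest/api/defenderforcloud/defender-for-storage/create?view=rest-defenderforcloud-2022-12-01-preview&tabs=HTTP
$DefenderApiVersion = "2022-12-01-preview"

# Console separators (kept verbatim from the original output).
$Banner = "======================================================================================================================================================================"
$Rule = "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"

#######################################
# Build the URL and Authorization header for the "current" Defender for
# Storage settings resource of one storage account.
# Arguments: $resourceId - ARM id of the storage account
#            $tenantId   - tenant to request the access token from
# Returns:   hashtable with keys Uri and Headers
#######################################
function GetDefenderSettingsRequest {
    param (
        [string] $resourceId,
        [string] $tenantId = $DefaultTenantId
    )

    # NOTE(review): newer Az.Accounts releases return .Token as a SecureString;
    # if that is the installed version this interpolation must convert it
    # first — confirm against the module in use.
    $access_token = (Get-AzAccessToken -TenantId $tenantId).Token

    # ARM ids start with "/", so trim it to avoid "management.azure.com//…".
    $path = $resourceId.TrimStart('/')

    return @{
        Uri     = "https://management.azure.com/$path/providers/Microsoft.Security/defenderForStorageSettings/current?api-version=$DefenderApiVersion"
        # The original header value was " Bearer …" with a stray leading space;
        # the scheme must be the first token of the value.
        Headers = @{ Authorization = "Bearer $access_token" }
    }
}

#######################################
# Read the resource-level Defender for Storage setting of one account.
# Arguments: $resourceId - ARM id of the storage account
#            $tenantId   - tenant to request the access token from
# Returns:   $true only when the account overrides the subscription-level
#            setting AND has Defender disabled, i.e. it has already been
#            opted out at resource level; $false otherwise.
# Throws:    whatever Invoke-RestMethod throws (e.g. 403/404) — callers that
#            want to continue past a single failing account must catch it.
#######################################
function GetAzureDefender {
    param (
        [string] $resourceId,
        [string] $tenantId = $DefaultTenantId
    )

    $request = GetDefenderSettingsRequest -resourceId $resourceId -tenantId $tenantId
    $response = Invoke-RestMethod -Uri $request.Uri -Method Get -Headers $request.Headers -ContentType "application/json"

    return ($response.properties.overrideSubscriptionLevelSettings -and !$response.properties.isEnabled)
}

#######################################
# Disable Defender for Storage on one account via a resource-level override
# (Defender itself, sensitive-data discovery and on-upload malware scanning).
# Currently not called anywhere — the only call site is commented out in
# NewResourceCheck.
# Arguments: $resourceId - ARM id of the storage account
#            $tenantId   - tenant to request the access token from
# Returns:   nothing; the API response is discarded
#######################################
function TurnOffAzureDefender {
    param (
        [string] $resourceId,
        [string] $tenantId = $DefaultTenantId
    )

    $patchValue = '
{
  "properties": {
    "isEnabled": false,
    "sensitiveDataDiscovery": { "isEnabled": false },
    "malwareScanning": { "onUpload": { "isEnabled": false, "capGBPerMonth": -1 } },
    "overrideSubscriptionLevelSettings": true
  }
}
'

    $request = GetDefenderSettingsRequest -resourceId $resourceId -tenantId $tenantId
    # The API documents this as a PUT ("create"), hence -Method Put with a body.
    Invoke-RestMethod -Uri $request.Uri -Method Put -Headers $request.Headers -Body $patchValue -ContentType "application/json" | Out-Null
}

# One CSV row. All fields are [string] so that a missing tag ($null) is stored
# as "" rather than $null, which keeps the .ToLower() comparison in
# NewResourceCheck safe.
class ResourceCheck {
    [string] $ManagementGroupId = ""
    [string] $ManagementGroupName = ""
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
    [string] $ResourceId = ""
    [string] $ResourceGroupName = ""
    [string] $StorageAccountName = ""
    [string] $Location = ""
    [string] $Tag_Team = ""
    [string] $Tag_Product = ""
    [string] $Tag_Environment = ""
    [string] $Tag_Data = ""
    [string] $Tag_CreatedOnDate = ""
    [string] $Tag_Deployment = ""
    [string] $Tag_BackupPolicy = ""
    # "True"/"False": result of GetAzureDefender before any change was made.
    [string] $PreviousOverrideSubscription = ""
    # "None", or "Turned off" when TurnOffAzureDefender was invoked.
    [string] $Action = "None"
}

#######################################
# Build the ResourceCheck row for one storage account, reading its current
# Defender setting (and, when the commented-out block is re-enabled, changing it).
# Arguments: $managementGroup - object from Get-AzManagementGroup
#            $subscription    - object from Get-AzManagementGroupSubscription
#            $resource        - object from Get-AzStorageAccount
# Returns:   a populated [ResourceCheck]
#######################################
function NewResourceCheck {
    param (
        $managementGroup,
        $subscription,
        $resource
    )

    [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
    $resourceCheck.ManagementGroupId = $managementGroup.Id
    $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
    # Note: this is the management-group-scoped subscription id, not the bare GUID.
    $resourceCheck.SubscriptionId = $subscription.Id
    $resourceCheck.SubscriptionName = $subscription.DisplayName
    $resourceCheck.ResourceId = $resource.Id
    $resourceCheck.Location = $resource.Location
    $resourceCheck.StorageAccountName = $resource.StorageAccountName
    $resourceCheck.ResourceGroupName = $resource.ResourceGroupName
    # $resource.Tags may be $null; member access on $null yields $null, which the
    # [string] fields store as "".
    $resourceCheck.Tag_Team = $resource.Tags.team
    $resourceCheck.Tag_Product = $resource.Tags.product
    $resourceCheck.Tag_Environment = $resource.Tags.environment
    $resourceCheck.Tag_Data = $resource.Tags.data
    $resourceCheck.Tag_CreatedOnDate = $resource.Tags.CreatedOnDate
    $resourceCheck.Tag_Deployment = $resource.Tags.drp_deployment
    $resourceCheck.Tag_BackupPolicy = $resource.Tags.drp_backup_policy
    $resourceCheck.PreviousOverrideSubscription = GetAzureDefender -resourceId $resource.Id

    # set overrideSubscriptionLevelSettings — intentionally disabled.
    # NOTE(review): when re-enabled, the opt-out is driven solely by the
    # drp_backup_policy tag, which anyone with tag-write rights on the account
    # can set. Treat writes to that tag as a security-posture change (alert on
    # them) and keep the CSV as the audit trail of what was switched off.
    # if ($resourceCheck.Tag_BackupPolicy.ToLower() -eq "ignore" -and $resourceCheck.PreviousOverrideSubscription -eq "False") {
    #     $resourceCheck.Action = "Turned off"
    #     TurnOffAzureDefender -resourceId $resource.Id
    # }

    return $resourceCheck
}

[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date Processed Storage Accounts.csv"

Write-Host $Banner
Write-Host "Updating Azure defender settings."
Write-Host $Banner

$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups) {
    Write-Host $Rule
    Write-Host "Management group [$($managementGroup.Name)]"

    # Skip non-active subscriptions and personal Visual Studio subscriptions.
    $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name |
        Where-Object State -eq "Active" |
        Where-Object DisplayName -NotLike "Visual Studio*"

    foreach ($subscription in $subscriptions) {
        Write-Host $Rule
        # As in the original: assumes Id is "<Parent>/subscriptions/<guid>" and
        # strips both prefixes to obtain the GUID Set-AzContext needs.
        $scope = $subscription.Id.Substring($subscription.Parent.Length)
        $subscriptionId = $scope.Replace("/subscriptions/", "")
        Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
        # Get-AzStorageAccount enumerates the current context's subscription.
        Set-AzContext -SubscriptionId $subscriptionId | Out-Null
        Write-Host $Rule

        # A List avoids re-allocating the whole array on every "+=".
        $Result = [System.Collections.Generic.List[ResourceCheck]]::new()
        $allResources = Get-AzStorageAccount
        foreach ($resource in $allResources) {
            $Result.Add((NewResourceCheck -managementGroup $managementGroup -subscription $subscription -resource $resource))
        }

        # Appended per subscription, so rows from earlier subscriptions survive
        # a failure further down the run.
        $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
    }
}

Write-Host $Banner
Write-Host "Done."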