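#Connect-AzAccount
Import-Module Az.Accounts
Import-Module Az.Resources

<#
.SYNOPSIS
    Writes a CSV inventory of Azure RBAC role assignments at every scope the
    signed-in account can read: management groups, active subscriptions,
    resource groups and individual resources.
.DESCRIPTION
    Requires an existing Az session (Connect-AzAccount). For each management
    group returned by Get-AzManagementGroup the script records the assignments
    at the group, then switches context to each active subscription beneath it
    and records the assignments at the subscription, at every resource group
    and at every resource. One CSV row is written per role assignment; the row
    also carries the scope identifiers and the team/product/environment/data/
    delete/split tags of the scope.
    Output file: .\<yyyy-MM-dd HHmm> azure_rbac_assignments.csv (appended to
    after every scope, so a partial run still leaves usable data).
    Scopes that cannot be read are reported with Write-Warning and skipped;
    they are NOT silently omitted, because a missing scope is a gap in the
    privilege audit.
#>

# One CSV row. The property order defines the CSV column order, so it must
# stay fixed; every column is a string so untagged scopes export as "".
class ResourceCheck {
    # ARM identifiers of the scope the assignment was read at.
    [string] $ResourceId = ""
    [string] $Id = ""
    [string] $Kind = ""
    [string] $Location = ""
    [string] $ResourceName = ""
    [string] $ResourceGroupName = ""
    [string] $ResourceType = ""
    [string] $ManagementGroupId = ""
    [string] $ManagementGroupName = ""
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
    # Ownership tags copied from the scope (may be empty).
    [string] $Tag_Team = ""
    [string] $Tag_Product = ""
    [string] $Tag_Environment = ""
    [string] $Tag_Data = ""
    [string] $Tag_Delete = ""
    [string] $Tag_Split = ""
    # The role assignment itself.
    [string] $RBAC_RoleAssignmentId = ""
    [string] $RBAC_Scope = ""
    [string] $RBAC_DisplayName = ""
    [string] $RBAC_SignInName = ""
    [string] $RBAC_RoleDefinitionName = ""
}

#######################################
# Copies the six ownership tag columns from a scope's Tags onto a row.
# Arguments:
#   -Row   the ResourceCheck to fill
#   -Tags  the scope's Tags (hashtable) or $null for an untagged scope; a
#          missing key yields $null, which the [string] column stores as "".
#######################################
function Set-TagColumns {
    param(
        [Parameter(Mandatory)] [ResourceCheck] $Row,
        $Tags
    )
    $Row.Tag_Team        = $Tags.team
    $Row.Tag_Product     = $Tags.product
    $Row.Tag_Environment = $Tags.environment
    $Row.Tag_Data        = $Tags.data
    $Row.Tag_Delete      = $Tags.delete
    $Row.Tag_Split       = $Tags.split
}

#######################################
# Reads the role assignments at one scope and returns one ResourceCheck per
# assignment.
# Arguments:
#   -Scope        ARM scope id to query
#   -ScopeFilter  how an assignment's Scope is matched against -Scope:
#                 'eq' (exact) or 'like' (trailing wildcard; kept for resource
#                 groups to preserve the original behaviour — note that a
#                 trailing wildcard also admits any scope string that merely
#                 starts with this id, e.g. a sibling group whose name extends
#                 this one)
#   -Template     ResourceCheck with the scope/tag columns already filled;
#                 its values are copied into every returned row
# Outputs: ResourceCheck[] (empty when nothing matched or the scope could not
#          be read).
# A read failure is reported with Write-Warning instead of being swallowed,
# so the run continues but the hole in the inventory is visible to the
# operator.
#######################################
function Get-RoleAssignmentRows {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [ValidateSet('eq', 'like')] [string] $ScopeFilter = 'eq',
        [Parameter(Mandatory)] [ResourceCheck] $Template
    )
    $rows = [System.Collections.Generic.List[ResourceCheck]]::new()
    try {
        # -ErrorAction Stop turns a non-terminating cmdlet error (e.g. no read
        # access on this scope) into an exception so it reaches the catch.
        $assignments = Get-AzRoleAssignment -Scope $Scope -ErrorAction Stop
        if ($ScopeFilter -eq 'like') {
            $assignments = $assignments | Where-Object Scope -Like "$Scope*"
        } else {
            $assignments = $assignments | Where-Object Scope -eq $Scope
        }
        foreach ($assignment in $assignments) {
            $row = [ResourceCheck]::new()
            # Copy every template column; the RBAC_* ones are overwritten below.
            foreach ($prop in $Template.PSObject.Properties) {
                $row.($prop.Name) = $prop.Value
            }
            $row.RBAC_RoleAssignmentId   = $assignment.RoleAssignmentId
            $row.RBAC_Scope              = $assignment.Scope
            $row.RBAC_DisplayName        = $assignment.DisplayName
            $row.RBAC_SignInName         = $assignment.SignInName
            $row.RBAC_RoleDefinitionName = $assignment.RoleDefinitionName
            $rows.Add($row)
        }
    } catch {
        Write-Warning "Could not read role assignments at scope [$Scope]: $($_.Exception.Message)"
    }
    return $rows.ToArray()
}

#######################################
# Appends rows to the CSV. Skips the call entirely when there are no rows so
# an empty pipeline never touches the file.
# Arguments:
#   -Rows  ResourceCheck[] to write (may be empty or $null)
#   -Path  CSV path
#######################################
function Export-Rows {
    param(
        [ResourceCheck[]] $Rows,
        [Parameter(Mandatory)] [string] $Path
    )
    if ($null -ne $Rows -and $Rows.Count -gt 0) {
        $Rows | Export-Csv -Path $Path -Append -NoTypeInformation
    }
}

$thickRule = '=' * 168
$thinRule  = '-' * 166

Write-Host $thickRule
Write-Host "Creating resource RBAC assignment overview."
Write-Host $thickRule

[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = Join-Path -Path '.' -ChildPath "$date azure_rbac_assignments.csv"

foreach ($managementGroup in Get-AzManagementGroup) {
    Write-Host $thinRule
    Write-Host "Management group [$($managementGroup.Name)]"

    $mgTemplate = [ResourceCheck]::new()
    $mgTemplate.Kind                = "ManagementGroup"
    $mgTemplate.ManagementGroupId   = $managementGroup.Id
    $mgTemplate.ManagementGroupName = $managementGroup.DisplayName
    Export-Rows -Path $fileName -Rows (Get-RoleAssignmentRows -Scope $managementGroup.Id -Template $mgTemplate)

    $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name |
        Where-Object State -eq "Active"

    foreach ($subscription in $subscriptions) {
        Write-Host $thinRule
        # $subscription.Id is "<parent management group id>/subscriptions/<guid>":
        # strip the parent to get the subscription scope, then the
        # "/subscriptions/" prefix to get the bare id for Set-AzContext.
        $scope          = $subscription.Id.Substring($subscription.Parent.Length)
        $subscriptionId = $scope.Replace("/subscriptions/", "")
        Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"

        try {
            Set-AzContext -SubscriptionId $subscriptionId -ErrorAction Stop | Out-Null
        } catch {
            # Without this guard the resource-group and resource queries below
            # would run against the previous context and attribute their rows
            # to the wrong subscription.
            Write-Warning "Skipping subscription [$subscriptionId]: $($_.Exception.Message)"
            continue
        }
        Write-Host $thinRule

        $subTemplate = [ResourceCheck]::new()
        $subTemplate.Kind                = "Subscription"
        $subTemplate.ManagementGroupId   = $managementGroup.Id
        $subTemplate.ManagementGroupName = $managementGroup.DisplayName
        # Kept as the management-group-qualified id (not the bare GUID) for
        # column compatibility with earlier exports.
        $subTemplate.SubscriptionId      = $subscription.Id
        $subTemplate.SubscriptionName    = $subscription.Name
        Set-TagColumns -Row $subTemplate -Tags $subscription.Tags
        Export-Rows -Path $fileName -Rows (Get-RoleAssignmentRows -Scope $scope -Template $subTemplate)

        foreach ($resourceGroup in Get-AzResourceGroup) {
            $rgTemplate = [ResourceCheck]::new()
            $rgTemplate.ResourceId          = $resourceGroup.ResourceId
            $rgTemplate.Kind                = "ResourceGroup"
            $rgTemplate.Location            = $resourceGroup.Location
            $rgTemplate.ResourceGroupName   = $resourceGroup.ResourceGroupName
            $rgTemplate.ManagementGroupId   = $managementGroup.Id
            $rgTemplate.ManagementGroupName = $managementGroup.DisplayName
            $rgTemplate.SubscriptionId      = $subscription.Id
            $rgTemplate.SubscriptionName    = $subscription.Name
            Set-TagColumns -Row $rgTemplate -Tags $resourceGroup.Tags
            Export-Rows -Path $fileName -Rows (Get-RoleAssignmentRows -Scope $resourceGroup.ResourceId -ScopeFilter 'like' -Template $rgTemplate)
        }

        # One Get-AzRoleAssignment call per resource: slow on large
        # subscriptions, but it is what makes resource-level assignments visible.
        foreach ($resource in Get-AzResource) {
            $resTemplate = [ResourceCheck]::new()
            $resTemplate.ResourceId          = $resource.ResourceId
            $resTemplate.Id                  = $resource.Id
            $resTemplate.Kind                = "Resource"
            $resTemplate.Location            = $resource.Location
            $resTemplate.ResourceName        = $resource.ResourceName
            $resTemplate.ResourceGroupName   = $resource.ResourceGroupName
            $resTemplate.ResourceType        = $resource.ResourceType
            $resTemplate.ManagementGroupId   = $managementGroup.Id
            $resTemplate.ManagementGroupName = $managementGroup.DisplayName
            $resTemplate.SubscriptionId      = $subscription.Id
            $resTemplate.SubscriptionName    = $subscription.Name
            Set-TagColumns -Row $resTemplate -Tags $resource.Tags
            Export-Rows -Path $fileName -Rows (Get-RoleAssignmentRows -Scope $resource.ResourceId -Template $resTemplate)
        }
    }
}

Write-Host $thickRule
Write-Host "Done."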