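#Connect-AzAccount

# One row of the PIM eligible-assignment overview. Every field is a [string] so the
# object exports to CSV without type coercion; fields that do not apply to a given
# scope level (e.g. ResourceId for a management-group assignment) are left "".
class ResourceCheck {
    [string] $Level = ""
    [string] $ManagementGroupId = ""
    [string] $ManagementGroupName = ""
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
    [string] $ResourceId = ""
    [string] $ResourceGroup = ""
    [string] $ResourceName = ""
    [string] $ResourceType = ""
    [string] $RoleEligibilityScheduleId = ""
    [string] $Scope = ""
    [string] $RoleDefinitionId = ""
    [string] $RoleDefinitionName = ""
    [string] $RoleDefinitionType = ""
    [string] $PrincipalId = ""
    [string] $PrincipalName = ""
    [string] $PrincipalType = ""
    [string] $Status = ""
    [string] $StartDateTime = ""
    [string] $EndDateTime = ""
    [string] $CreatedOn = ""
}

function GetEligibleAssignments {
    <#
    .SYNOPSIS
    Lists the PIM role eligibility schedule instances that were created at one ARM scope.

    .PARAMETER scope
    ARM scope to query, e.g. "providers/Microsoft.Management/managementGroups/<mg>",
    "/subscriptions/<guid>" or a resource-group / resource ResourceId. A leading "/" is
    tolerated; it is stripped so the request URL contains exactly one separator.

    .PARAMETER tenantId
    Tenant the ARM access token is acquired for. Defaults to the tenant this script was
    authored against; pass it explicitly (e.g. (Get-AzContext).Tenant.Id) to run elsewhere.

    .OUTPUTS
    The 'properties' object of every instance whose memberType is not "Inherited", i.e.
    eligibilities created at this scope (directly or through a group) rather than at a
    parent scope. Always an array — empty when the scope has none or the request fails —
    so a caller's foreach never iterates over an empty-string sentinel.
    #>
    param (
        [string] $scope,
        [string] $tenantId = "e9792fd7-4044-47e7-a40d-3fba46f1cd09"
    )

    $token = (Get-AzAccessToken -TenantId $tenantId).Token
    # Newer Az.Accounts releases hand the token back as a SecureString; older ones as plain
    # text. Normalise to the plain string the Authorization header needs.
    if ($token -is [System.Security.SecureString]) {
        $token = [System.Net.NetworkCredential]::new("", $token).Password
    }
    # No leading space before the scheme: the header value is "Bearer <token>".
    $headers = @{ Authorization = "Bearer $token" }

    $url = "https://management.azure.com/$($scope.TrimStart('/'))/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&`$filter=atScope()"

    $found = [System.Collections.Generic.List[object]]::new()
    # ARM list responses are paged; follow nextLink so instances beyond the first page
    # are not silently dropped from the overview.
    while ($url) {
        try {
            $page = Invoke-RestMethod -Uri $url -Method GET -Headers $headers -ErrorAction Stop
        }
        catch {
            # Best effort per scope: report and move on so one denied or unsupported scope
            # does not abort the whole inventory. The message never contains the token.
            Write-Warning "Could not list eligible assignments at scope [$scope]: $($_.Exception.Message)"
            break
        }
        foreach ($instance in @($page.value)) {
            # memberType "Inherited" = created at a parent scope. The caller walks every
            # scope level itself, so keeping only Direct/Group avoids duplicate rows.
            if ($instance.properties.memberType -ne "Inherited") {
                $found.Add($instance.properties)
            }
        }
        $url = $page.nextLink
    }

    # Unary comma keeps an empty result an array instead of unrolling to $null / "".
    return ,$found.ToArray()
}

Write-Host "======================================================================================================================================================================"
Write-Host "Creating PIM assignments overview."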
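Write-Host "======================================================================================================================================================================"

#######################################
# Builds one ResourceCheck row from a PIM eligibility schedule instance.
# Arguments:
#   Level            - "Management Group" | "Subscription" | "Resource Group" | "Resource"
#   ManagementGroup  - object from Get-AzManagementGroup (Id and DisplayName are read)
#   SubscriptionId   - subscription GUID; "" above subscription level
#   SubscriptionName - subscription display name; "" above subscription level
#   ResourceGroup    - resource group name; "" above resource-group level
#   Resource         - object from Get-AzResource (ResourceId, Name, ResourceType) or $null
#   Assignment       - one 'properties' object returned by GetEligibleAssignments
# Returns: a populated [ResourceCheck], or nothing when Assignment is the empty-string
#          sentinel GetEligibleAssignments yields for a scope without assignments.
#######################################
function New-ResourceCheckRow {
    param (
        [string] $Level,
        $ManagementGroup,
        [string] $SubscriptionId = "",
        [string] $SubscriptionName = "",
        [string] $ResourceGroup = "",
        $Resource = $null,
        $Assignment
    )

    # A scope with nothing eligible yields "" rather than no items; emitting a row for it
    # would write a blank line to the CSV.
    if ($null -eq $Assignment -or $Assignment -is [string]) {
        return
    }

    $row = [ResourceCheck]::new()
    $row.Level = $Level
    $row.ManagementGroupId = $ManagementGroup.Id
    $row.ManagementGroupName = $ManagementGroup.DisplayName
    $row.SubscriptionId = $SubscriptionId
    $row.SubscriptionName = $SubscriptionName
    $row.ResourceGroup = $ResourceGroup
    if ($null -ne $Resource) {
        $row.ResourceId = $Resource.ResourceId
        $row.ResourceName = $Resource.Name
        $row.ResourceType = $Resource.ResourceType
    }
    $row.RoleEligibilityScheduleId = $Assignment.roleEligibilityScheduleId
    $row.Scope = $Assignment.scope
    $row.RoleDefinitionId = $Assignment.roleDefinitionId
    $row.RoleDefinitionName = $Assignment.expandedProperties.roleDefinition.displayName
    $row.RoleDefinitionType = $Assignment.expandedProperties.roleDefinition.type
    $row.PrincipalId = $Assignment.principalId
    $row.PrincipalName = $Assignment.expandedProperties.principal.displayName
    $row.PrincipalType = $Assignment.principalType
    $row.Status = $Assignment.status
    $row.StartDateTime = $Assignment.startDateTime
    $row.EndDateTime = $Assignment.endDateTime
    $row.CreatedOn = $Assignment.createdOn
    return $row
}

[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
# Every scope level appends to the same file; Export-Csv -Append writes the header on
# the first write, so the file only exists once at least one row has been found.
$fileName = ".\$date azure_pim_assignments.csv"

# Get-AzManagementGroup returns all groups as a flat list, so nested groups are visited
# too. GetEligibleAssignments drops inherited entries, hence each eligibility is reported
# once, at the scope where it was created.
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups) {
    Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
    Write-Host "Management group [$($managementGroup.Name)]"
    $assignments = GetEligibleAssignments -scope "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
    # Collect via the foreach expression instead of += on a typed array (quadratic copies).
    $rows = foreach ($assignment in $assignments) {
        New-ResourceCheckRow -Level "Management Group" -ManagementGroup $managementGroup -Assignment $assignment
    }
    if ($rows) {
        $rows | Export-Csv -Path $fileName -Append -NoTypeInformation
    }

    # Only the direct child subscriptions of this group; subscriptions under nested groups
    # are handled when the outer loop reaches that group.
    $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
    foreach ($subscription in $subscriptions) {
        Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
        # Id is "<parent management group id>/subscriptions/<guid>"; dropping the parent
        # prefix leaves the ARM scope "/subscriptions/<guid>".
        $scope = $subscription.Id.Substring($subscription.Parent.Length)
        $subscriptionId = $scope.Replace("/subscriptions/", "")
        Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
        # Get-AzResourceGroup / Get-AzResource below read from the current context.
        Set-AzContext -SubscriptionId $subscriptionId | Out-Null
        Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
        $assignments = GetEligibleAssignments -scope $scope
        $rows = foreach ($assignment in $assignments) {
            New-ResourceCheckRow -Level "Subscription" -ManagementGroup $managementGroup `
                -SubscriptionId $subscriptionId -SubscriptionName $subscription.DisplayName `
                -Assignment $assignment
        }
        if ($rows) {
            $rows | Export-Csv -Path $fileName -Append -NoTypeInformation
        }

        $allResourceGroups = Get-AzResourceGroup
        foreach ($group in $allResourceGroups) {
            Write-Host $group.ResourceGroupName
            $assignments = GetEligibleAssignments -scope $group.ResourceId
            $rows = foreach ($assignment in $assignments) {
                New-ResourceCheckRow -Level "Resource Group" -ManagementGroup $managementGroup `
                    -SubscriptionId $subscriptionId -SubscriptionName $subscription.DisplayName `
                    -ResourceGroup $group.ResourceGroupName -Assignment $assignment
            }
            if ($rows) {
                $rows | Export-Csv -Path $fileName -Append -NoTypeInformation
            }

            # One REST call per resource: this is the slow part on large subscriptions.
            $allResources = Get-AzResource -ResourceGroupName $group.ResourceGroupName
            foreach ($resource in $allResources) {
                $assignments = GetEligibleAssignments -scope $resource.ResourceId
                $rows = foreach ($assignment in $assignments) {
                    New-ResourceCheckRow -Level "Resource" -ManagementGroup $managementGroup `
                        -SubscriptionId $subscriptionId -SubscriptionName $subscription.DisplayName `
                        -ResourceGroup $group.ResourceGroupName -Resource $resource `
                        -Assignment $assignment
                }
                if ($rows) {
                    $rows | Export-Csv -Path $fileName -Append -NoTypeInformation
                }
            }
        }
    }
}
Write-Host "======================================================================================================================================================================"
Write-Host "Done."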