jurjen.ladenius/Cloud-20Engineering
1
0
Fork 0
mirror of https://dev.azure.com/effectory/Survey%20Software/_git/Cloud%20Engineering synced 2026-02-27 18:52:18 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1f5d3bc0ed92b1c4fc8419495fecb3035e5f8a4e
Cloud-20Engineering/Powershell/Tools/AzurePIM - role settings.ps1
Jurjen Ladenius 8ff1fe91c3 Subscription pim settings #99024
2024-04-18 09:02:42 +02:00

96 lines
4.0 KiB
PowerShell
Raw Blame History

function GetAllPolicies {
param (
[string] $scope
)
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/list-for-scope?view=rest-authorization-2020-10-01&tabs=HTTP
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01"
$head = @{ Authorization =" Bearer $access_token" }
$response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
$response | ForEach-Object {
$responseValue = $_.value
if ($responseValue.Length -gt 0) {
return $responseValue
}
else {
return ""
}
}
}
function UpdatePolicy {
param (
[string] $scope,
[string] $roleManagementPolicyName,
[string] $patchValue
)
#https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/update?view=rest-authorization-2020-10-01&tabs=HTTP
$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
$url = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleManagementPolicies/$($roleManagementPolicyName)?api-version=2020-10-01"
$head = @{ Authorization =" Bearer $access_token" }
Invoke-RestMethod -Uri $url -Method Patch -Headers $head -Body $patchValue -ContentType "application/json" | Out-Null
}
Write-Host "=========================================================================================="
Write-Host "Setting standard PIM role settings on modified roles."
Write-Host "=========================================================================================="
[string] $patchValue = Get-Content .\AzurePIMpatch.json -Raw
$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups)
{
Write-Host "--------------------------------------------------------------------"
Write-Host "Management group [$($managementGroup.Name)]"
$scope = "providers/Microsoft.Management/managementGroups/$($managementGroup.Name)"
$assignments = GetAllPolicies -scope $scope | Where-Object {
$prop = $_.properties
if ($prop.LastModifiedDateTime) { return $_ }
}
foreach ($assignment in $assignments)
{
$assignmentName = $assignment.name
Write-Host "Updating assignment [$($assignment.id)]"
UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
}
$subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
foreach ($subscription in $subscriptions)
{
Write-Host " --------------------------------------------------------------------"
$scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
$subscriptionId = $scope.Replace("/subscriptions/", "")
Write-Host " Subscription [$($subscription.DisplayName) - $subscriptionId]"
Write-Host " --------------------------------------------------------------------"
$assignments = GetAllPolicies -scope $scope | Where-Object {
$prop = $_.properties
if ($prop.LastModifiedDateTime) { return $_ }
}
foreach ($assignment in $assignments)
{
$assignmentName = $assignment.name
Write-Host " Updating assignment [$($assignment.id)]"
UpdatePolicy -scope $scope -roleManagementPolicyName $assignmentName -patchValue $patchValue
}
}
}
Write-Host "=========================================================================================="
Write-Host "Done."
Reference in New Issue View Git Blame Copy Permalink