param(
    # UPN of the account to sign in with. When omitted, the connect helpers
    # fall back to an already-open session and then to an interactive prompt.
    $userupn
)
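Function ConnectAzuread {
    <#
    .SYNOPSIS
    Signs in to Azure AD once and returns the TenantId of the resulting session.
    .DESCRIPTION
    The account used for sign-in is chosen in this order: the script's -userupn
    parameter, then the account of an already-open Azure AD session (so a second
    run does not re-prompt), then an interactive prompt. The chosen account is
    kept in $script:aadconn so ConnectAzure can reuse it; the original stored it
    in a function-local variable that was gone by the time ConnectAzure looked.
    .OUTPUTS
    [string] TenantId of the connected Azure AD session (the only pipeline output).
    #>
    # Probe the existing session once; -ErrorAction keeps the "no session yet"
    # case from emitting an error while we are only checking.
    $session = Get-AzureADCurrentSessionInfo -ErrorAction SilentlyContinue
    if ($userupn) {
        $script:aadconn = $userupn
    }
    elseif ($session.Account) {
        $script:aadconn = $session.Account
    }
    else {
        Write-Host "Please, give your Azure Account that you want to use."
        $script:aadconn = Read-Host
    }
    # Connect-AzureAD writes its context object to the pipeline; discard it so a
    # caller doing `$TenantId = ConnectAzuread` gets just the TenantId.
    $null = Connect-AzureAD -AccountId $script:aadconn
    return (Get-AzureADCurrentSessionInfo).TenantId
}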
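Function ConnectAzure {
    <#
    .SYNOPSIS
    Signs in to Azure (Az module), reusing the account already chosen for Azure AD.
    .DESCRIPTION
    Account selection order: the script's -userupn parameter, the account
    ConnectAzuread signed in with ($aadconn), the account of an existing Az
    context, and finally an interactive prompt. The original ran the $aadconn
    check as a separate 'if' ahead of the if/elseif/else chain, so the chain's
    'else' overwrote it and prompted anyway; it is now one chain. Nothing in the
    visible script body appears to call this function.
    .OUTPUTS
    Whatever Connect-AzAccount emits (the Az context), unchanged.
    #>
    # Probe the existing context once; -ErrorAction keeps "no context yet" quiet.
    $context = Get-AzContext -ErrorAction SilentlyContinue
    if ($userupn) {
        $azconn = $userupn
    }
    elseif ($aadconn) {
        $azconn = $aadconn
    }
    elseif ($context.Account) {
        $azconn = $context.Account
    }
    else {
        Write-Host "Please, give your Azure Account that you want to use."
        $azconn = Read-Host
    }
    Connect-AzAccount -AccountId $azconn
}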
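# Optional tenant override. Leave empty to use the tenant of the signed-in
# Azure AD session: for the aadRoles provider the ResourceId is the tenant id,
# and the AzureAD cmdlets only answer for the tenant the session belongs to, so
# an unfilled placeholder here used to make every call below fail.
$TenantId = ""
$null = ConnectAzuread
if (-not $TenantId) {
    $TenantId = (Get-AzureADCurrentSessionInfo).TenantId
}
if (-not $TenantId) {
    throw "No Azure AD session available; cannot determine the tenant to read PIM roles from."
}

# Returns the entries of $Settings whose text matches $RuleName (a regex),
# stripped of the 'class AzureADMSPrivilegedRuleSetting { RuleIdentifier: '
# wrapper and of bare LF characters so each rule fits in one CSV cell.
function Get-PimRuleText {
    param($Settings, [string]$RuleName)
    $Settings | ForEach-Object {
        if ($PSItem -match $RuleName) {
            $PSItem -replace '(?<!\x0d)\x0a', '' -replace '}}', '}' -replace 'class AzureADMSPrivilegedRuleSetting { RuleIdentifier: ', ''
        }
    }
}

# Constant columns shared by every record
$ResNameParent = ""
$ResName = ""
$Restype = "AzureAD"

# Export-Csv does not create missing folders; -Force makes this a no-op when they exist.
foreach ($outDir in '.\done', '.\latest') {
    $null = New-Item -ItemType Directory -Path $outDir -Force
}

# All PIM role assignments (eligible and active) for the tenant
$RoleAssigns = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $TenantId

# Role definitions and settings are per role, not per assignment: cache them so
# a role held by many principals is fetched from the service once.
$roleDefCache = @{}
$roleSettingCache = @{}

# NOTE(review): $ResResource is never assigned anywhere in this script, so every
# *_PrivResource column is written empty. The columns are kept so the CSV schema
# does not change; presumably they were carried over from an Azure-resources
# variant of this script — confirm before relying on them.

# Collect the records straight from the loop's output instead of growing an
# array with +=, which copies the whole array on every append.
$PIMAzureADRoleResults = @(foreach ($RoleAssign in $RoleAssigns) {
    # String key: an empty id would still be a usable hashtable key, $null is not.
    $roleId = [string]$RoleAssign.RoleDefinitionId
    if (-not $roleSettingCache.ContainsKey($roleId)) {
        $roleSettingCache[$roleId] = Get-AzureADMSPrivilegedRoleSetting -ProviderId "aadRoles" -Filter "(ResourceId eq '$TenantId') and (RoledefinitionID eq '$roleId')"
    }
    $RoleSettings = $roleSettingCache[$roleId]
    if (-not $roleDefCache.ContainsKey($roleId)) {
        $roleDefCache[$roleId] = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $TenantId -Id $roleId
    }
    $Roleinfo = $roleDefCache[$roleId]
    Write-Host "Running $($Roleinfo.DisplayName)"

    # The assigned principal (user, group or service principal)
    $ADObjInfo = Get-AzureADObjectByObjectId -ObjectIds $RoleAssign.SubjectId

    # One record per assignment; emitting it is what fills $PIMAzureADRoleResults
    [PSCustomObject]@{
        Resourcetype = $Restype
        ResourceName = $ResName
        DisplayName_RoleDef = $Roleinfo.DisplayName
        AssignmentState_RoleAssign = $RoleAssign.AssignmentState
        MemberType_RoleAssign = $RoleAssign.MemberType
        ResourceParent = $ResNameParent
        ObjectType_AdObjInfo = $ADObjInfo.ObjectType
        DisplayName_AdObjInfo = $ADObjInfo.DisplayName
        UserPrincipalName_AdObjInfo = $ADObjInfo.UserPrincipalName
        StartDateTime_RoleAssign = $RoleAssign.StartDateTime
        EndDateTime_RoleAssign = $RoleAssign.EndDateTime
        Description_AdObjInfo = $ADObjInfo.Description
        UserType_AdObjInfo = $ADObjInfo.UserType
        ServicePrincipalType_AdObjInfo = $ADObjInfo.ServicePrincipalType
        # Joined on '£' and flattened so a multi-valued field stays in one cell
        AlternativeNames_AdObjInfo = $ADObjInfo.AlternativeNames -join '£' -replace '(?<!\x0d)\x0a',''
        AppDisplayName_AdObjInfo = $ADObjInfo.AppDisplayName
        IsDefault_RoleSettings = $RoleSettings.IsDefault
        Id_PrivResource = $ResResource.Id
        ExternalId_PrivResource = $ResResource.ExternalId
        Type_PrivResource = $ResResource.Type
        DisplayName_PrivResource = $ResResource.DisplayName
        Status_PrivResource = $ResResource.Status
        RegisteredDateTime_PrivResource = $ResResource.RegisteredDateTime
        RegisteredRoot_PrivResource = $ResResource.RegisteredRoot
        RoleAssignmentCount_PrivResource = $ResResource.RoleAssignmentCount
        RoleDefinitionCount_PrivResource = $ResResource.RoleDefinitionCount
        Permissions_PrivResource = $ResResource.Permissions
        Id_RoleAssign = $RoleAssign.Id
        ResourceId_RoleAssign = $RoleAssign.ResourceId
        RoleDefinitionId_RoleAssign = $RoleAssign.RoleDefinitionId
        SubjectId_RoleAssign = $RoleAssign.SubjectId
        LinkedEligibleRoleAssignmentId_RoleAssign = $RoleAssign.LinkedEligibleRoleAssignmentId
        ExternalId_RoleAssign = $RoleAssign.ExternalId
        Id_RoleDef = $Roleinfo.Id
        ResourceId_RoleDef = $Roleinfo.ResourceId
        ExternalId_RoleDef = $Roleinfo.ExternalId
        SubjectCount_RoleDef = $Roleinfo.SubjectCount
        # Property name was doubled ("...CountEligibleAssignmentCount"), so this column was always empty
        EligibleAssignmentCount_RoleDef = $Roleinfo.EligibleAssignmentCount
        ActiveAssignmentCount_RoleDef = $Roleinfo.ActiveAssignmentCount
        ObjectId_AdObjInfo = $ADObjInfo.ObjectId
        DeletionTimestamp_AdObjInfo = $ADObjInfo.DeletionTimestamp
        AppId_AdObjInfo = $ADObjInfo.AppId
        SecurityEnabled_AdObjInfo = $ADObjInfo.SecurityEnabled
        Id_RoleSettings = $RoleSettings.Id
        ResourceId_RoleSettings = $RoleSettings.ResourceId
        RoleDefinitionId_RoleSettings = $RoleSettings.RoleDefinitionId
        LastUpdatedDateTime_RoleSettings = $RoleSettings.LastUpdatedDateTime
        LastUpdatedBy_RoleSettings = $RoleSettings.LastUpdatedBy
        # Ade = admin eligible, Adm = admin member, Use = user eligible, Usm = user member
        AdeExpirationRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminEligibleSettings 'ExpirationRule'
        AdeMfaRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminEligibleSettings 'MfaRule'
        AdeAttributeConditionRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminEligibleSettings 'AttributeConditionRule'
        AdmExpirationRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminMemberSettings 'ExpirationRule'
        AdmMfaRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminMemberSettings 'MfaRule'
        AdmJustificationRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminMemberSettings 'JustificationRule'
        AdmAttributeConditionRule_RoleSettings = Get-PimRuleText $RoleSettings.AdminMemberSettings 'AttributeConditionRule'
        UseAttributeConditionRule_RoleSettings = Get-PimRuleText $RoleSettings.UserEligibleSettings 'AttributeConditionRule'
        UsmExpirationRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings 'ExpirationRule'
        UsmMfaRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings 'MfaRule'
        UsmJustificationRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings 'JustificationRule'
        UsmTicketingRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings 'TicketingRule'
        UsmApprovalRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings 'ApprovalRule'
        # Leading space kept from the original pattern so 'AcrsRule' is matched as its own word
        UsmAcrsRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings ' AcrsRule'
        UsmAttributeConditionRule_RoleSettings = Get-PimRuleText $RoleSettings.UserMemberSettings 'AttributeConditionRule'
    }
})

# Two copies: a timestamped history file and a fixed-name "latest" file.
# The output is an inventory of every privileged-role holder (UPNs, object ids).
$stamp = Get-Date -Format yyyy-MM-dd-HHmm
$PIMAzureADRoleResults | Export-Csv -Encoding 'UTF8' -NoTypeInformation -Force -Path ".\done\$Restype-PIMRoles-$stamp.csv"
$PIMAzureADRoleResults | Export-Csv -Encoding 'UTF8' -NoTypeInformation -Force -Path ".\latest\$Restype-PIMRoles.csv"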