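#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups, Az.Accounts, Az.Storage
<#
.SYNOPSIS
Get all PIM eligible role assignments for all users and groups in the tenant.
.DESCRIPTION
Get all PIM eligible role assignments for all users and groups in the tenant and export them to a CSV file.
Group principals are expanded to their direct members, so every row is one principal that can activate the
role; rows produced by group expansion carry the group's object id in AssignmentInheritedFrom, direct
assignments carry $null there.
Intended to run as an Azure Automation runbook under a managed identity: the CSV is written to the working
directory and then uploaded as a blob (overwriting the previous run) to the given storage account container.
.PARAMETER OutputFileName
Name of the CSV written locally; also used as the blob name.
.PARAMETER Container
Blob container that receives the CSV.
.PARAMETER StorageAccountName
Storage account holding the container. The managed identity needs data-plane write access to it.
.PARAMETER SubscriptionId
Subscription to select when connecting with the managed identity.
.OUTPUTS
The blob object returned by Set-AzStorageBlobContent.
#>
param(
    [string]$OutputFileName = 'eligibleRoleAssignments.csv',
    [string]$Container = 'watchlists',
    [string]$StorageAccountName = 'stsecopsn01',
    [string]$SubscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
)

# Fail the job on the first error instead of silently uploading a partial inventory
# (e.g. a group whose members could not be read would otherwise just be missing rows).
$ErrorActionPreference = 'Stop'

Connect-MgGraph -Identity -NoWelcome
$null = Connect-AzAccount -Identity -SubscriptionId $SubscriptionId

# -All follows Graph paging; without it only the first page of schedules is returned,
# which truncates the inventory in larger tenants without any error.
$eligibleRoleAssignments = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty 'roleDefinition', 'principal'

$roleMembers = foreach ($assignment in $eligibleRoleAssignments) {
    $principalType = $assignment.Principal.AdditionalProperties['@odata.type']

    if ($principalType -eq '#microsoft.graph.group') {
        # Direct members only. Role-assignable groups cannot contain other groups, so this is
        # complete for them; NOTE(review): if non-role-assignable groups are ever assigned roles,
        # nested members would be missed — confirm against the tenant's group settings.
        foreach ($member in Get-MgGroupMember -GroupId $assignment.Principal.Id -All) {
            [PSCustomObject]@{
                PrincipalId             = $member.Id
                PrincipalType           = $member.AdditionalProperties['@odata.type']
                UserPrincipalName       = $member.AdditionalProperties['userPrincipalName']
                RoleDefinitionId        = $assignment.RoleDefinition.Id
                RoleDefinitionName      = $assignment.RoleDefinition.DisplayName
                DirectoryScopeId        = $assignment.DirectoryScopeId
                AssignmentInheritedFrom = $assignment.Principal.Id
                AssignmentType          = 'Eligible'
            }
        }
    } else {
        [PSCustomObject]@{
            PrincipalId             = $assignment.Principal.Id
            PrincipalType           = $principalType
            UserPrincipalName       = $assignment.Principal.AdditionalProperties['userPrincipalName']
            RoleDefinitionId        = $assignment.RoleDefinition.Id
            RoleDefinitionName      = $assignment.RoleDefinition.DisplayName
            DirectoryScopeId        = $assignment.DirectoryScopeId
            AssignmentInheritedFrom = $null
            AssignmentType          = 'Eligible'
        }
    }
}

# An empty result would previously surface as an unhelpful Export-Csv binding error and,
# worse, could wipe the watchlist with an empty file after a transient Graph failure.
if (-not $roleMembers) {
    throw 'No eligible role assignments were returned; refusing to export an empty inventory.'
}

# Export as CSV
$roleMembers | Export-Csv -Path $OutputFileName -NoTypeInformation -Encoding UTF8 -Delimiter ','

# Upload to Storage Account. -Force overwrites the blob from the previous run; without it
# the cmdlet prompts for confirmation, which fails in a non-interactive runbook.
$azStorageParams = @{
    File      = $OutputFileName
    Container = $Container
    Context   = (New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount)
    Force     = $true
}
Set-AzStorageBlobContent @azStorageParams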