Code Monkey home page Code Monkey logo

azureautomation / audit-azure-subscription-rbac-assignments Goto Github PK

View Code? Open in Web Editor NEW
1.0 3.0 2.0 11 KB

If you need to audit/log Azure permissions, this is it. I created this script to help perform a RBAC audit for a Azure subscription. This script resolves all RBAC assignments, then expand every group to retain only resolved users. It is build so that you can take the output and d

License: Other

PowerShell 100.00%
azureautomationrunbookgallery

audit-azure-subscription-rbac-assignments's Introduction

Audit Azure subscription RBAC assignments

If you need to audit/log Azure permissions, this is it. I created this script to help perform a RBAC audit for a Azure subscription. This script resolves all RBAC assignments, then expand every group to retain only resolved users. 

It is build so that you can take the output and do whatever you want with it after, whenever it's convert it to JSON, CSV, XML.

 

Here are 2 invocation examples and their outputs

 

Usage  

PowerShell Edit|Remove powershell Connect-AzureRmAccount

Set-AzureRmContext -Subscription 'Your Subscription'

Perform an audit grouped by users

$rbacAudit = Invoke-AzureRmSubscriptionRBACAudit.ps1

#output the result as-is $rbacAudit

Id : 4506482f-23a0-4820-850b-06219f704739 DisplayName : FirstName1 LastName1 ParentGroup : {Id, DisplayName} RoleDefinitionName : Reader Scope : /subscriptions/11111111-1111-1111-1111-111111111111 CanDelegate : False

Id : dc37e4bd-1811-4b5e-ba5e-1322ff5ac29d DisplayName : FirstName2 LastName2 ParentGroup : {Id, DisplayName} RoleDefinitionName : Owner Scope : /subscriptions/11111111-1111-1111-1111-111111111111 CanDelegate : False

Id : 8a173eb5-52a4-4a5b-b6ae-aefc3dac7489 DisplayName : FirstName3 LastName3 ParentGroup : {Id, DisplayName} RoleDefinitionName : Reader Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg CanDelegate : False

Id : 4e13ae9c-7e3b-49e4-a49e-e81c2dd21151 DisplayName : FirstName4 LastName4 ParentGroup : {Id, DisplayName} RoleDefinitionName : Contributor Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg/providers/Microsoft.Insights/components/stg-ai-app-qjkgqezdtfjr4 CanDelegate : False

#output the result as JSON $rbacAudit | ConvertTo-Json -Depth 5

[ { 'Id': '4506482f-23a0-4820-850b-06219f704739', 'DisplayName': 'FirstName1 LastName1', 'ParentGroup': { 'Id': '9cb7e0c1-0513-441b-b484-8b55761694fe', 'DisplayName': 'SecurityGroupName1' }, 'RoleDefinitionName': 'Reader', 'Scope': '/subscriptions/11111111-1111-1111-1111-111111111111', 'CanDelegate': false }, ...]

Connect-AzureRmAccount    Set-AzureRmContext -Subscription 'Your Subscription'    # Perform an audit grouped by users  $rbacAudit = Invoke-AzureRmSubscriptionRBACAudit.ps1     #output the result as-is  $rbacAudit    Id                       : 4506482f-23a0-4820-850b-06219f704739  DisplayName        : FirstName1 LastName1  ParentGroup         : {Id, DisplayName}  RoleDefinitionName : Reader  Scope                  : /subscriptions/11111111-1111-1111-1111-111111111111  CanDelegate        : False    Id                 : dc37e4bd-1811-4b5e-ba5e-1322ff5ac29d  DisplayName        : FirstName2 LastName2  ParentGroup        : {Id, DisplayName}  RoleDefinitionName : Owner  Scope              : /subscriptions/11111111-1111-1111-1111-111111111111  CanDelegate        : False    Id                 : 8a173eb5-52a4-4a5b-b6ae-aefc3dac7489  DisplayName        : FirstName3 LastName3  ParentGroup        : {Id, DisplayName}  RoleDefinitionName : Reader  Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg  CanDelegate        : False    Id                 : 4e13ae9c-7e3b-49e4-a49e-e81c2dd21151  DisplayName        : FirstName4 LastName4  ParentGroup        : {Id, DisplayName}  RoleDefinitionName : Contributor  Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg/providers/Microsoft.Insights/components/stg-ai-app-qjkgqezdtfjr4  CanDelegate        : False    #output the result as JSON  $rbacAudit | ConvertTo-Json -Depth 5    [      {          'Id':  '4506482f-23a0-4820-850b-06219f704739',          'DisplayName':  'FirstName1 LastName1',          'ParentGroup':  {                              'Id':  '9cb7e0c1-0513-441b-b484-8b55761694fe',                              'DisplayName':  'SecurityGroupName1'                          },          'RoleDefinitionName':  'Reader',          'Scope':  '/subscriptions/11111111-1111-1111-1111-111111111111',          'CanDelegate':  false      },      ... ]

Requirements

Tested with AzureRM.Resources Version 5.x, & 6.x

TechNet gallery is retiring! This script was migrated from TechNet script center to GitHub by Microsoft Azure Automation product group. All the Script Center fields like Rating, RatingCount and DownloadCount have been carried over to Github as-is for the migrated scripts only. Note : The Script Center fields will not be applicable for the new repositories created in Github & hence those fields will not show up for new Github repositories.

audit-azure-subscription-rbac-assignments's People

Stargazers

avatar

Watchers

avatar avatar avatar

Forkers

kennyb7322 joehun0

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.