• Stars
    star
    194
  • Rank 200,219 (Top 4 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created about 3 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Insights and change tracking on Azure Active Directory Service Principals (Enterprise Applications and Applications)

AzADServicePrincipalInsights aka AzADSPI

Insights and change tracking on Azure Active Directory Service Principals (Enterprise Applications and Applications)

aka links:

  • aka.ms/AzADSPI
  • aka.ms/AzADServicePrincipalInsights

Content

Updates

  • 20230316
    • Use AzAPICall PowerShell module version 1.1.70
  • 20221017
    • Use AzAPICall PowerShell module version 1.1.40
      • Issue #10 - Handle error 404 User Assigned Managed Identity / ResourceGroup not found
  • 20221014
  • 20221008
    • New feature - Managed Identity User Assigned Federated Identity Credentials
    • Rearrange JSON output for Managed Identity associated Azure Resources
  • 20221007
    • New feature - Managed Identity User Assigned associated Azure Resources
    • Changed parameter name NoAzureRoleAssignments to NoAzureResourceSideRelations
      • Using NoAzureResourceSideRelations:
        • No (Azure Resource side) RBAC Role assignments collection
        • No (Azure Resource side) Policy assignments collection
        • No (Azure Resource side) Resources collection ('Managed Identity User Assigned associated Azure Resources' feature annul)
    • Azure DevOps pipeline yml - update vmImage ubuntu-20.04 ubuntu-22.04
    • Minor fixes and optimizations
    • Use AzAPICall PowerShell module version 1.1.33
  • 20220717
    • Removed identity governance state validation
    • Use AzAPICall PowerShell module version 1.1.18
  • 20220630
    • Breaking Change on the Azure side: Instead of RoleManagement.Read.All we require RoleManagement.Read.Directory
  • 20220622_1
    • Fix /providers/Microsoft.Authorization/roleAssignmentScheduleInstances AzAPICall errorhandling (error 400, 500)
    • Optimize procedure to update the AzAPICall module
    • Use AzAPICall PowerShell module version 1.1.17
  • 20220613_1
    • use AzAPICall module version 1.1.16
    • enhance HiPo Users HTML output
    • minor fixes
  • 20220609_1
    • add parameter -CriticalAADRoles (defaults: Global Administrator, Privileged Role Administrator, Privileged Authentication Administrator)
    • add HiPo Users - A HiPo User has direct or indirect ownership on a ServicePrincipal(s) with classified permissions (AppRole, AAD Role, Azure Role, OAuthPermissionGrant)
    • use AzAPICall module version 1.1.13
    • minor fixes
  • 20220505_1
    • fix: using:scriptPath variable in foreach parallel (this is only relevant for Azure DevOps and GitHub if you have a non default folder structure in your repository) - thanks Matt :)
  • 20220501_1
    • parameter -ManagementGroupId accepts multiple Management Groups in form of an array e.g. .\pwsh\AzADServicePrincipalInsights.ps1 -ManagementGroupId @('mgId0', 'mgId1')
    • new parameter -OnlyProcessSPsThatHaveARoleAssignmentInTheRelevantMGScopes. You may want to only report on Service Principals that have RBAC permissions on Azure resources at and below that Management Group scope(s) (Management Groups, Subscriptions, Resource Groups and Resources)
    • Role assignments on Azure resources - mark those RBAC Role assignments which leverage a RBAC Role definition that can create role assignments as critical
    • updated YAML workflow/pipeline files
    • minor bug fixes
    • performance optimization
  • 20220425_2
    • add parameter -ManagementGroupId (if undefined, then Tenant Root Management Group will be used)
    • use AzAPICall module version 1.1.11
  • 20220404_1
    • add FederatedIdentityCredentials

Features

Parameters

  • DebugAzAPICall - Switch to enable AzAPICall debug function for troubleshooting API calls using the AzAPICall module
  • ManagementGroupId
    • Option1: The Management Group ID that should be queried for the report. If undefined the Root Management group will be used.
    • Option2: accepts multiple Management Groups in form of an array e.g. .\pwsh\AzADServicePrincipalInsights.ps1 -ManagementGroupId @('mgId0', 'mgId1')
  • NoCsvExport - Switch to disable exporting enriched data in CSV format
  • CsvDelimiter - The world is split into two kinds of delimiters - comma and semicolon - choose yours (default : ';')
  • OutputPath - Define the path where you want the output files to be stored
  • SubscriptionQuotaIdWhitelist - Process only Subscriptions with defined QuotaId(s). Example: .\AzADServicePrincipalInsights.ps1 -SubscriptionQuotaIdWhitelist MSDN_,Enterprise_ (default : @('undefined')
  • DoTranscript - Switch to enable logging to console output
  • HtmlTableRowsLimit Threshold for the HTML output (table formatted) to prevent unresponsive browser issue due to limited client device performance. A recommendation will be shown to download the CSV instead of opening the TF table (default : 20000)
  • ThrottleLimitARM - Limit the parallel Azure Resource Manager API requests (default : 10)
  • ThrottleLimitGraph - Limit the parallel Graph API requests (default : 20)
  • ThrottleLimitLocal - Limit the parallelism of Powershell task to process the results (default : 100)
  • SubscriptionId4AzContext - If needed set a specific SubscriptionID as context for the AzAPICall module (default : 'undefined')
  • FileTimeStampFormat - Define the time format for the output files (default : 'yyyyMMdd_HHmmss')
  • NoJsonExport - Switch to disable exporting enriched data in Json formatted files
  • AADGroupMembersLimit - Defines the limit of AAD Group members; For AAD Groups that have more members than the defined limit Group members will not be resolved (default : 500)
  • NoAzureResourceSideRelations - Switch to disable the processing of Azure resource side relations
  • StatsOptOut - Switch to opt out sending statistics for usage analysis
  • ApplicationSecretExpiryWarning - Define warning period for Service Principal secret expiry (default : 14 days)
  • ApplicationSecretExpiryMax - Define maximum expiry period for Service Principal secrets (default : 730 days)
  • ApplicationCertificateExpiryWarning - Define warning period for Service Principal certificate expiry (default : 14 days)
  • ApplicationCertificateExpiryMax - Define maximum expiry period for Service Principal certificates (default : 730 days)
  • DirectorySeparatorChar - Set the character for directory seperation (default : [IO.Path]::DirectorySeparatorChar)
  • OnlyProcessSPsThatHaveARoleAssignmentInTheRelevantMGScopes - Switch to only report on Service Principals that have a role assigment within the scope of the data collection contaxt
  • CriticalAADRoles - Azure Active Directory roles that should be considered as highly privileged/critical (default :@('62e90394-69f5-4237-9190-012177145e10', 'e8611ab8-c189-46e8-94e1-60213ab1f814', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13') which are Global Administrator, Privileged Role Administrator, Privileged Authentication Administrator)

Data

  • ServicePrincipals by type
  • ServicePrincipal owners
  • Application owners
  • ServicePrincipal owned objects
  • Managed Identity User Assigned - associated Azure Resources
  • ServicePrincipal AAD Role assignments
  • ServicePrincipal AAD Role assignedOn
  • Application AAD Role assignedOn
  • App Role assignments (API permissions Application)
  • App Roles assignedTo (Users and Groups)
  • Oauth permission grants (API permissions delegated)
  • Azure Role assignments (Azure Resources; Management Groups, Subscriptions, Resource Groups, Resources)
  • ServicePrincipal Group memberships
  • Application Secrets
  • Application Certificates
  • Application Federated Identity Credentials
  • Managed Identity User Assigned Federated Identity Credentials
  • HiPo Users (wip)

Prerequisites

Permissions

Azure

Management Group (Tenant Root Management Group) RBAC: Reader

Azure Active Directory

Microsoft Graph API | Application | Application.Read.All
Microsoft Graph API | Application | Group.Read.All
Microsoft Graph API | Application | RoleManagement.Read.All
Microsoft Graph API | Application | RoleManagement.Read.Directory
Microsoft Graph API | Application | User.Read.All

Azure DevOps

The Build Service Account or Project Collection Build Service Account (which ever you use) requires Contribute permissions on the repository (Project settings - Repos - Security)

PowerShell

Requires PowerShell Version >= 7.0.3

Requires PowerShell Module 'AzAPICall'.
Running in Azure DevOps or GitHub Actions the AzAPICall PowerShell module will be installed automatically.
AzAPICall resources:

PowerShell Gallery Version (including pre-releases)
GitHub Repository

Execute as Service Principal / Application

#USER: 'Application (client) ID' of the App registration OR 'Application ID' of the Service Principal (Enterprise Application)
#PASSWORD: Secret of the App registration

$pscredential = Get-Credential
Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -Credential $pscredential
.\pwsh\AzADServicePrincipalInsights.ps1

Preview

previewHTML
previewHTML2
previewJSON

AzAdvertizer

alt text

Also check https://www.azadvertizer.net - AzAdvertizer helps you to keep up with the pace by providing overview and insights on new releases and changes/updates for Azure Governance capabilities such as Azure Policy's Policy definitions, initiatives (Set definitions), aliases and Azure RBAC's Role definitions and resource provider operations.

Azure Governance Visualizer aka AzGovViz

alt text

Also check out the Azure Governance Visualizer. The tool is intended to help you to get a holistic overview on your technical Azure Governance implementation by connecting the dots.
It is a PowerShell script that iterates your Azure Tenant's Management Group hierarchy down to Subscription level, it captures most relevant Azure governance capabilities such as Azure Policy, RBAC and Blueprints and a lot more..

  • Listed as tool for the Govern discipline in the Microsoft Cloud Adoption Framework (CAF)
  • Listed as security monitoring tool in the Microsoft Well Architected Framework (WAF)

Closing Note

Please note that while being developed by a Microsoft employee, AzADServicePrincipalInsights is not a Microsoft service or product. AzADServicePrincipalInsights is a personal/community driven project, there are none implicit or explicit obligations related to this project, it is provided 'as is' with no warranties and confer no rights.