AzADServicePrincipalInsights
Insights and change tracking on Azure Active Directory Service Principals (Enterprise Applications and Applications)
- 20221017
  - Use AzAPICall PowerShell module version 1.1.40
  - Issue #10 - Handle error `404` 'User Assigned Managed Identity / ResourceGroup not found'
- 20221014
  - Use AzAPICall PowerShell module version 1.1.38
  - Handle error `405` 'Support for federated identity credentials not enabled'
- 20221008
  - New feature - Managed Identity User Assigned Federated Identity Credentials
  - Rearrange JSON output for Managed Identity associated Azure Resources
- 20221007
  - New feature - Managed Identity User Assigned associated Azure Resources
  - Changed parameter name `NoAzureRoleAssignments` to `NoAzureResourceSideRelations`
  - Using `NoAzureResourceSideRelations`:
    - No (Azure Resource side) RBAC Role assignments collection
    - No (Azure Resource side) Policy assignments collection
    - No (Azure Resource side) Resources collection (disables the 'Managed Identity User Assigned associated Azure Resources' feature)
  - Azure DevOps pipeline yml - update vmImage `ubuntu-20.04` to `ubuntu-22.04`
  - Minor fixes and optimizations
  - Use AzAPICall PowerShell module version 1.1.33
- 20220717
  - Removed identity governance state validation
  - Use AzAPICall PowerShell module version 1.1.18
- 20220630
  - Breaking Change on the Azure side: instead of `RoleManagement.Read.All` we require `RoleManagement.Read.Directory`
- 20220622_1
  - Fix `/providers/Microsoft.Authorization/roleAssignmentScheduleInstances` AzAPICall error handling (error 400, 500)
  - Optimize procedure to update the AzAPICall module
  - Use AzAPICall PowerShell module version 1.1.17
- 20220613_1
  - use AzAPICall module version 1.1.16
  - enhance HiPo Users HTML output
  - minor fixes
- 20220609_1
  - add parameter `-CriticalAADRoles` (defaults: Global Administrator, Privileged Role Administrator, Privileged Authentication Administrator)
  - add HiPo Users - a HiPo User has direct or indirect ownership on ServicePrincipal(s) with classified permissions (AppRole, AAD Role, Azure Role, OAuthPermissionGrant)
  - use AzAPICall module version 1.1.13
  - minor fixes
- 20220505_1
  - fix: `using:scriptPath` variable in foreach parallel (this is only relevant for Azure DevOps and GitHub if you have a non-default folder structure in your repository) - thanks Matt :)
- 20220501_1
  - parameter `-ManagementGroupId` accepts multiple Management Groups in form of an array, e.g. `.\pwsh\AzADServicePrincipalInsights.ps1 -ManagementGroupId @('mgId0', 'mgId1')`
  - new parameter `-OnlyProcessSPsThatHaveARoleAssignmentInTheRelevantMGScopes`. You may want to only report on Service Principals that have RBAC permissions on Azure resources at and below the given Management Group scope(s) (Management Groups, Subscriptions, Resource Groups and Resources)
  - Role assignments on Azure resources - mark those RBAC Role assignments which leverage a RBAC Role definition that can create role assignments as critical
  - updated YAML workflow/pipeline files
  - minor bug fixes
  - performance optimization
- 20220425_2
  - add parameter `-ManagementGroupId` (if undefined, then Tenant Root Management Group will be used)
  - use AzAPICall module version 1.1.11
- 20220404_1
  - add FederatedIdentityCredentials
- HTML export
- JSON export
- CSV export (wip)
  - AADRoleAssignments
  - AppRoleAssignments
  - Oauth2PermissionGrants
  - AppSecrets
  - AppCertificates
  - AppFederatedIdentityCredentials
  - MIFederatedIdentityCredentials
  - MI User Assigned associated resources
- Customizable permission classification (permissionClassification.json)
- `DebugAzAPICall` - Switch to enable the AzAPICall debug function for troubleshooting API calls made through the AzAPICall module
- `ManagementGroupId`
  - Option 1: The Management Group ID that should be queried for the report. If undefined, the Root Management Group will be used.
  - Option 2: Accepts multiple Management Groups in form of an array, e.g. `.\pwsh\AzADServicePrincipalInsights.ps1 -ManagementGroupId @('mgId0', 'mgId1')`
- `NoCsvExport` - Switch to disable exporting enriched data in CSV format
- `CsvDelimiter` - The world is split into two kinds of delimiters - comma and semicolon - choose yours (default : ';')
- `OutputPath` - Define the path where you want the output files to be stored
- `SubscriptionQuotaIdWhitelist` - Process only Subscriptions with the defined QuotaId(s). Example: `.\AzADServicePrincipalInsights.ps1 -SubscriptionQuotaIdWhitelist MSDN_,Enterprise_` (default : @('undefined'))
- `DoTranscript` - Switch to enable logging to console output
- `HtmlTableRowsLimit` - Threshold for the HTML output (table formatted) to prevent an unresponsive browser due to limited client device performance. Above the threshold a recommendation is shown to download the CSV instead of opening the TF table (default : 20000)
- `ThrottleLimitARM` - Limit the parallel Azure Resource Manager API requests (default : 10)
- `ThrottleLimitGraph` - Limit the parallel Graph API requests (default : 20)
- `ThrottleLimitLocal` - Limit the parallelism of the PowerShell tasks that process the results (default : 100)
- `SubscriptionId4AzContext` - If needed, set a specific SubscriptionID as context for the AzAPICall module (default : 'undefined')
- `FileTimeStampFormat` - Define the time format for the output files (default : 'yyyyMMdd_HHmmss')
- `NoJsonExport` - Switch to disable exporting enriched data in JSON formatted files
- `AADGroupMembersLimit` - Defines the limit of AAD Group members; for AAD Groups that have more members than the defined limit, Group members will not be resolved (default : 500)
- `NoAzureResourceSideRelations` - Switch to disable the processing of Azure resource side relations
- `StatsOptOut` - Switch to opt out of sending statistics for usage analysis
- `ApplicationSecretExpiryWarning` - Define the warning period for Service Principal secret expiry (default : 14 days)
- `ApplicationSecretExpiryMax` - Define the maximum expiry period for Service Principal secrets (default : 730 days)
- `ApplicationCertificateExpiryWarning` - Define the warning period for Service Principal certificate expiry (default : 14 days)
- `ApplicationCertificateExpiryMax` - Define the maximum expiry period for Service Principal certificates (default : 730 days)
- `DirectorySeparatorChar` - Set the character for directory separation (default : [IO.Path]::DirectorySeparatorChar)
- `OnlyProcessSPsThatHaveARoleAssignmentInTheRelevantMGScopes` - Switch to only report on Service Principals that have a role assignment within the scope of the data collection context
- `CriticalAADRoles` - Azure Active Directory roles that should be considered as highly privileged/critical (default : @('62e90394-69f5-4237-9190-012177145e10', 'e8611ab8-c189-46e8-94e1-60213ab1f814', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13'), which are Global Administrator, Privileged Role Administrator, Privileged Authentication Administrator)
- ServicePrincipals by type
- ServicePrincipal owners
- Application owners
- ServicePrincipal owned objects
- Managed Identity User Assigned - associated Azure Resources
- ServicePrincipal AAD Role assignments
- ServicePrincipal AAD Role assignedOn
- Application AAD Role assignedOn
- App Role assignments (API permissions Application)
- App Roles assignedTo (Users and Groups)
- Oauth permission grants (API permissions delegated)
- Azure Role assignments (Azure Resources; Management Groups, Subscriptions, Resource Groups, Resources)
- ServicePrincipal Group memberships
- Application Secrets
- Application Certificates
- Application Federated Identity Credentials
- Managed Identity User Assigned Federated Identity Credentials
- HiPo Users (wip)
Management Group (Tenant Root Management Group) RBAC: Reader
Microsoft Graph API | Application | Application.Read.All
Microsoft Graph API | Application | Group.Read.All
Microsoft Graph API | Application | RoleManagement.Read.All
Microsoft Graph API | Application | RoleManagement.Read.Directory
Microsoft Graph API | Application | User.Read.All
The Build Service Account or Project Collection Build Service Account (whichever you use) requires Contribute permissions on the repository (Project settings - Repos - Security)
Requires PowerShell Version >= 7.0.3
Requires PowerShell Module 'AzAPICall'.
Running in Azure DevOps or GitHub Actions the AzAPICall PowerShell module will be installed automatically.
AzAPICall resources:
```powershell
#USER: 'Application (client) ID' of the App registration OR 'Application ID' of the Service Principal (Enterprise Application)
#PASSWORD: Secret of the App registration
$pscredential = Get-Credential
Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -Credential $pscredential
.\pwsh\AzADServicePrincipalInsights.ps1
```
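A non-interactive variant of the local run, as an added example that is not part of the project's README or code: the App registration's client ID and secret are read from environment variables (assumed names `AZ_TENANT_ID`, `AZ_CLIENT_ID`, `AZ_CLIENT_SECRET`, typically mapped from a pipeline secret store) instead of the `Get-Credential` prompt, and the script is invoked via splatting with a selection of the parameters documented above. The Management Group IDs and the output folder are placeholders; the expiry values are assumed to be day counts, matching the documented defaults.

```powershell
# Added example, not the project's own code.
# Assumed environment variables:
#   AZ_TENANT_ID     - tenant ID
#   AZ_CLIENT_ID     - 'Application (client) ID' of the App registration
#   AZ_CLIENT_SECRET - secret of the App registration (inject from a secret store, never hard-code)
$tenantId     = $env:AZ_TENANT_ID
$clientId     = $env:AZ_CLIENT_ID
$secureSecret = ConvertTo-SecureString -String $env:AZ_CLIENT_SECRET -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential ($clientId, $secureSecret)

# Sign in as the Service Principal (same call as the interactive variant above)
Connect-AzAccount -ServicePrincipal -TenantId $tenantId -Credential $pscredential | Out-Null

# Critical AAD roles: the script's documented defaults, passed explicitly so the
# classification is visible in the pipeline definition and can be reviewed like code
$criticalRoles = @(
    '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814'  # Privileged Role Administrator
    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13'  # Privileged Authentication Administrator
)

# Placeholders: replace with the Management Group IDs and output folder of your tenant
$params = @{
    ManagementGroupId                                          = @('mgId0', 'mgId1')
    OnlyProcessSPsThatHaveARoleAssignmentInTheRelevantMGScopes = $true   # report only SPs with RBAC in these scopes
    CriticalAADRoles                                           = $criticalRoles
    ApplicationSecretExpiryWarning                             = 30      # warn 30 days ahead (default 14)
    ApplicationSecretExpiryMax                                 = 365     # flag secrets valid longer than a year (default 730)
    ApplicationCertificateExpiryWarning                        = 30
    ApplicationCertificateExpiryMax                            = 365
    CsvDelimiter                                               = ','
    OutputPath                                                 = 'C:\temp\AzADServicePrincipalInsights'
    DoTranscript                                               = $true
    StatsOptOut                                                = $true
}

# Run the script with the splatted parameter set
.\pwsh\AzADServicePrincipalInsights.ps1 @params
```

The identity used here still needs the Reader role on the Management Group(s) and the Graph application permissions listed above; tightening `ApplicationSecretExpiryMax` below the default makes long-lived App registration secrets stand out in the report rather than only those about to expire.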
Also check https://www.azadvertizer.net - AzAdvertizer helps you to keep up with the pace by providing overview and insights on new releases and changes/updates for Azure Governance capabilities such as Azure Policy's Policy definitions, initiatives (Set definitions), aliases and Azure RBAC's Role definitions and resource provider operations.
Also check https://aka.ms/AzGovViz - Azure Governance Visualizer is intended to help you to get a holistic overview on your technical Azure Governance implementation by connecting the dots.
It is a PowerShell script that iterates your Azure Tenant's Management Group hierarchy down to Subscription level and captures the most relevant Azure governance capabilities such as Azure Policy, RBAC, Blueprints and a lot more.
- Listed as tool for the Govern discipline in the Microsoft Cloud Adoption Framework (CAF)
- Listed as security monitoring tool in the Microsoft Well Architected Framework (WAF)
Please note that while being developed by a Microsoft employee, AzADServicePrincipalInsights is not a Microsoft service or product. AzADServicePrincipalInsights is a personal/community driven project; there are no implicit or explicit obligations related to this project, it is provided 'as is' with no warranties and confers no rights.