Trigger-PolicyInitiativeRemediation.ps1

<#PSScriptInfo
 
.VERSION 1.3
 
.GUID 5d5c9fe8-85a7-427d-88e7-6c44f61271ce
 
.AUTHOR jbritt@microsoft.com
 
.COMPANYNAME Microsoft
 
.COPYRIGHT Microsoft
 
.TAGS
 
.LICENSEURI
 
.PROJECTURI
https://aka.ms/AzPolicyScripts
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
August 13, 2020 1.3
    Added parameter -ADO
    This parameter provides the option to run this script leveraging an SPN in Azure DevOps.
 
    Special Thanks to Nikolay Sucheninov and the VIAcode team for working to get these scripts
    integrated and operational in Azure DevOps to streamline "Policy as Code" processes with version
    drift detection and remediation through automation!
 
#>


<#
.SYNOPSIS
  Create a set of remediation tasks across a scope (Subscription or Management Group) to remediate a Policy Initiative
   
.DESCRIPTION
  This script takes a PolicyAssignmentId, SubscriptionID or ManagementGroupID as parameters, analyzes the scope targeted
  to determine what Azure Policy Initiatives are available to remediate, and triggers the creation of these remediation tasks
  to the targeted scope. Leverage for -force switch to bypass the prompt at the end of script execution to ensure
  select execution (given all parameters are provided)
 
.PARAMETER SubscriptionId
    The subscriptionID of the Azure Subscription that contains the Policy Initiative
 
.PARAMETER ManagementGroup
    This ManagementGroup switch can be used to change scope to Management Group for scanning for the policy initiative assignment
  
.PARAMETER ManagementGroupID
    This parameter can be provided along with the ManagementGroup switch to predefine which MG you want to scan. If this parameter is not provided
    the list of Management Groups you have access to will be presented in a menu you can then select.
 
.PARAMETER PolicyAssignmentId
    This parameter allows you to provide which Policy Assignment (for Policy Initiative) that you want to remediate
 
.PARAMETER ADO
    This parameter allows you to execute this script within an Azure DevOps Pipeline utilizing an SPN
 
.EXAMPLE
  .\Trigger-PolicyInitiativeRemediation.ps1 -SubscriptionId "fd2323a9-2324-4d2a-90f6-7e6c2fe03512"
  With a specified subscriptionID as scope, the script will prompt which policy assignment to select for remediation
   
.EXAMPLE
  .\Trigger-PolicyInitiativeRemediation.ps1
  Will prompt for subscriptionID to leverage for analysis and prompt for which Policy Initiative Assignment within the scope
 
.EXAMPLE
  .\Trigger-PolicyInitiativeRemediation.ps1 -ManagementGroup
  Will prompt for ManagementGroupId and PolicyAssignmentId to leverage for remediation
 
.EXAMPLE
  .\Trigger-PolicyInitiativeRemediation.ps1 -ManagementGroup -ManagementGroupId "MyManagementGroup" `
  -PolicyAssignmentId '/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/pa1' `
  -force
 
  Will remedate a policy initiaive given the ManagementGroupId as scope, the specific PolicytAssignmentId and use force to execute silently.
 
.EXAMPLE
  .\Trigger-PolicyInitiativeRemediation.ps1 -Environment AzureUSGovernment -ManagementGroup -ManagementGroupId "MyManagementGroup" `
  -PolicyAssignmentId '/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/pa1' `
  -force
 
  Will do everything the previous example accomplished but targeting AzureUSGovernment Cloud instead of AzureCloud
 
.EXAMPLE
  .\Trigger-PolicyInitiativeRemediation.ps1 -Environment AzureUSGovernment -ManagementGroup -ManagementGroupId "MyManagementGroup" `
  -PolicyAssignmentId '/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/pa1' `
  -force -ADO
 
  Will do everything the previous example accomplished but provides the option to run this in Azure DevOps Pipeline with an SPN
 
.NOTES
   AUTHOR: Jim Britt Senior Program Manager - Azure CXP API (Azure Product Improvement)
   August 13, 2020 1.3
    Added parameter -ADO
    This parameter provides the option to run this script leveraging an SPN in Azure DevOps.
 
    Special Thanks to Nikolay Sucheninov and the VIAcode team for working to get these scripts
    integrated and operational in Azure DevOps to streamline "Policy as Code" processes with version
    drift detection and remediation through automation!
 
   August 4, 2020 1.2 - Updates
    Environment Added to script to allow for other clouds beyond Azure Commercial
    AzureChinaCloud, AzureCloud,AzureGermanCloud,AzureUSGovernment
     
    Special Thanks to Michael Pullen for your direct addition to the script to support
    additional Azure Cloud reach for this script! :)
     
    Thank you Matt Taylor, Paul Harrison, and Abel Cruz for your collaboration in this area
    to debug, test, validate, and push on getting Azure Government supported with these scripts!
 
    Bug fix for enumeration and execution of remediation of Policy Initiatives when Management Group is used
     
   July 2, 2020 1.1 - Updates
    Small visual bug on variable prompt when providing PolicyAssignmentId parameter value
 
   July 1, 2020 1.0 - Initial
 
.LINK
    This script posted to and discussed at the following locations:
    https://aka.ms/AzPolicyScripts
#>


[cmdletbinding(
        DefaultParameterSetName='Default'
    )]

param
(
    # Determine which Azure Cloud to leverage for script - default is AzureCloud
    [Parameter(ParameterSetName='Default',Mandatory = $False)]
    [Parameter(ParameterSetName='ManagementGroup')]
    [Parameter(ParameterSetName='Subscription')]
    [Parameter(ParameterSetName='Initiative')]
    [Parameter(Mandatory=$false)]
    [ValidateSet("AzureChinaCloud","AzureCloud","AzureGermanCloud","AzureUSGovernment")]
    [string]$Environment = "AzureCloud",

    # Run inside Azure DevOps Pipeline with SPN Auth
    [Parameter(ParameterSetName='Default',Mandatory = $False)]
    [Parameter(ParameterSetName='ManagementGroup')]
    [Parameter(ParameterSetName='Subscription')]
    [Parameter(ParameterSetName='Initiative')]
    [Parameter(Mandatory=$false)]
    [switch]$ADO = $False,

    # Specify a policy initiative assignment ID
    # Example for Management Group Scope: '/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/pa1'
    # Example for Subscription Scope: '/subscriptions/fd2323a9-2324-4d2a-90f6-7e6c2fe03512/providers/Microsoft.Authorization/policyAssignments/17ddefc76ecd4fe5b26455bb'
    [Parameter(ParameterSetName='Default',Mandatory = $False)]
    [Parameter(ParameterSetName='ManagementGroup')]
    [Parameter(ParameterSetName='Subscription')]
    [Parameter(ParameterSetName='Initiative')]
    [string]$PolicyAssignmentId,

    # Management Group switch to allow for scanning all subs in a management group (instead of sub only)
    [Parameter(ParameterSetName='ManagementGroup')]
    [switch]$ManagementGroup=$False,

    # Management Group ID to scan (if left blank - will build list and prompt for selection if $ManagementGroup switch is used)
    [Parameter(ParameterSetName='ManagementGroup')]
    [string]$ManagementGroupID,

    # Provide SubscriptionID to bypass subscription listing
    [Parameter(ParameterSetName='Subscription')]
    [string]$SubscriptionId,

    # Use -force switch to bypass prompt to continue at end of script execution
    [switch]$Force=$False

)
# FUNCTIONS
# Function used to build numbers in selection tables for menus
function Add-IndexNumberToArray (
    [Parameter(Mandatory=$True)]
    [array]$array
    )
{
    for($i=0; $i -lt $array.Count; $i++) 
    { 
        Add-Member -InputObject $array[$i] -Name "#" -Value ($i+1) -MemberType NoteProperty 
    }
    $array
}

# Build out the body for the GET / PUT request via REST API
function BuildBody
(
    [parameter(mandatory=$True)]
    [string]$method
)
{
    $BuildBody = @{
    Headers = @{
        Authorization = "Bearer $($token.AccessToken)"
        'Content-Type' = 'application/json'
    }
    Method = $Method
    UseBasicParsing = $true
    }
    $BuildBody
}  


# MAIN SCRIPT
$Start = $(Get-date)
if (!($MyInvocation.MyCommand.Path))
{
    $CurrentDir = Split-Path $MyInvocation.MyCommand.Path
}
else
{
    # Sometimes $myinvocation is null, it depends on the PS console host
    $CurrentDir = "."
}
Set-Location $CurrentDir

# Login to Azure - if already logged in, use existing credentials.
Write-Host "Authenticating to Azure..." -ForegroundColor Cyan
try
{
    $AzureLogin = Get-AzSubscription
    $currentContext = Get-AzContext
    $currentSub = $(Get-AzContext).Subscription.Name
    if($ADO){$token = $currentContext.TokenCache.ReadItems()}
    else{$token = $currentContext.TokenCache.ReadItems() | Where-Object {$_.tenantid -eq $currentContext.Tenant.Id}}
    if($Token.ExpiresOn -lt $(get-date))
    {
        "Logging you out due to cached token is expired for REST AUTH. Re-run script"
        $null = Disconnect-AzAccount        
        break
    } 
}
catch
{
    $null = Login-AzAccount -Environment $Environment
    $AzureLogin = Get-AzSubscription
    $currentContext = Get-AzContext
    if($ADO){$token = $currentContext.TokenCache.ReadItems()}
    else{$token = $currentContext.TokenCache.ReadItems() | Where-Object {$_.tenantid -eq $currentContext.Tenant.Id}}
}

# Authenticate to Azure if not already authenticated
# Ensure this is the subscription where your Azure Policy Initiative is located
If($AzureLogin -and !($SubscriptionID) -and !($ManagementGroup))
{
    [array]$SubscriptionArray = Add-IndexNumberToArray (Get-AzSubscription) 
    [int]$SelectedSub = 0

    # use the current subscription if there is only one subscription available
    if ($SubscriptionArray.Count -eq 1) 
    {
        $SelectedSub = 1
    }
    # Get SubscriptionID if one isn't provided
    while($SelectedSub -gt $SubscriptionArray.Count -or $SelectedSub -lt 1)
    {
        Write-host "Please select a subscription from the list below"
        $SubscriptionArray | Select-Object "#", Id, Name | Format-Table
        try
        {
            $SelectedSub = Read-Host "Please enter a selection from 1 to $($SubscriptionArray.count)"
        }
        catch
        {
            Write-Warning -Message 'Invalid option, please try again.'
        }
    }
    if($($SubscriptionArray[$SelectedSub - 1].Name))
    {
        $SubscriptionName = $($SubscriptionArray[$SelectedSub - 1].Name)
    }
    elseif($($SubscriptionArray[$SelectedSub - 1].SubscriptionName))
    {
        $SubscriptionName = $($SubscriptionArray[$SelectedSub - 1].SubscriptionName)
    }
    write-verbose "You Selected Azure Subscription: $SubscriptionName"
    
    if($($SubscriptionArray[$SelectedSub - 1].SubscriptionID))
    {
        [guid]$SubscriptionID = $($SubscriptionArray[$SelectedSub - 1].SubscriptionID)
    }
    if($($SubscriptionArray[$SelectedSub - 1].ID))
    {
        [guid]$SubscriptionID = $($SubscriptionArray[$SelectedSub - 1].ID)
    }
}
if($SubscriptionId -and !($ManagementGroup))
{
    try{
        $SubscriptionToUse = Select-AzSubscription -Subscription $SubscriptionId
        Write-Host "Selecting Azure Subscription: $($SubscriptionToUse.Subscription.Name) ..." -ForegroundColor Cyan
    }
    catch{
        write-host "Something went wrong - please check subscriptionId and try again" -ForegroundColor Red
        break
    }
    
    
}

# If Management Group specified, but no ID provided, let's go get one to use
If(!($ManagementGroupID) -and $ManagementGroup)
{
    [array]$MgtGroupArray = Add-IndexNumberToArray (Get-AzManagementGroup)
    if(!$MgtGroupArray)
    {
        Write-host "Please make sure you have Management Groups that are accessible"
        exit 1
    }
    [int]$SelectedMG = 0

    # use the current Managment Group if there is only one MG available
    if ($MgtGroupArray.Count -eq 1) 
    {
        $SelectedMG = 1
    }
    # Get Management Group if one isn't provided
    while($SelectedMG -gt $MgtGroupArray.Count -or $SelectedMG -lt 1)
    {
        Write-host "Please select a Management Group from the list below"
        $MgtGroupArray | select-object "#", Name, DisplayName, Id | Format-Table
        try
        {
            write-host "If you don't see your ManagementGroupID try using the parameter -ManagementGroupID" -ForegroundColor Cyan
            $SelectedMG = Read-Host "Please enter a selection from 1 to $($MgtGroupArray.count)"
        }
        catch
        {
            Write-Warning -Message 'Invalid option, please try again.'
        }
    }
    if($($MgtGroupArray[$SelectedMG - 1].Name))
    {
        $ManagementGroupID = $($MgtGroupArray[$SelectedMG - 1].Name)
    }
    
    write-verbose "You Selected Management Group: $ManagementGroupID"
    Write-Host "Selecting Management Group: $ManagementGroupID ..." -ForegroundColor Cyan
}

# If Management Group specified, let's validate the ID provided is correct (exists)
if($ManagementGroup)
{
    $SubScriptionsToProcess =@()
    if($ManagementGroupID)
    {
        $azEnvironment = Get-AzEnvironment -Name $Environment
        $GetBody = BuildBody -method "GET"
        $MGSubsDetailsURI = "$($azEnvironment.ResourceManagerUrl)providers/microsoft.management/managementGroups/$($ManagementGroupID)/descendants?api-version=2018-03-01-preview"
        $GetResults = (Invoke-RestMethod -uri $MGSubsDetailsURI @GetBody).value
        foreach($Result in $GetResults| Where-Object {$_.type -eq "/subscriptions"})
        {
            $SubScriptionsToProcess += $Result 
        }
    }
    else {
        Write-Host "No ManagementGroupID found - ERROR!"
        write-host "Setting Context back to initial subscription $CurrentSub" -ForegroundColor Blue
        $Null = Set-AzContext -Subscription $CurrentSub
        break
    }
    
}
if($SubscriptionId)
{
    $Scope = "/subscriptions/$($SubscriptionToUse.Subscription.Id)"
}
if($ManagementGroupID)
{
    $Scope = "/providers/Microsoft.Management/managementgroups/$($ManagementGroupID)"
}

# If we don't have a PolicyAssignmentID to use, let's ask for one from the scope provided
$WarningPreference = "SilentlyContinue"
If(!($PolicyAssignmentID))
{
    try {
        [array]$PolicyAssignMentIDArray = Add-IndexNumberToArray (Get-AzPolicyAssignment -Scope $Scope | where-object {$_.Properties.policyDefinitionID -match 'policySetDefinitions'})     
    }
    catch {
        Write-Host "`nERROR: Please check that there are Policy Initiatives assigned to scope " -nonewline -ForegroundColor Red 
        write-host "$Scope" -NoNewline -ForegroundColor Yellow
        write-host " ...terminating script`n" -ForegroundColor Red
        write-host "Setting Context back to initial subscription $CurrentSub" -ForegroundColor Blue
        $Null = Set-AzContext -Subscription $CurrentSub
        break
    }
    [int]$SelectedAssignmentID = 0

    # use the only assignmentid if there is only one available
    if ($PolicyAssignMentIDArray.Count -eq 1) 
    {
        $SelectedAssignmentID = 1
    }
    # Get IDs if one isn't provided
    while($SelectedAssignmentID -gt $PolicyAssignMentIDArray.Count -or $SelectedAssignmentID -lt 1)
    {
        Write-host "Please select an AssignMentID from the list below"
        $PolicyAssignMentIDArray | Select-Object "#", @{Label = "PolicyAssignment Name";Expression={$_.Properties.displayName}}, @{Label = "PolicyAssignmentID";Expression={$_.ResourceId}} | Format-Table
        try
        {
            $SelectedAssignmentID = Read-Host "Please enter a selection from 1 to $($PolicyAssignMentIDArray.count)"
        }
        catch
        {
            Write-Warning -Message 'Invalid option, please try again.'
        }
    }
    if($($PolicyAssignMentIDArray[$SelectedAssignmentID - 1].Name))
    {
        $PolicyAssignmentID = $($PolicyAssignMentIDArray[$SelectedAssignmentID - 1].PolicyAssignmentId)
    }
    write-verbose "You Selected Azure Policy Initiative: $($PolicyAssignMentIDArray[$SelectedAssignmentID - 1].Properties.displayName)"
}
if($PolicyAssignmentID)
{
    try
    {
        $PolicyAssignment = Get-AzPolicyAssignment -Id $PolicyAssignmentID
        $PolicyDefinition = $(Get-AzPolicySetDefinition -id $PolicyAssignment.Properties.policyDefinitionId)
        $PolicyDefinitionRefIDs = $($PolicyDefinition.Properties.policyDefinitions).policyDefinitionReferenceId
        Write-Host "Selecting Azure Policy Initiative: $($PolicyAssignMent.Properties.displayName)..." -ForegroundColor Cyan
    }
    catch{
        write-host "Something went wrong - please check PolicyAssignmentID and try again" -ForegroundColor Red
        write-host "Setting Context back to initial subscription $CurrentSub" -ForegroundColor Blue
        $Null = Set-AzContext -Subscription $CurrentSub
        break
    }
}

# Initialize counts to track number of policies to remediate
$Count = 0
$Totalcount = $PolicyDefinitionRefIDs.Count

# Use -force switch to bypass prompt
if ($Force -OR $PSCmdlet.ShouldContinue("Create a set of remediation tasks for Policy Initiative `"$($PolicyAssignMent.Properties.displayName)`". Continue?","Remediate `"$($PolicyAssignMent.Properties.displayName)`" Initiative?") )
{
    Foreach($PolicyDefRefID in $PolicyDefinitionRefIDs)
    {
        try {
            $Count++
            write-host "Creating remediation for Policy $Count of $Totalcount - Remediation-$PolicyDefRefID"
            $null = Start-AzPolicyRemediation -PolicyAssignmentId $PolicyAssignmentID -PolicyDefinitionReferenceId $PolicyDefRefID -Name "Remediation-$PolicyDefRefID"
        }
        catch {
            Write-Host "Something went wrong creating the policy remediation" -ForegroundColor Red
            write-host "Setting Context back to initial subscription $CurrentSub" -ForegroundColor Blue
            $Null = Set-AzContext -Subscription $CurrentSub
            break
        }
    }
}
else {
    Write-Host "You have cancelled the remediation request for $($PolicyAssignMent.Properties.displayName)" -ForegroundColor Yellow
}

# Stop "timer" to calculate total time running
$Stop = (Get-Date)

# Let's set context back to original sub you were on before executing
write-host "Setting Context back to initial subscription $CurrentSub" -ForegroundColor Blue
try
{
    $Null = Set-AzContext -Subscription $CurrentSub
}
catch
{
    Write-Host "Failed to set context back to intial subscription $CurrentSub. Please review!"
}

# Finish up
Write-Host "Complete`n" -ForegroundColor Green
Write-Host "Script execution time: " -nonewline
Write-Host "$($($Stop - $Start).minutes) minutes and $($($Stop - $Start).seconds) seconds.`n" -ForegroundColor Cyan