Public/Export-FMTPermissions.ps1
function Export-FMTPermissions { ## Access Check param( [parameter()] [string] $resourceGroup, [parameter()] [string] $virtualNetwork, [parameter()] [string] $subscriptionName, [parameter()] [string] $principle ) if ($subscriptionName) { try { Set-AzContext -Subscription $subscriptionName -ErrorAction Stop } catch { return $Error[0] | Write-Error } } # Access # Global Access Check try { Import-Module Microsoft.Graph.Users -ErrorAction stop } catch { Install-Module Microsoft.Graph -force Connect-MgGraph } # Connect-MgGraph try { Import-Module AZ.Quota -ErrorAction stop } catch { Install-Module AZ.Quota -force } # Grab RG and VNet via menu if none are specified. if (!$resourceGroup) { $allRGs = Get-AzResourceGroup $resourceGroup = Build-MenuFromArray -array $allRGs -property ResourceGroupName -message "Select desired resource group" } if (!$virtualNetwork) { $allVnets = Get-AzVirtualNetwork $virtualNetwork = Build-MenuFromArray -array $allVnets -property name -message "Select desired virtual network" } # Setting up some vars for use throughout. $azContext = Get-AzContext $substring = '/subscriptions/' + $azcontext.Subscription.id try { $myGroups = Get-MgUserMemberOf -UserId $azContext.account -ErrorAction Stop | ForEach-Object {Get-AzADGroup -ObjectId $_.id} } catch { Write-Error "Check your current logged in principle using Get-AzContext." } $rgObject = Get-AzResourceGroup -ResourceGroupName $resourceGroup $location = $rgObject.Location $reportName = $azContext.account.id.replace('@','-').tolower() + '.json' # VNET $Resource = Get-AzResource -ResourceType 'Microsoft.Network/virtualNetworks' -Name $virtualNetwork $vnetRoleAssignments = New-Object System.Collections.Generic.List[PSObject] $Assignment = Get-AzRoleAssignment -ResourceName $Resource.Name -ResourceGroupName $Resource.ResourceGroupName -ResourceType $Resource.ResourceType foreach ($a in $Assignment) { if ($Resource.ResourceId -eq $a.Scope) { $IsInherited = $false } else { $IsInherited = $true } $a | Add-member -MemberType NoteProperty -Name ResourceName-Value $Resource.Name $a | Add-member -MemberType NoteProperty -Name ResourceId -Value $Resource.ResourceId $a | Add-member -MemberType NoteProperty -Name IsInherited -Value $IsInherited $vnetRoleAssignments.Add($a) } $myVnetAssignments = foreach ($i in $myGroups.DisplayName) { $vnetRoleAssignments | Where-Object {$_.DisplayName -contains $i} } # RG $Resource = Get-AzResourceGroup -ResourceGroupName $resourceGroup $rgRoleAssignments = New-Object System.Collections.Generic.List[PSObject] $Assignment = Get-AzRoleAssignment -Scope $Resource.ResourceId foreach ($a in $Assignment) { if ($Resource.ResourceId -eq $a.Scope) { $IsInherited = $false } else { $IsInherited = $true } $a | Add-member -MemberType NoteProperty -Name ResourceName-Value $Resource.Name $a | Add-member -MemberType NoteProperty -Name ResourceId -Value $Resource.ResourceId $a | Add-member -MemberType NoteProperty -Name IsInherited -Value $IsInherited $rgRoleAssignments.Add($a) } $myRGAssignments = foreach ($i in $myGroups.DisplayName) { $rgRoleAssignments | Where-Object {$_.DisplayName -contains $i} } # Subscription $subRoleAssignments = New-Object System.Collections.Generic.List[PSObject] $Assignment = Get-AzRoleAssignment -Scope $substring foreach ($a in $Assignment) { if ($Resource.ResourceId -eq $a.Scope) { $IsInherited = $false } else { $IsInherited = $true } $a | Add-member -MemberType NoteProperty -Name ResourceName-Value $Resource.Name $a | Add-member -MemberType NoteProperty -Name ResourceId -Value $Resource.ResourceId $a | Add-member -MemberType NoteProperty -Name IsInherited -Value $IsInherited $subRoleAssignments.Add($a) } $mySubAssignments = foreach ($i in $myGroups.DisplayName) { $subRoleAssignments | Where-Object {$_.DisplayName -contains $i} } # Gather list of all roles and list permissions from each. $allAssignments = @() $allAssignments += $myVnetAssignments $allAssignments += $myRGAssignments $allAssignments += $mySubAssignments $allAssignmentList = $allAssignments | Select-Object RoleDefinitionName -Unique $rollArray = @() foreach ($i in $allassignmentList) { $role = Get-AzRoleDefinition -Name $i.RoleDefinitionName $rollArray += $role } # Policy # Get a list of all policy settings. $policyList = Get-AzPolicyAssignment -Scope $substring -WarningAction SilentlyContinue # Call home # Qualify outbound access to callhome endpoints. # Quota # Check overall quota and usage for all vCPU and storage types. $quotaObj = New-Object psobject $quotaScope = $substring + '/providers/Microsoft.Compute/locations/' + $location $LSv3 = Get-AzQuota -Scope $quotaScope -ResourceName 'StandardLSv3Family' $DSv5 = Get-AzQuota -Scope $quotaScope -ResourceName 'StandardDSv5Family' $quotaObj | Add-Member -MemberType NoteProperty -Name 'LSv3 Quota' -Value $LSv3 $quotaObj | Add-Member -MemberType NoteProperty -Name 'DSv5 Quota' -Value $DSv5 # Restrictions $restrictionObj = New-Object psobject $response = Get-AzComputeResourceSku -Location $location $LSv3Restrictions = $response | Where-Object {$_.Name -eq 'Standard_L8s_v3'} $DSv5Restrictions = $response | Where-Object {$_.Name -eq 'Standard_D64s_v5'} $restrictionObj | Add-Member -MemberType NoteProperty -Name 'LSv3 Restrictions' -Value $LSv3Restrictions $restrictionObj | Add-Member -MemberType NoteProperty -Name 'DSv5 Restrictions' -Value $DSv5Restrictions # Dump out to JSON. $finalReport = New-Object psobject $finalReport | Add-Member -MemberType NoteProperty -Name 'Subscription Assignments' -Value $mySubAssignments $finalReport | Add-Member -MemberType NoteProperty -Name 'Ressource Group Assignment' -Value $myRGAssignments $finalReport | Add-Member -MemberType NoteProperty -Name 'Virtual Network Assignment' -Value $myVnetAssignments $finalReport | Add-Member -MemberType NoteProperty -Name 'Roll Action Index' -Value $rollArray $finalReport | Add-Member -MemberType NoteProperty -Name 'Policies' -Value $policyList $finalReport | Add-Member -MemberType NoteProperty -Name 'Quota' -Value $quotaObj $finalReport | Add-Member -MemberType NoteProperty -Name 'Restrictions' -Value $restrictionObj $finalReport | ConvertTo-Json -Depth 10 | Out-File $reportName # Flex only. } |