Azure Security Assessments

Methodology

To begin an assessment, list all resources in every subscription that is in scope to get a sense of the environment.

List All Resources

# Assumes Connect-AzAccount has already been run for the target tenant.
$subs = Get-AzSubscription
$resources = @()

foreach ($sub in $subs) {
  # Switch the Az context to each subscription before enumerating its resources
  Set-AzContext -Subscription $sub.Id | Out-Null
  $resources += Get-AzResource
}

# -Depth is needed because the default depth of 2 truncates nested properties such as Tags
$resources | ConvertTo-Json -Depth 10 | Out-File ".\resources.json" -Encoding utf8

List All Resource Types

Output a unique list of resource types

jq 'map(.ResourceType) | unique' resources.json
jq '. | unique_by(.ResourceType) | .[] | .ResourceType' .\resources.json

List Directory Roles

$DirectoryRoles = Get-AzureADDirectoryRole
 
ObjectId                             DisplayName                                Description
--------                             -----------                                -----------
02bb6e8b-bb42-4f30-a527-0cfe44d1a902 Reports Reader                             Can read sign-in and audit reports.
...

Get Privileged Roles

$PrivilegedRoles = $DirectoryRoles | Where-Object {
  $_.DisplayName -like "*Administrator*" -or $_.DisplayName -eq "Global Reader"
}

List Privileged User Accounts

$PrivilegedUsers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.ObjectId } | Select-Object Id -Unique
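The two steps above return only unique member Ids, which hides which role each account holds and misses accounts that hold a role through a group. The following script is an added example (not from the original page) that maps every privileged directory role, including Global Administrator, to its members and expands group assignments. It assumes the Microsoft.Graph modules and that Connect-MgGraph has been run with the scopes shown.

```powershell
# Added example: privileged role -> member report using the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Groups are installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Same privileged-role filter as above, but sourced from Graph instead of the AzureAD module
$PrivilegedRoles = Get-MgDirectoryRole | Where-Object {
  $_.DisplayName -like "*Administrator*" -or $_.DisplayName -eq "Global Reader"
}

$report = foreach ($role in $PrivilegedRoles) {
  foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $type = $member.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.group') {
      # Role assigned to a group: expand it so the people who actually hold the role are listed
      Get-MgGroupTransitiveMember -GroupId $member.Id -All | ForEach-Object {
        [pscustomobject]@{
          Role        = $role.DisplayName
          MemberType  = $_.AdditionalProperties['@odata.type']
          Id          = $_.Id
          DisplayName = $_.AdditionalProperties['displayName']
          Upn         = $_.AdditionalProperties['userPrincipalName']
          ViaGroup    = $member.AdditionalProperties['displayName']
        }
      }
    } else {
      # Direct assignment to a user or service principal
      [pscustomobject]@{
        Role        = $role.DisplayName
        MemberType  = $type
        Id          = $member.Id
        DisplayName = $member.AdditionalProperties['displayName']
        Upn         = $member.AdditionalProperties['userPrincipalName']
        ViaGroup    = $null
      }
    }
  }
}

# Global Administrators first, then the remaining privileged roles
$report | Sort-Object { $_.Role -ne 'Global Administrator' }, Role, Upn | Format-Table -AutoSize
$report | Export-Csv ".\privileged-role-members.csv" -NoTypeInformation
```

Service principals show up with MemberType #microsoft.graph.servicePrincipal and no Upn, so review those rows separately from human accounts.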

List Global Admins

 

List Azure Role Assignments

Get-AzRoleAssignment
az role assignment list --role "User Access Administrator" --scope "/providers/Microsoft.Management/managementGroups/<id guid>"

Tools

  • azure/azure_security_assessments.txt
  • Last modified: 2025/06/25 18:59
  • by mmuze