azure:azure_security_assessments

Revision history: 2022/09/14 16:10 – removed (mmuze); 2025/06/25 18:59 (current) – [List Azure Role Assignments] (mmuze)
====== Azure Security Assessments ======
  * [[azure:Azure Security Assessments Exploration]]
  * [[azure:Azure Powerpipe]]
  * [[azure:azure_resource_graph_explorer|Azure Resource Graph Explorer]]
  * [[https://github.com/microsoft/ARI]]

====== Methodology ======
To begin an assessment, list every resource in every in-scope subscription. This inventory gives you a sense of the environment before you look at roles and role assignments.

====== List All Resources ======

<code powershell>
$subs = Get-AzSubscription
$resources = @()

foreach ($sub in $subs) {
  # Get-AzResource only returns resources in the current context, so switch per subscription
  Set-AzContext -Subscription $sub.Id | Out-Null
  $resources += Get-AzResource
}

# -Depth keeps nested properties such as Tags from being truncated in the JSON output
$resources | ConvertTo-Json -Depth 10 | Out-File .\resources.json -Encoding utf8
</code>

== List All Resource Types ==
Output a unique list of resource types:
<code>
jq 'map(.ResourceType) | unique' resources.json
</code>

<code>
jq '. | unique_by(.ResourceType) | .[] | .ResourceType' .\resources.json
</code>

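The inventory step above and the resource-type summary can also be done in one PowerShell run, which avoids a second tool on the assessment host. The following is an added example, not code from the original page: it builds the cross-subscription inventory with the Az module, tags each resource with the subscription it came from, writes the same `resources.json`, and then counts resources per type. The function names and the optional subscription allow-list are assumptions; it assumes `Connect-AzAccount` has already been run with at least Reader on the subscriptions in scope.

```powershell
# Added example: cross-subscription resource inventory plus a per-type summary.
# Assumes Connect-AzAccount has been run and the identity has Reader on the
# in-scope subscriptions. Function names are illustrative.

function Get-ScopedResourceInventory {
    param(
        # Optional allow-list of subscription IDs; empty means every enabled subscription
        [string[]] $SubscriptionIds = @(),
        [string] $OutputPath = ".\resources.json"
    )

    $subs = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }
    if ($SubscriptionIds.Count -gt 0) {
        $subs = $subs | Where-Object { $SubscriptionIds -contains $_.Id }
    }

    $inventory = foreach ($sub in $subs) {
        # Get-AzResource only sees the current context, so switch per subscription
        Set-AzContext -Subscription $sub.Id | Out-Null
        Get-AzResource | Select-Object `
            @{ n = 'SubscriptionId';   e = { $sub.Id } },
            @{ n = 'SubscriptionName'; e = { $sub.Name } },
            Name, ResourceGroupName, ResourceType, Location, Tags, ResourceId
    }

    # -Depth keeps nested objects such as Tags from being flattened to a type name
    $inventory | ConvertTo-Json -Depth 10 | Out-File -FilePath $OutputPath -Encoding utf8
    return $inventory
}

function Get-ResourceTypeSummary {
    param([object[]] $Inventory)
    # Unique resource types with counts, most common first
    $Inventory | Group-Object ResourceType |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ResourceType'; e = { $_.Name } }, Count
}

$inv = Get-ScopedResourceInventory
Get-ResourceTypeSummary -Inventory $inv | Format-Table -AutoSize
```

The JSON written by `Get-ScopedResourceInventory` has the same top-level shape as the page's `resources.json`, so the `jq` filters above still work on it; the extra `SubscriptionName` field is what makes the per-type counts meaningful when several subscriptions are in scope.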
====== List Directory Roles ======

Note that ''Get-AzureADDirectoryRole'' only returns roles that have been activated in the tenant, and the AzureAD module it comes from is deprecated; ''Get-MgDirectoryRole'' from the Microsoft Graph PowerShell SDK is the equivalent.

<code powershell>
$DirectoryRoles = Get-AzureADDirectoryRole
$DirectoryRoles

ObjectId                             DisplayName                                Description
--------                             -----------                                -----------
02bb6e8b-bb42-4f30-a527-0cfe44d1a902 Reports Reader                             Can read sign-in and audit reports.
...
</code>

====== Get Privileged Roles ======

<code powershell>
# Treat every "*Administrator*" role plus Global Reader as privileged
$PrivilegedRoles = $DirectoryRoles | Where-Object {
  $_.DisplayName -like "*Administrator*" -or $_.DisplayName -eq "Global Reader"
}
</code>

====== List Privileged User Accounts ======
<code powershell>
# Requires Connect-MgGraph; the AzureAD ObjectId is the same directory role object ID Graph expects
$PrivilegedUsers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.ObjectId } | Select-Object Id -Unique
</code>


====== List Global Admins ======
<code powershell>

</code>

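The two previous sections (privileged role members and Global Admins) share one enumeration, so here is a single added example covering both; it is not code from the original page. It uses the Microsoft Graph PowerShell SDK rather than the deprecated AzureAD module, and it expands role-assignable groups so that a Global Administrator who holds the role only through group membership is still reported. It assumes `Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"` has been run; the function name and the privileged-name patterns (the same ones the page uses) are assumptions, not a Microsoft-defined list.

```powershell
# Added example: privileged directory role members, including indirect
# membership through role-assignable groups, via Microsoft Graph PowerShell.
# Assumes Connect-MgGraph has been run with directory read scopes.
# The name patterns mirror the page's filter and are an assumption.

function Get-PrivilegedDirectoryRoleMembers {
    param(
        [string[]] $NamePatterns = @('*Administrator*', 'Global Reader')
    )

    # Get-MgDirectoryRole only returns roles that have been activated in the tenant
    $roles = Get-MgDirectoryRole | Where-Object {
        $name = $_.DisplayName
        ($NamePatterns | Where-Object { $name -like $_ }).Count -gt 0
    }

    foreach ($role in $roles) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        foreach ($m in $members) {
            $type = $m.AdditionalProperties['@odata.type']
            if ($type -eq '#microsoft.graph.group') {
                # Role-assignable group: report each transitive user member as indirect
                Get-MgGroupTransitiveMember -GroupId $m.Id -All | Where-Object {
                    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user'
                } | ForEach-Object {
                    [pscustomobject]@{
                        Role       = $role.DisplayName
                        MemberId   = $_.Id
                        Principal  = $_.AdditionalProperties['userPrincipalName']
                        MemberType = 'user'
                        ViaGroup   = $m.AdditionalProperties['displayName']
                    }
                }
            } else {
                $principal = if ($type -eq '#microsoft.graph.user') {
                    $m.AdditionalProperties['userPrincipalName']
                } else {
                    # Service principals and other objects have no UPN; show the display name
                    $m.AdditionalProperties['displayName']
                }
                [pscustomobject]@{
                    Role       = $role.DisplayName
                    MemberId   = $m.Id
                    Principal  = $principal
                    MemberType = $type -replace '^#microsoft\.graph\.', ''
                    ViaGroup   = $null
                }
            }
        }
    }
}

$privileged = Get-PrivilegedDirectoryRoleMembers

# Global Administrators, direct and via role-assignable groups
$privileged | Where-Object Role -eq 'Global Administrator' |
    Sort-Object Principal -Unique |
    Format-Table Principal, MemberType, ViaGroup -AutoSize

# Unique privileged principals across every matched role, like the page's $PrivilegedUsers
$privileged | Select-Object MemberId -Unique
```

Service principals holding a privileged role appear with `MemberType` set to `servicePrincipal`; those are worth reviewing separately, since they are not covered by the user-focused controls (MFA, PIM activation) that usually apply to human administrators.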
====== List Azure Role Assignments ======
<code powershell>
Get-AzRoleAssignment
</code>

<code>
az role assignment list --role "User Access Administrator" --scope "/providers/Microsoft.Management/managementGroups/<id guid>"
</code>
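`Get-AzRoleAssignment` on its own returns every assignment visible in the current subscription context, which is a lot to read through. The following added example (not code from the original page) collects assignments across all enabled subscriptions and flags the two kinds a reviewer usually wants first: highly privileged built-in roles granted at management-group, subscription or root scope, and assignments whose principal no longer resolves (`ObjectType` of `Unknown`, typically a deleted identity). It assumes `Connect-AzAccount` has been run with Reader on the subscriptions; the function name and the set of roles treated as high-privilege are assumptions.

```powershell
# Added example: Azure RBAC assignment review across subscriptions.
# Assumes Connect-AzAccount has been run with Reader on the in-scope subscriptions.
# The list of roles considered high-privilege is an assumption for this example.

function Get-AzRoleAssignmentReview {
    param(
        [string[]] $HighPrivilegeRoles = @('Owner', 'User Access Administrator', 'Contributor')
    )

    $assignments = foreach ($sub in (Get-AzSubscription | Where-Object State -eq 'Enabled')) {
        Set-AzContext -Subscription $sub.Id | Out-Null
        # Includes assignments inherited from management groups above this subscription
        Get-AzRoleAssignment | Select-Object `
            @{ n = 'SubscriptionName'; e = { $sub.Name } },
            DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope
    }

    foreach ($a in $assignments) {
        # Classify the scope string so broad grants stand out
        $level = if ($a.Scope -eq '/') { 'root' }
            elseif ($a.Scope -like '/providers/Microsoft.Management/managementGroups/*') { 'managementGroup' }
            elseif ($a.Scope -match '^/subscriptions/[^/]+$') { 'subscription' }
            elseif ($a.Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$') { 'resourceGroup' }
            else { 'resource' }

        $finding = ''
        if ($a.ObjectType -eq 'Unknown') {
            $finding = 'orphaned principal'
        } elseif (($HighPrivilegeRoles -contains $a.RoleDefinitionName) -and
                  ($level -in @('root', 'managementGroup', 'subscription'))) {
            $finding = 'high-privilege role at broad scope'
        }

        [pscustomobject]@{
            SubscriptionName   = $a.SubscriptionName
            ScopeLevel         = $level
            Scope              = $a.Scope
            RoleDefinitionName = $a.RoleDefinitionName
            DisplayName        = $a.DisplayName
            SignInName         = $a.SignInName
            ObjectType         = $a.ObjectType
            Finding            = $finding
        }
    }
}

$review = Get-AzRoleAssignmentReview

# Only the flagged assignments, broadest scope first
$review | Where-Object Finding |
    Sort-Object ScopeLevel, RoleDefinitionName |
    Format-Table SubscriptionName, ScopeLevel, RoleDefinitionName, DisplayName, ObjectType, Finding -AutoSize
```

Because assignments inherited from a management group show up under every subscription beneath it, the same flagged row can appear once per subscription; deduplicate on `Scope`, `RoleDefinitionName` and `DisplayName` if you want one line per grant rather than one per subscription it affects.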
====== Tools ======
  * [[https://github.com/microsoft/ARI]], inventory tool
  
  • Last modified: 2022/09/14 16:10
  • by mmuze