azure:azure_security_assessments

Page azure:azure_security_assessments, current revision 2025/06/25 18:59 by mmuze (previous revision 2025/01/03 21:18, also by mmuze).
====== Azure Security Assessments ======
  * [[azure:Azure Security Assessments Exploration]]
  * [[azure:Azure Powerpipe]]
  * [[azure:azure_resource_graph_explorer|Azure Resource Graph Explorer]]
  * [[https://github.com/microsoft/ARI]]

====== Methodology ======
To begin an assessment, list all resources in every subscription that is in scope to get a sense of the environment. Get-AzSubscription only returns the subscriptions the signed-in identity can see, so sign in (Connect-AzAccount) with an identity that has at least Reader on every subscription in scope; anything it cannot see is silently missing from the inventory.


====== List All Resources ======

<code powershell>
# Requires the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session.
$subs = Get-AzSubscription
$resources = @()

foreach ($sub in $subs) {
  # Get-AzResource only sees the subscription in the current context, so switch per subscription
  Set-AzContext -Subscription $sub.Id | Out-Null
  $resources += Get-AzResource
}

# -InputObject keeps the output a JSON array even for a single resource; the default -Depth of 2
# truncates nested properties such as tags and SKU, so raise it.
ConvertTo-Json -InputObject $resources -Depth 10 | Out-File ".\resources.json" -Encoding utf8
</code>

== List All Resource Types ==
Output a unique list of resource types:
<code>
jq 'map(.ResourceType) | unique' resources.json
</code>

Or one type per line, without JSON quoting:
<code>
jq -r 'unique_by(.ResourceType) | .[] | .ResourceType' resources.json
</code>
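The same inventory and resource-type count can be produced with Azure Resource Graph, which queries every subscription the identity can read in one call instead of switching context per subscription. This is an added example, not code from the original page; it requires the Az.ResourceGraph module and an existing Connect-AzAccount session, and assumes the identity has Reader on every subscription in scope (Resource Graph silently omits subscriptions it cannot read). It serves both the "List All Resources" and "List All Resource Types" steps above.

```powershell
# Added example (not from the original page): inventory all resources across the tenant with
# Azure Resource Graph. Requires Az.ResourceGraph and an existing Connect-AzAccount session.
# Assumption: the signed-in identity has Reader on every subscription in scope.

# Resource Graph returns at most 1000 rows per call, so page with the skip token until it is empty.
function Get-AllGraphRows {
    param([Parameter(Mandatory)][string]$Query)

    $rows = [System.Collections.Generic.List[object]]::new()
    $skipToken = $null
    do {
        if ($skipToken) {
            $page = Search-AzGraph -Query $Query -First 1000 -SkipToken $skipToken -UseTenantScope
        } else {
            $page = Search-AzGraph -Query $Query -First 1000 -UseTenantScope
        }
        $page | ForEach-Object { $rows.Add($_) }
        $skipToken = $page.SkipToken     # $null on the last page
    } while ($skipToken)
    return $rows
}

# Full inventory: one row per resource with the fields an assessor usually pivots on.
$inventoryQuery = @"
resources
| project id, name, type, location, subscriptionId, resourceGroup, tags
| order by subscriptionId asc, type asc
"@
$inventory = Get-AllGraphRows -Query $inventoryQuery
ConvertTo-Json -InputObject $inventory -Depth 10 | Out-File ".\resources-graph.json" -Encoding utf8

# Unique resource types with counts: the same answer as the jq filters above, computed server-side.
$typeCounts = Get-AllGraphRows -Query "resources | summarize count() by type | order by count_ desc"
$typeCounts | Format-Table type, count_ -AutoSize

# Sanity check against the per-subscription Get-AzResource loop: a mismatch usually means a
# subscription the identity cannot read, or a provider Resource Graph does not index.
Write-Host ("Resource Graph returned {0} resources across {1} subscriptions" -f $inventory.Count,
    ($inventory | Select-Object -ExpandProperty subscriptionId -Unique).Count)
```

Compare the type list from this query with the jq output rather than just the totals; the types that appear in one and not the other point at the subscriptions or providers that are missing.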
  
====== List Directory Roles ======

Get-AzureADDirectoryRole comes from the deprecated AzureAD module and returns only the roles that have been activated in the tenant; the Microsoft Graph PowerShell equivalent is Get-MgDirectoryRole, whose objects expose Id rather than ObjectId.

<code powershell>
$DirectoryRoles = Get-AzureADDirectoryRole
$DirectoryRoles

ObjectId                             DisplayName                                Description
--------                             -----------                                -----------
02bb6e8b-bb42-4f30-a527-0cfe44d1a902 Reports Reader                             Can read sign-in and audit reports.
042bbd3a-7970-4c1f-a3cb-6d3ae5bddb17 Compliance Data Administrator              Creates and manages compliance content.
0683f604-2183-4be9-a85a-d4f9f204b8fa User Administrator                         Can manage all aspects of users and groups, including resetting passwords for limited admins.
09951ee1-6fb1-4c6f-9c86-97b3d3fe6cdd Global Administrator                       Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.
12aea5d0-83d8-4a4d-9bed-9b99260250b9 Global Reader                              Can read everything that a Global Administrator can, but not update anything.
14323b4c-ca17-48fa-b0d1-058123c78b0e Directory Writers                          Can read and write basic directory information. For granting access to applications, not intended for users.
151928d9-97c4-429e-99cd-37a6d256ecd8 Authentication Policy Administrator        Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and veri...
1670d62a-547d-4061-8177-d25c0768b7bc Hybrid Identity Administrator              Can manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, and federation settings.
188d7e24-5e4f-4050-9b2a-d54de5e57377 Skype for Business Administrator           Can manage all aspects of the Skype for Business product.
197a0622-3e76-454a-9638-a25202e89c82 Teams Communications Support Engineer      Can troubleshoot communications issues within Teams using advanced tools.
1ef22921-f708-494e-a51d-53a2ad0cb4f5 Groups Administrator                       Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and v...
2b8e368b-f9d2-4766-92ef-d6864a455e73 Privileged Role Administrator              Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.
2f288736-851d-402a-bd77-0b3842a69503 Intune Administrator                       Can manage all aspects of the Intune product.
2f4d93d3-cd57-47bd-9716-aabbee365915 Authentication Administrator               Allowed to view, set and reset authentication method information for any non-admin user.
...
</code>
 +
====== Get Privileged Roles ======

Filtering on the display name is a heuristic: it catches every "*Administrator*" role plus Global Reader, but misses privileged roles whose names do not contain the word (Directory Writers and Partner Tier2 Support, for example), and it only sees roles that have been activated in the tenant. Microsoft's own isPrivileged flag on the Graph role definitions is the authoritative list.

<code powershell>
$PrivilegedRoles = $DirectoryRoles | Where-Object {
  $_.DisplayName -like "*Administrator*" -or $_.DisplayName -eq "Global Reader"
}
</code>

====== List Privileged User Accounts ======
<code powershell>
# Mixes the AzureAD role objects above (ObjectId) with the Microsoft Graph SDK; run
# Connect-MgGraph -Scopes "Directory.Read.All" (or "RoleManagement.Read.Directory") first.
$PrivilegedUsers = $PrivilegedRoles |
  ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.ObjectId } |
  Select-Object Id -Unique
</code>

Directory role membership shows active assignments only: PIM-eligible assignments are not listed, a role held through a role-assignable group appears as the group rather than its users, and a member can be a service principal rather than a user (check AdditionalProperties.'@odata.type' on each object).
 +
  
 ====== List Global Admins ====== ====== List Global Admins ======
<code powershell>
...
</code>
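One way to get the complete picture for the three preceding steps (privileged roles, their holders, and Global Administrators specifically) with the Microsoft Graph PowerShell SDK alone. This is an added example, not code from the original page: it uses Microsoft's isPrivileged flag instead of name matching, includes PIM-eligible assignments, and flags Global Administrator by its fixed role template id. It assumes Connect-MgGraph -Scopes "RoleManagement.Read.Directory" has been run and that this scope is sufficient for both the role assignment and the eligibility schedule calls.

```powershell
# Added example (not from the original page): enumerate privileged Entra ID roles and who holds
# them, active and PIM-eligible, with the Microsoft.Graph.Identity.Governance module.
# Assumption: Connect-MgGraph -Scopes "RoleManagement.Read.Directory" has already been run.

$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # template id of Global Administrator

function Get-PrivilegedRoleHolders {
    # Roles Microsoft flags as privileged, whether or not they have been activated in the tenant
    $privilegedDefs = Get-MgRoleManagementDirectoryRoleDefinition -Filter "isPrivileged eq true" -All

    foreach ($def in $privilegedDefs) {
        $filter = "roleDefinitionId eq '$($def.Id)'"

        # Both pipelines expand the principal so we get its type and name without a second lookup.
        $assignments = @(
            # Active assignments (permanent, or PIM-activated right now)
            Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -ExpandProperty principal -All |
                ForEach-Object { [pscustomobject]@{ Kind = 'Active'; Item = $_ } }
            # PIM-eligible assignments: invisible to Get-MgDirectoryRoleMember, but one activation away
            Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -ExpandProperty principal -All |
                ForEach-Object { [pscustomobject]@{ Kind = 'Eligible'; Item = $_ } }
        )

        foreach ($a in $assignments) {
            $p = $a.Item.Principal
            $type = $p.AdditionalProperties.'@odata.type' -replace '^#microsoft\.graph\.', ''
            $name = $p.AdditionalProperties.userPrincipalName
            if (-not $name) { $name = $p.AdditionalProperties.displayName }

            [pscustomobject]@{
                Role          = $def.DisplayName
                IsGlobalAdmin = ($def.TemplateId -eq $GlobalAdminTemplateId)
                Kind          = $a.Kind
                Scope         = $a.Item.DirectoryScopeId   # '/' is tenant-wide; anything else is an AU or app scope
                PrincipalType = $type                      # user, group or servicePrincipal
                Principal     = $name
                PrincipalId   = $p.Id
            }
        }
    }
}

$holders = Get-PrivilegedRoleHolders

# Everything, grouped so the review reads role by role
$holders | Sort-Object Role, Kind, Principal | Format-Table Role, Kind, Scope, PrincipalType, Principal -AutoSize

# Global Administrators specifically, active and eligible, one line per principal
$holders | Where-Object IsGlobalAdmin | Sort-Object PrincipalId -Unique |
    Format-Table Kind, PrincipalType, Principal -AutoSize

# A 'group' principal hides its real members; expand it with Get-MgGroupMember -GroupId <PrincipalId> -All.
# A 'servicePrincipal' holding a privileged role should be traced to its application owners and credentials.
```

Treat an eligible Global Administrator as a Global Administrator for assessment purposes: the activation step is a control on when the privilege is used, not on who ultimately has it.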
 +
====== List Azure Role Assignments ======
Get-AzRoleAssignment lists the assignments that apply to the current subscription context; the Scope column shows where each one was made, so assignments inherited from a management group or the root scope appear with that scope. Repeat it per subscription in scope (Set-AzContext as in the inventory loop above).
<code powershell>
Get-AzRoleAssignment
</code>

The Azure CLI equivalent scoped to a management group (the id is the management group name; the tenant root group's id is the tenant id). Add --include-inherited to also see assignments inherited from parent management groups:
<code>
az role assignment list --role "User Access Administrator" --scope "/providers/Microsoft.Management/managementGroups/<id guid>"
</code>
====== Tools ======
  * [[https://github.com/microsoft/ARI]], inventory tool
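Listing every assignment is the first step; the question an assessor actually asks is who can change access control. The following added example (not code from the original page) walks every subscription in scope, reports principals holding Owner or User Access Administrator, and also catches custom roles whose Actions reach Microsoft.Authorization/roleAssignments/write or roleDefinitions/write, which are User Access Administrator in all but name. It requires the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session; the list of control-plane actions to flag is an assessor's choice, not an Azure-defined set.

```powershell
# Added example (not from the original page): find who can change Azure RBAC across all subscriptions.
# Requires Az.Accounts and Az.Resources and an existing Connect-AzAccount session with Reader on each subscription.
# Assumption: the control-plane actions below are the assessor's own choice of what counts as privileged.

$ControlPlaneActions = @(
    'Microsoft.Authorization/roleAssignments/write',   # grant any role to anyone at this scope
    'Microsoft.Authorization/roleDefinitions/write'    # change what existing roles allow
)

# Azure RBAC action patterns use '*' wildcards; PowerShell's -like has the same '*' semantics,
# so test the concrete action against each pattern (Actions grants, NotActions takes away).
function Test-RoleGrantsAction {
    param([Parameter(Mandatory)]$RoleDefinition, [Parameter(Mandatory)][string]$Action)
    $allowed = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ })
    $denied  = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

function Get-PrivilegedAzureAssignments {
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -Subscription $sub.Id | Out-Null

        # Custom roles visible from this subscription that reach a control-plane action
        $riskyCustomRoles = @(Get-AzRoleDefinition -Custom | Where-Object {
            $role = $_
            @($ControlPlaneActions | Where-Object { Test-RoleGrantsAction -RoleDefinition $role -Action $_ }).Count -gt 0
        } | Select-Object -ExpandProperty Name)

        $privilegedRoleNames = @('Owner', 'User Access Administrator') + $riskyCustomRoles

        # Scope shows where the assignment was made; a management-group or '/' scope means it is inherited
        Get-AzRoleAssignment | Where-Object { $_.RoleDefinitionName -in $privilegedRoleNames } | ForEach-Object {
            $principal = $_.SignInName
            if (-not $principal) { $principal = $_.DisplayName }
            $findings.Add([pscustomobject]@{
                Subscription = $sub.Name
                Role         = $_.RoleDefinitionName
                CustomRole   = ($_.RoleDefinitionName -in $riskyCustomRoles)
                ObjectType   = $_.ObjectType      # User, Group, ServicePrincipal, or Unknown for a deleted principal
                Principal    = $principal
                ObjectId     = $_.ObjectId
                Scope        = $_.Scope
            })
        }
    }
    return $findings
}

$findings = Get-PrivilegedAzureAssignments
$findings | Sort-Object Subscription, Role, Principal | Format-Table -AutoSize

# Orphaned assignments (principal deleted, assignment left behind) show ObjectType 'Unknown'.
# They are dead weight until an object with the same id is recreated, so report them separately.
$findings | Where-Object ObjectType -eq 'Unknown' | Format-Table Subscription, Role, ObjectId, Scope -AutoSize
```

Group principals need the same follow-up as in the Entra ID check: a group holding Owner at a subscription is only as controlled as the group's membership and its owners.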
  