azure:azure_security_assessments

Differences

azure:azure_security_assessments [2025/01/03 21:27] mmuze
azure:azure_security_assessments [2025/06/25 18:59] (current) – [List Azure Role Assignments] mmuze
Line 1: Line 1:
 ====== Azure Security Assessments ====== ====== Azure Security Assessments ======
 +  * [[azure:Azure Security Assessments Exploration]]
 +  * [[azure:Azure Powerpipe]]
 +  * [[azure:azure_resource_graph_explorer|Azure Resource Graph Explorer]]
 +  * [[https://github.com/microsoft/ARI]]
 +
 +====== Methodology ======
 +To begin an assessment list all resources that are in all subscriptions that are in scope to get a sense of the environment.
 +
 +
 +====== List All Resources ======
 +
 +<code powershell>
 +$subs = Get-AzSubscription
 +
 +foreach ($sub in $subs) {
 +  Set-AzContext -Subscription $sub.id
 +  $resources += Get-AzResource
 +}
 +
 +$resources | convert-to-json | out-file " . \resources.json" -encoding utf8
 +</code>
 +
 +== List All Resource Types ==
 +Output a unique list of resource types
 +<code>
 +jq 'map(.ResourceType) | unique' resources.json
 +</code>
 +
 +<code>
 +jq '. | unique_by(.ResourceType) | .[] | .ResourceType' .\resources.json
 +</code>
  
 ====== List Directory Roles ====== ====== List Directory Roles ======
  
 <code powershell> <code powershell>
-PS C:\Users\mg-admin> Get-AzureADDirectoryRole+$DirectoryRoles = Get-AzureADDirectoryRole
  
 ObjectId                             DisplayName                                Description ObjectId                             DisplayName                                Description
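Review bot: in the List All Resources block, `convert-to-json` is not a cmdlet name (the extra hyphen splits the verb); it should be `ConvertTo-Json`, and the output path `" . \resources.json"` contains stray spaces, so the file is not written as `.\resources.json`. Two more points in the same block: `ConvertTo-Json` defaults to `-Depth 2`, so nested properties of each resource (Tags, Properties) are flattened to strings in the exported inventory, and a larger `-Depth` is needed if the JSON is meant to be queried with jq later; and `$resources` is never initialised, so rerunning the script in the same session appends to the previous run's results (add `$resources = @()` before the loop, or collect with `$resources = foreach ($sub in $subs) { Set-AzContext -Subscription $sub.Id; Get-AzResource }`). On the List Directory Roles change: once the call is assigned to `$DirectoryRoles`, the ObjectId / DisplayName / Description table that follows is no longer printed, so either add a trailing `$DirectoryRoles` line or drop the sample output; note also that `Get-AzureADDirectoryRole` is from the deprecated AzureAD module while the later section already uses Microsoft Graph cmdlets, and the Graph equivalent `Get-MgDirectoryRole` exposes `Id` rather than `ObjectId`. Style: `== List All Resource Types ==` is a level-5 heading while the rest of the page uses level-1 `======`.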
Line 24: Line 55:
 ====== List Privilege User Accounts ====== ====== List Privilege User Accounts ======
 <code powershell> <code powershell>
-$PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.ObjectId } | Select-Object Id -Unique+$PrivilegedUsers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.ObjectId } | Select-Object Id -Unique
 </code> </code>
  
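Review bot: `Select-Object Id -Unique` discards everything but the object id, so `$PrivilegedUsers` cannot distinguish users from groups and service principals even though the heading promises user accounts; `Get-MgDirectoryRoleMember` returns generic directory objects whose type and display name live in `AdditionalProperties` (`@odata.type`, `userPrincipalName`, `displayName`), so select those as well and expand group members separately. Two caveats worth stating on the page: without `-All` the cmdlet returns only the first page of members, and it lists active assignments only, so PIM-eligible assignments do not appear in this list. The `-DirectoryRoleId $_.ObjectId` argument also assumes `$PrivilegedRoles` came from the AzureAD cmdlets; objects from `Get-MgDirectoryRole` expose `Id` instead.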
Line 32: Line 63:
  
 </code> </code>
 +
 +====== List Azure Role Assignments ======
 +<code powershell>
 +Get-AzRoleAssignment
 +</code>
 +
 +<code>
 + az role assignment list --role "User Access Administrator" --scope "/providers/Microsoft.Management/managementGroups/<id guid>"
 +</code>
 +====== Tools ======
 +  * [[https://github.com/microsoft/ARI]], inventory tool
  
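Review bot: `Get-AzRoleAssignment` with no arguments lists only the assignments of the subscription in the current context, so this section needs the same per-subscription loop as List All Resources (or `-Scope` set to the management group) to cover the whole estate; add `-IncludeClassicAdministrators` to catch classic Co-Administrators, and flag rows whose `ObjectType` is `Unknown`, which are assignments to principals that have since been deleted. For the az CLI line, `az role assignment list` omits inherited assignments unless `--include-inherited` is given, and the management group id is its name, which is only a GUID for the tenant root group, so the `<id guid>` placeholder is misleading. Style: a blank line is missing before `====== Tools ======`, the `az` line has a leading space inside the code block, and the ARI link duplicates the one in the index list at the top of the page.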
  • azure/azure_security_assessments.1735939641.txt.gz
  • Last modified: 2025/01/03 21:27
  • by mmuze