Azure Security Assessments

Methodology

To begin an assessment, enumerate every resource in every in-scope subscription to get a sense of the environment; the later steps build on this inventory. Note that Get-AzSubscription only returns subscriptions the assessing identity can read, so reconcile its output against the scope agreed with the client before treating the list as complete.

List All Resources

# Collect every resource across all subscriptions the current identity can see
$resources = @()
$subs = Get-AzSubscription
 
foreach ($sub in $subs) {
  # Get-AzResource reads the current context, so switch per subscription
  Set-AzContext -Subscription $sub.Id | Out-Null
  $resources += Get-AzResource
}
 
# The default ConvertTo-Json depth (2) truncates nested properties such as tags and SKU
$resources | ConvertTo-Json -Depth 10 | Out-File ".\resources.json" -Encoding utf8

List All Resource Types

Output a unique list of resource types from the exported inventory. The two commands are equivalent; the first returns a JSON array, the second (with -r) prints one type per line:

jq 'map(.ResourceType) | unique' resources.json
jq -r 'unique_by(.ResourceType) | .[] | .ResourceType' resources.json

List Directory Roles

The AzureAD PowerShell module is retired, so the Entra ID steps below use the Microsoft Graph PowerShell SDK throughout. Get-MgDirectoryRole only returns roles that have been activated in the tenant (i.e. have or have had an assignment); Get-MgDirectoryRoleTemplate lists every built-in role regardless. PIM-eligible assignments are not members of the directoryRole object and will not appear in these results.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"
$DirectoryRoles = Get-MgDirectoryRole
$DirectoryRoles | Select-Object Id, DisplayName, Description
 
Id                                   DisplayName                                Description
--                                   -----------                                -----------
02bb6e8b-bb42-4f30-a527-0cfe44d1a902 Reports Reader                             Can read sign-in and audit reports.
...

Get Privileged Roles

Matching on the display name is a quick heuristic, not a complete list: roles such as Directory Writers or Partner Tier2 Support are privileged but do not contain "Administrator" in their name, so review the full role list as well.

$PrivilegedRoles = $DirectoryRoles | Where-Object {
  $_.DisplayName -like "*Administrator*" -or $_.DisplayName -eq "Global Reader"
}

List Privileged User Accounts

Role members are returned as generic directory objects (users, groups or service principals); the object type and display name sit in AdditionalProperties.

$PrivilegedUsers = $PrivilegedRoles | ForEach-Object {
  Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All
} | Select-Object Id,
  @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } },
  @{ n = 'Name'; e = { $_.AdditionalProperties['userPrincipalName'] ?? $_.AdditionalProperties['displayName'] } } -Unique

List Global Admins

 
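The following is an added example, not code from the original page: it completes the role-enumeration procedure above for the Global Administrator role. It resolves the role by its well-known template ID (62e90394-69f5-4237-9190-012177145e10, identical in every tenant) rather than by display name, expands role-assignable groups to their transitive members, and keeps service principals visible. It assumes the Microsoft.Graph PowerShell SDK and a tenant you are authorised to assess; the Resolve-Principal function and the global_admins.json output path are this example's own choices.

```powershell
# Added example: enumerate Global Administrator holders via Microsoft Graph.
# Assumes the Microsoft.Graph SDK is installed and the tenant is in scope.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" | Out-Null

# Global Administrator role template ID is the same in every tenant
$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"

# Get-MgDirectoryRole returns only roles activated in the tenant; filter client-side
$GaRole = Get-MgDirectoryRole | Where-Object RoleTemplateId -eq $GlobalAdminTemplateId
if (-not $GaRole) { throw "Global Administrator role object not found in this tenant" }

function Resolve-Principal {
    # Hypothetical helper: flatten a directoryObject member into a report row,
    # expanding groups so every effective holder is listed with how they got the role
    param([Parameter(Mandatory)] $DirectoryObject, [string] $Via = "direct")

    # Members come back as generic directoryObjects; useful fields sit in AdditionalProperties
    $type = $DirectoryObject.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
    switch ($type) {
        'user' {
            [pscustomobject]@{
                Id   = $DirectoryObject.Id
                Type = 'user'
                Name = $DirectoryObject.AdditionalProperties['userPrincipalName']
                Via  = $Via
            }
        }
        'group' {
            # Role-assignable groups carry the role to every transitive member
            $groupName = $DirectoryObject.AdditionalProperties['displayName']
            Get-MgGroupTransitiveMember -GroupId $DirectoryObject.Id -All |
                ForEach-Object { Resolve-Principal -DirectoryObject $_ -Via "group:$groupName" }
        }
        default {
            # servicePrincipal and anything else: an app holding Global Admin is a finding
            [pscustomobject]@{
                Id   = $DirectoryObject.Id
                Type = $type
                Name = $DirectoryObject.AdditionalProperties['displayName']
                Via  = $Via
            }
        }
    }
}

$GlobalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $GaRole.Id -All |
    ForEach-Object { Resolve-Principal -DirectoryObject $_ } |
    Sort-Object Id, Via -Unique

$GlobalAdmins | Format-Table Type, Name, Via -AutoSize
$GlobalAdmins | ConvertTo-Json -Depth 3 | Out-File ".\global_admins.json" -Encoding utf8
```

The same pattern applies to any other role in $PrivilegedRoles by swapping the template ID. Eligible (PIM) assignments are stored as role eligibility schedules rather than as role members, so they must be queried separately; a tenant that looks clean here can still have many users one activation away from Global Administrator.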

List Azure Role Assignments

Get-AzRoleAssignment lists the assignments visible from the current subscription context, including those inherited from management groups and the root scope, so run it once per in-scope subscription, as with Get-AzResource above:

Get-AzRoleAssignment
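The block below is an added example, not code from the original page. It runs Get-AzRoleAssignment across every subscription, tags each assignment with its subscription, classifies the scope string, and surfaces the assignments an assessor reviews first: high-privilege roles granted at root, management-group or subscription scope. It assumes the Az PowerShell module and an identity with Reader on each subscription; the $HighPrivilegeRoles list, the Get-ScopeKind helper and the role_assignments.json output path are this example's own choices.

```powershell
# Added example: collect Azure RBAC assignments from all subscriptions and
# flag broad grants of high-privilege roles. Assumes the Az module is installed.
$HighPrivilegeRoles = @('Owner', 'Contributor', 'User Access Administrator',
                        'Role Based Access Control Administrator')

$assignments = @()
foreach ($sub in Get-AzSubscription) {
    # Get-AzRoleAssignment reads the current context, so switch per subscription
    Set-AzContext -Subscription $sub.Id | Out-Null
    $assignments += Get-AzRoleAssignment |
        Select-Object *, @{ n = 'SubscriptionName'; e = { $sub.Name } }
}

function Get-ScopeKind {
    # Hypothetical helper: classify an ARM scope string so broad grants stand out
    param([string] $Scope)
    switch -Regex ($Scope) {
        '^/$'                                         { 'root'; break }
        '^/providers/Microsoft.Management/'           { 'managementGroup'; break }
        '^/subscriptions/[^/]+$'                      { 'subscription'; break }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$' { 'resourceGroup'; break }
        default                                       { 'resource' }
    }
}

# Assignments inherited from a management group repeat in every child subscription;
# dedupe on RoleAssignmentId so each grant is reported once
$findings = $assignments |
    Sort-Object RoleAssignmentId -Unique |
    Where-Object {
        $_.RoleDefinitionName -in $HighPrivilegeRoles -and
        (Get-ScopeKind $_.Scope) -in @('root', 'managementGroup', 'subscription')
    } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName,
        @{ n = 'ScopeKind'; e = { Get-ScopeKind $_.Scope } }, Scope |
    Sort-Object RoleDefinitionName, ScopeKind

# ObjectType 'Unknown' means the principal was deleted but the assignment remains;
# ServicePrincipal with Owner/Contributor at subscription scope is a common finding
$findings | Format-Table -AutoSize
$assignments | ConvertTo-Json -Depth 5 | Out-File ".\role_assignments.json" -Encoding utf8
```

Keep the full $assignments export as well as the filtered view: custom roles, resource-group-scoped Owners and conditional assignments (the Condition property) are not caught by the filter above and still need a manual pass.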

Tools

  • azure/azure_security_assessments.1748540187.txt.gz
  • Last modified: 2025/05/29 17:36
  • by mmuze