# Symbols used to render check results: U+2713 (check mark) for a passing
# condition and U+2717 (ballot X) for a failing one.
$checkMark, $xMark = [char]0x2713, [char]0x2717 # ✓ ✗
<#
Checkmark Logic:
Green checkmark (✓) conditions:
- Owner: True
- Global Administrator: True
- User Access Administrator: True
- Provider: Registered
- Diagnostic Settings: Count < 5
- All Policies: False
Red X (✗) conditions:
- Owner: False
- Global Administrator: False
- User Access Administrator: False
- Provider: Not Registered
- Diagnostic Settings: Count >= 5
- All Policies: True
#>
# Detect Azure Cloud Shell. Any one of these markers is taken as evidence:
# the ACC_CLOUD variable, the AZUREPS_HOST_ENVIRONMENT variable being set,
# or a mounted clouddrive directory under /home.
$cloudShellMarkers = @(
    ($env:ACC_CLOUD -eq "AzureCloud"),
    [bool]$env:AZUREPS_HOST_ENVIRONMENT,
    (Test-Path -Path "/home/*/clouddrive")
)
$isCloudShell = $cloudShellMarkers -contains $true
if ($isCloudShell) {
    Write-Host "Running in Azure Cloud Shell environment" -ForegroundColor Yellow
}
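# Establish an Azure session, reusing an existing one when present.
# Connect-AzAccount errors are non-terminating by default, so -ErrorAction Stop
# is required for the catch block to run at all; the script exits with a
# non-zero code so wrappers and CI notice a failed sign-in instead of the
# later checks running without a context.
try {
    # Check if already connected
    $context = Get-AzContext -ErrorAction SilentlyContinue
    if (-not $context) {
        Connect-AzAccount -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null
        $context = Get-AzContext -ErrorAction Stop
    }
    # A context without an account means the sign-in did not complete
    if (-not $context -or -not $context.Account) {
        throw "No Azure context is available after sign-in"
    }
} catch {
    Write-Host "Error connecting to Azure: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}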
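# Get the current user context. Account.Id is the sign-in name for a user
# account and the application id for a service principal; the -SignInName
# role checks further down only resolve the former.
$currentUser = (Get-AzContext).Account.Id
# Get all subscriptions visible to the signed-in identity
$subscriptions = @(Get-AzSubscription -ErrorAction Stop)
if ($subscriptions.Count -eq 0) {
    Write-Host "No subscriptions are visible to $currentUser" -ForegroundColor Yellow
}
# Get the tenant root management group. Get-AzTenant can return more than one
# tenant (e.g. for a guest account), in which case $tenantDetails.Id would be
# an array and the scope string below would be malformed; use the tenant of
# the current context and only fall back to the tenant list when it is empty.
$tenantDetails = Get-AzTenant -ErrorAction Stop
$tenantId = (Get-AzContext).Tenant.Id
if (-not $tenantId) {
    $tenantId = @($tenantDetails)[0].Id
}
$tenantRootId = "/providers/Microsoft.Management/managementGroups/$tenantId"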
# Built-in policy definitions whose assignment is reported as a blocker
# (see the checkmark logic above). Grouped by what the policy restricts.
$policyIdsToCheck = @(
    # Tags
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"; Name = "Require a tag and its value on resources" }
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46"; Name = "Require a tag and its value on resource groups" }
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99"; Name = "Require a tag on resources" }
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025"; Name = "Require a tag on resource groups" }
    # Location
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"; Name = "Allowed locations" }
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988"; Name = "Allowed locations for resource groups" }
    # Resource Types
    @{ Id = "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"; Name = "Allowed resource types" }
)
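# First check Tenant Root Management Group
Write-Host "`n=== Checking Tenant Root Management Group ===" -ForegroundColor Cyan
Write-Host "Scope: $tenantRootId"
# Owner Check at Tenant Root - Skip in Cloud Shell
Write-Host "`nOwner Check:"
if ($isCloudShell) {
    Write-Host " " -NoNewline
    Write-Host "?" -ForegroundColor Yellow -NoNewline
    Write-Host " Owner status at tenant root cannot be determined in Cloud Shell"
    Write-Host " To verify, please check in Azure Portal: https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade"
} else {
    # Query the scope that was just printed ($tenantRootId). Root scope '/'
    # is a different scope from the tenant root management group, so an
    # Owner assignment on the management group would not be found there.
    # A failure to list assignments (e.g. missing read permission) is
    # reported as an error rather than as "Is Owner: False".
    try {
        $tenantOwnerAssignment = Get-AzRoleAssignment -Scope $tenantRootId -RoleDefinitionName 'Owner' -SignInName $currentUser -ErrorAction Stop
        if ($tenantOwnerAssignment) {
            Write-Host " " -NoNewline
            Write-Host $checkMark -ForegroundColor Green -NoNewline
            Write-Host " Is Owner: True"
        } else {
            Write-Host " " -NoNewline
            Write-Host $xMark -ForegroundColor Red -NoNewline
            Write-Host " Is Owner: False"
        }
    } catch {
        Write-Host " " -NoNewline
        Write-Host $xMark -ForegroundColor Red -NoNewline
        Write-Host " Is Owner: Error checking ($($_.Exception.Message))"
    }
}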
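# Global Administrator Check
Write-Host "`nGlobal Administrator Check:"
if ($isCloudShell) {
    # In Cloud Shell, we'll use a different approach that doesn't rely on Graph API
    Write-Host " " -NoNewline
    Write-Host "?" -ForegroundColor Yellow -NoNewline
    Write-Host " Global Administrator status cannot be reliably determined in Cloud Shell"
    Write-Host " To verify, please check in Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles/adminUnitObjectId//resourceScope/%2F"
    # Optional and informational only: report who the Az CLI is logged in as,
    # when the CLI is present. This does not determine role membership.
    try {
        if (Get-Command az -ErrorAction SilentlyContinue) {
            Write-Host " Attempting alternative check using Az CLI..."
            $azAccount = az account show 2>$null | ConvertFrom-Json
            if ($azAccount) {
                $userPrincipalName = $azAccount.user.name
                Write-Host " Logged in as: $userPrincipalName"
                # This is just informational - we can't reliably check Global Admin status in Cloud Shell
                Write-Host " Note: For security reasons, Global Administrator status can only be verified in the Azure Portal"
            }
        }
    } catch {
        # Best effort only: a missing or failing Az CLI must not abort the report
    }
} else {
    # Regular check for non-Cloud Shell environments
    $isGlobalAdmin = $false
    $globalAdminRoleName = "Global Administrator" # The display name of the Global Admin role
    $globalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10" # Well-known roleTemplateId of the Global Administrator role
    try {
        # Get an access token for Microsoft Graph API, suppressing warnings.
        # Newer Az.Accounts releases return the token as a SecureString; accept
        # both shapes so the Authorization header carries the real token.
        $tokenValue = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com" -WarningAction SilentlyContinue).Token
        if ($tokenValue -is [System.Security.SecureString]) {
            $tokenValue = [System.Net.NetworkCredential]::new('', $tokenValue).Password
        }
        # Set the request headers
        $headers = @{
            "Authorization" = "Bearer $tokenValue"
        }
        # Query Microsoft Graph API for the user's direct memberships. The
        # response is paged; follow @odata.nextLink, because stopping at the
        # first page can miss the role for users with many group memberships.
        $uri = "https://graph.microsoft.com/v1.0/me/memberOf"
        $memberships = @()
        while ($uri) {
            $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
            $memberships += $response.value
            $uri = $response.'@odata.nextLink'
        }
        # Match directoryRole objects only: a security group can also carry the
        # display name "Global Administrator", and matching on the name alone
        # would report it as the role. Prefer the stable roleTemplateId and keep
        # the display name as a fallback.
        # NOTE(review): memberOf lists direct memberships, so a role held via a
        # role-assignable group or an inactive PIM eligibility is not seen here.
        $globalAdminRole = $memberships | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.directoryRole' -and
            ($_.roleTemplateId -eq $globalAdminRoleTemplateId -or $_.displayName -eq $globalAdminRoleName)
        }
        if ($globalAdminRole) {
            $isGlobalAdmin = $true
            Write-Host " " -NoNewline
            Write-Host $checkMark -ForegroundColor Green -NoNewline
            Write-Host " Is Global Administrator: True"
        } else {
            Write-Host " " -NoNewline
            Write-Host $xMark -ForegroundColor Red -NoNewline
            Write-Host " Is Global Administrator: False"
            Write-Host " To manage Global Administrators, visit: https://portal.azure.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles/adminUnitObjectId//resourceScope/%2F"
        }
    } catch {
        Write-Host " " -NoNewline
        Write-Host $xMark -ForegroundColor Red -NoNewline
        Write-Host " Is Global Administrator: Error checking ($($_.Exception.Message))"
        Write-Host " To manage Global Administrators, visit: https://portal.azure.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles/adminUnitObjectId//resourceScope/%2F"
    }
}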
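# User Access Administrator Check - Skip in Cloud Shell
# Elevated access is granted at root scope '/', so '/' is the correct scope here.
Write-Host "`nUser Access Administrator Check:"
if ($isCloudShell) {
    Write-Host " " -NoNewline
    Write-Host "?" -ForegroundColor Yellow -NoNewline
    Write-Host " User Access Administrator status cannot be determined in Cloud Shell"
    Write-Host " To verify, please check in Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties"
} else {
    try {
        # Check if the user has User Access Administrator role at root scope.
        # -ErrorAction Stop is needed so that a listing failure reaches the
        # catch block below instead of being reported as "False".
        $userAccessAdminRole = Get-AzRoleAssignment -Scope '/' -RoleDefinitionName 'User Access Administrator' -SignInName $currentUser -ErrorAction Stop
        $hasUserAccessAdmin = [bool]$userAccessAdminRole
        if ($hasUserAccessAdmin) {
            Write-Host " " -NoNewline
            Write-Host $checkMark -ForegroundColor Green -NoNewline
            Write-Host " Is User Access Administrator: True"
        } else {
            Write-Host " " -NoNewline
            Write-Host $xMark -ForegroundColor Red -NoNewline
            Write-Host " Is User Access Administrator: False"
            Write-Host " To enable, visit: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties"
        }
    } catch {
        Write-Host " " -NoNewline
        Write-Host $xMark -ForegroundColor Red -NoNewline
        Write-Host " Is User Access Administrator: Error checking ($($_.Exception.Message))"
        Write-Host " To enable, visit: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties"
    }
}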
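# Policy Checks at Tenant Root
Write-Host "`nPolicy Checks:"
# List the scope's assignments once rather than once per policy. A listing
# failure (e.g. insufficient permission) is reported and the policies are
# marked unknown instead of all being reported as "False".
try {
    $tenantAssignments = @(Get-AzPolicyAssignment -Scope $tenantRootId -ErrorAction Stop)
} catch {
    Write-Host "Error listing policy assignments at $tenantRootId`: $($_.Exception.Message)"
    $tenantAssignments = $null
}
foreach ($policyInfo in $policyIdsToCheck) {
    if ($null -eq $tenantAssignments) {
        Write-Host " " -NoNewline
        Write-Host "?" -ForegroundColor Yellow -NoNewline
        Write-Host " $($policyInfo.Name): Unknown (assignments could not be listed)"
        continue
    }
    try {
        $policy = Get-AzPolicyDefinition -Id $policyInfo.Id -ErrorAction Stop
        if ($policy) {
            # NOTE(review): only a direct assignment of this definition is matched;
            # an assignment of an initiative that contains the definition is not
            # detected here.
            $isPolicyEnabled = [bool]($tenantAssignments | Where-Object { $_.PolicyDefinitionId -eq $policyInfo.Id } | Select-Object -First 1)
            if ($isPolicyEnabled) {
                # Red X for any policy when True
                Write-Host " " -NoNewline
                Write-Host $xMark -ForegroundColor Red -NoNewline
                Write-Host " $($policyInfo.Name): True"
            } else {
                # Green checkmark for any policy when False
                Write-Host " " -NoNewline
                Write-Host $checkMark -ForegroundColor Green -NoNewline
                Write-Host " $($policyInfo.Name): False"
            }
        }
    } catch {
        Write-Host "Error checking policy definition $($policyInfo.Id)`: $($_.Exception.Message)"
    }
}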
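# Then check each subscription
# Resource providers that must be registered in every subscription
$requiredProviders = @(
    "Microsoft.Insights"
    "Microsoft.Management"
    "Microsoft.EventHub"
    "Microsoft.PolicyInsights"
)
foreach ($subscription in $subscriptions) {
    Write-Host "`n=== Checking Subscription ===" -ForegroundColor Cyan
    Write-Host "Scope: /subscriptions/$($subscription.Id)"
    # Set the active subscription. Pin the tenant so a subscription visible
    # through more than one tenant resolves to the intended one, and skip the
    # subscription when the switch fails rather than checking the previous
    # context under this subscription's heading.
    try {
        Set-AzContext -SubscriptionId $subscription.Id -TenantId $subscription.TenantId -ErrorAction Stop | Out-Null
    } catch {
        Write-Host " Unable to select subscription $($subscription.Id): $($_.Exception.Message)" -ForegroundColor Red
        continue
    }
    # Provider Checks
    Write-Host "`nProvider Checks:"
    foreach ($provider in $requiredProviders) {
        # Get-AzResourceProvider returns one entry per resource type in the
        # namespace; the namespace counts as registered when an entry reports
        # "Registered". A lookup failure leaves the list empty -> not registered.
        $providerRegistration = Get-AzResourceProvider -ProviderNamespace $provider -ErrorAction SilentlyContinue
        $registrationStates = @($providerRegistration | ForEach-Object { $_.RegistrationState })
        if ($registrationStates -contains "Registered") {
            # Green checkmark for registered providers
            Write-Host " " -NoNewline
            Write-Host $checkMark -ForegroundColor Green -NoNewline
            Write-Host " Provider $provider is registered"
        } else {
            # Red X for unregistered providers
            Write-Host " " -NoNewline
            Write-Host $xMark -ForegroundColor Red -NoNewline
            Write-Host " Provider $provider is not registered"
        }
    }
    # Owner Check - Skip in Cloud Shell
    Write-Host "`nOwner Check:"
    if ($isCloudShell) {
        Write-Host " " -NoNewline
        Write-Host "?" -ForegroundColor Yellow -NoNewline
        Write-Host " Owner status cannot be determined in Cloud Shell"
        Write-Host " To verify, please check in Azure Portal: https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade"
    } else {
        # Assignments to the signed-in identity at subscription scope. A listing
        # failure is reported as an error rather than as "Is Owner: False".
        # NOTE(review): Owner held through a group membership is not matched by
        # this query; Get-AzRoleAssignment's -ExpandPrincipalGroups switch would
        # cover that for user accounts - confirm before enabling it.
        try {
            $roleAssignments = @(Get-AzRoleAssignment -SignInName $currentUser -Scope "/subscriptions/$($subscription.Id)" -ErrorAction Stop)
            $isOwner = [bool]($roleAssignments | Where-Object { $_.RoleDefinitionName -eq "Owner" } | Select-Object -First 1)
            if ($isOwner) {
                Write-Host " " -NoNewline
                Write-Host $checkMark -ForegroundColor Green -NoNewline
                Write-Host " Is Owner: True"
            } else {
                Write-Host " " -NoNewline
                Write-Host $xMark -ForegroundColor Red -NoNewline
                Write-Host " Is Owner: False"
            }
        } catch {
            Write-Host " " -NoNewline
            Write-Host $xMark -ForegroundColor Red -NoNewline
            Write-Host " Is Owner: Error checking ($($_.Exception.Message))"
        }
    }
    # Diagnostic Settings Check
    Write-Host "`nDiagnostic Settings Check:"
    # Azure Monitor allows up to five diagnostic settings per resource, so the
    # check passes while the subscription's activity log still has a free slot
    # for a new export. A query failure is reported instead of counting as 0.
    try {
        $diagnosticSettings = Get-AzDiagnosticSetting -ResourceId "/subscriptions/$($subscription.Id)" -ErrorAction Stop
        $logCount = if ($diagnosticSettings) { ($diagnosticSettings | Measure-Object).Count } else { 0 }
        if ($logCount -lt 5) {
            # Green checkmark for log count less than 5
            Write-Host " " -NoNewline
            Write-Host $checkMark -ForegroundColor Green -NoNewline
            Write-Host " Activity Logs Exported: $($logCount)"
        } else {
            # Red X for log count 5 or greater
            Write-Host " " -NoNewline
            Write-Host $xMark -ForegroundColor Red -NoNewline
            Write-Host " Activity Logs Exported: $($logCount)"
            # Add link to Azure portal for exporting activity logs
            Write-Host " To manage Activity Log settings, visit: https://portal.azure.com/#view/Microsoft_Azure_Monitoring/DiagnosticsLogsBlade/queryInputs~/%7B%22subscriptionId%22%3A%22%2Fsubscriptions%2F$($subscription.Id)%22%7D"
        }
    } catch {
        Write-Host " " -NoNewline
        Write-Host "?" -ForegroundColor Yellow -NoNewline
        Write-Host " Activity Logs Exported: Error checking ($($_.Exception.Message))"
    }
    # Policy Checks
    Write-Host "`nPolicy Checks:"
    # List the subscription's assignments once rather than once per policy; a
    # listing failure marks the policies unknown instead of "False".
    try {
        $subscriptionAssignments = @(Get-AzPolicyAssignment -Scope "/subscriptions/$($subscription.Id)" -ErrorAction Stop)
    } catch {
        Write-Host "Error listing policy assignments at /subscriptions/$($subscription.Id)`: $($_.Exception.Message)"
        $subscriptionAssignments = $null
    }
    foreach ($policyInfo in $policyIdsToCheck) {
        if ($null -eq $subscriptionAssignments) {
            Write-Host " " -NoNewline
            Write-Host "?" -ForegroundColor Yellow -NoNewline
            Write-Host " $($policyInfo.Name): Unknown (assignments could not be listed)"
            continue
        }
        try {
            $policy = Get-AzPolicyDefinition -Id $policyInfo.Id -ErrorAction Stop
            if ($policy) {
                # NOTE(review): only a direct assignment of this definition is
                # matched; an initiative containing the definition is not detected.
                $isPolicyEnabled = [bool]($subscriptionAssignments | Where-Object { $_.PolicyDefinitionId -eq $policyInfo.Id } | Select-Object -First 1)
                if ($isPolicyEnabled) {
                    # Red X for any policy when True
                    Write-Host " " -NoNewline
                    Write-Host $xMark -ForegroundColor Red -NoNewline
                    Write-Host " $($policyInfo.Name): True"
                } else {
                    # Green checkmark for any policy when False
                    Write-Host " " -NoNewline
                    Write-Host $checkMark -ForegroundColor Green -NoNewline
                    Write-Host " $($policyInfo.Name): False"
                }
            }
        } catch {
            Write-Host "Error checking policy definition $($policyInfo.Id)`: $($_.Exception.Message)"
        }
    }
}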