|
| 1 | +# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido |
| 2 | +# |
| 3 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +# you may not use this file except in compliance with the License. |
| 5 | +# You may obtain a copy of the License at |
| 6 | +# |
| 7 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +# |
| 9 | +# Unless required by applicable law or agreed to in writing, software |
| 10 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +# See the License for the specific language governing permissions and |
| 13 | +# limitations under the License. |
| 14 | + |
| 15 | +function Get-MonkeyAzRBACForManagedIdentity{ |
| 16 | + <# |
| 17 | + .SYNOPSIS |
| 18 | + Get Role assignments for managed identities |
| 19 | +
|
| 20 | + .DESCRIPTION |
| 21 | + Get Role assignments for managed identities |
| 22 | +
|
| 23 | + .INPUTS |
| 24 | +
|
| 25 | + .OUTPUTS |
| 26 | +
|
| 27 | + .EXAMPLE |
| 28 | +
|
| 29 | + .NOTES |
| 30 | + Author : Juan Garrido |
| 31 | + Twitter : @tr1ana |
| 32 | + File Name : Get-MonkeyAzRBACForManagedIdentity |
| 33 | + Version : 1.0 |
| 34 | +
|
| 35 | + .LINK |
| 36 | + https://github.com/silverhack/monkey365 |
| 37 | + #> |
| 38 | + [CmdletBinding()] |
| 39 | + Param ( |
| 40 | + [Parameter(Mandatory=$True, ValueFromPipeline = $True, HelpMessage="Object")] |
| 41 | + [Object]$InputObject |
| 42 | + ) |
| 43 | + Begin{ |
| 44 | + #Set array |
| 45 | + $allIdentities = [System.Collections.Generic.List[System.Object]]::new() |
| 46 | + #Get Config |
| 47 | + $_config = @($O365Object.internal_config.ResourceManager).Where{$_.Name -eq "managedIdentity"} | Select-Object -ExpandProperty resource |
| 48 | + } |
| 49 | + Process{ |
| 50 | + Try{ |
| 51 | + ForEach($_object in @($InputObject)){ |
| 52 | + $identity = $_object | Select-Object -ExpandProperty identity -ErrorAction Ignore |
| 53 | + If($null -ne $identity){ |
| 54 | + If($identity.type.ToLower() -eq "userassigned"){ |
| 55 | + $identities = $identity.userAssignedIdentities.PsObject.Properties | Select-Object -ExpandProperty Name -ErrorAction Ignore |
| 56 | + #Get managed user identities |
| 57 | + ForEach($_identity in @($identities)){ |
| 58 | + $p = @{ |
| 59 | + Id = $_identity; |
| 60 | + APIVersion = $_config.api_version; |
| 61 | + Verbose = $O365Object.Verbose; |
| 62 | + Debug = $O365Object.Debug; |
| 63 | + InformationAction = $O365Object.InformationAction; |
| 64 | + } |
| 65 | + $_id = Get-MonkeyAzObjectById @p |
| 66 | + If($null -ne $_id){ |
| 67 | + $_userIdentity = [PsCustomObject]@{ |
| 68 | + id = $_id.id; |
| 69 | + name = $_id.name; |
| 70 | + location = $_id.location; |
| 71 | + tags = $_id | Select-Object -ExpandProperty tags -ErrorAction Ignore |
| 72 | + type = $_id.type; |
| 73 | + tenantId = $_id.properties.tenantId; |
| 74 | + principalId = $_id.properties.principalId; |
| 75 | + clientId = $_id.properties.clientId; |
| 76 | + isolationScope = $_id.properties.isolationScope; |
| 77 | + roleAssignment = (Get-MonkeyAzIAMPermission -PrincipalId $_id.properties.principalId -AtScope) |
| 78 | + } |
| 79 | + #Add to array |
| 80 | + [void]$allIdentities.Add($_userIdentity); |
| 81 | + } |
| 82 | + } |
| 83 | + } |
| 84 | + ElseIf($identity.type.ToLower() -eq "systemassigned"){ |
| 85 | + $identities = $identity | Select-Object -ExpandProperty principalId |
| 86 | + ForEach($_identity in @($identities)){ |
| 87 | + #Get Service principal |
| 88 | + $sp = Get-MonkeyMSGraphServicePrincipal -ServicePrincipalId $_identity |
| 89 | + If($null -ne $sp){ |
| 90 | + $_systemIdentity = [PsCustomObject]@{ |
| 91 | + id = $sp.id; |
| 92 | + name = $sp.displayName; |
| 93 | + location = $null; |
| 94 | + tags = $null; |
| 95 | + type = $sp.servicePrincipalType; |
| 96 | + tenantId = $identity.tenantId; |
| 97 | + principalId = $identity.principalId; |
| 98 | + clientId = $sp.appId; |
| 99 | + isolationScope = $null; |
| 100 | + roleAssignment = (Get-MonkeyAzIAMPermission -PrincipalId $_identity -AtScope) |
| 101 | + } |
| 102 | + #Add to array |
| 103 | + [void]$allIdentities.Add($_systemIdentity); |
| 104 | + } |
| 105 | + } |
| 106 | + } |
| 107 | + ElseIf($identity.type.ToLower().Contains('systemassigned') -and $identity.type.ToLower().Contains('userassigned')){ |
| 108 | + #Get PrincipalId |
| 109 | + $identities = $identity | Select-Object -ExpandProperty principalId |
| 110 | + ForEach($_identity in @($identities)){ |
| 111 | + #Get Service principal |
| 112 | + $sp = Get-MonkeyMSGraphServicePrincipal -ServicePrincipalId $_identity |
| 113 | + If($null -ne $sp){ |
| 114 | + $_systemIdentity = [PsCustomObject]@{ |
| 115 | + id = $sp.id; |
| 116 | + name = $sp.displayName; |
| 117 | + location = $null; |
| 118 | + tags = $null; |
| 119 | + type = $sp.servicePrincipalType; |
| 120 | + tenantId = $identity.tenantId; |
| 121 | + principalId = $identity.principalId; |
| 122 | + clientId = $sp.appId; |
| 123 | + isolationScope = $null; |
| 124 | + roleAssignment = (Get-MonkeyAzIAMPermission -PrincipalId $_identity -AtScope) |
| 125 | + } |
| 126 | + #Add to array |
| 127 | + [void]$allIdentities.Add($_systemIdentity); |
| 128 | + } |
| 129 | + } |
| 130 | + #Get user managed identities |
| 131 | + $identities = $identity.userAssignedIdentities.PsObject.Properties | Select-Object -ExpandProperty Name -ErrorAction Ignore |
| 132 | + #Get managed user identities |
| 133 | + ForEach($_identity in @($identities)){ |
| 134 | + $p = @{ |
| 135 | + Id = $_identity; |
| 136 | + APIVersion = $_config.api_version; |
| 137 | + Verbose = $O365Object.Verbose; |
| 138 | + Debug = $O365Object.Debug; |
| 139 | + InformationAction = $O365Object.InformationAction; |
| 140 | + } |
| 141 | + $_id = Get-MonkeyAzObjectById @p |
| 142 | + If($null -ne $_id){ |
| 143 | + $_userIdentity = [PsCustomObject]@{ |
| 144 | + id = $_id.id; |
| 145 | + name = $_id.name; |
| 146 | + location = $_id.location; |
| 147 | + tags = $_id | Select-Object -ExpandProperty tags -ErrorAction Ignore |
| 148 | + type = $_id.type; |
| 149 | + tenantId = $_id.properties.tenantId; |
| 150 | + principalId = $_id.properties.principalId; |
| 151 | + clientId = $_id.properties.clientId; |
| 152 | + isolationScope = $_id.properties.isolationScope; |
| 153 | + roleAssignment = (Get-MonkeyAzIAMPermission -PrincipalId $_id.properties.principalId -AtScope) |
| 154 | + } |
| 155 | + #Add to array |
| 156 | + [void]$allIdentities.Add($_userIdentity); |
| 157 | + } |
| 158 | + } |
| 159 | + } |
| 160 | + } |
| 161 | + } |
| 162 | + Write-Output $allIdentities -NoEnumerate |
| 163 | + } |
| 164 | + Catch{ |
| 165 | + Write-Error $_.Exception |
| 166 | + } |
| 167 | + } |
| 168 | +} |
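Review bot: `Write-Output $allIdentities -NoEnumerate` at gutter line 162 sits inside the Process block, so when objects arrive over the pipeline the accumulating list is emitted once per input object (the same list reference each time), and because the Catch at 164–166 only writes the error, a single failing lookup inside the Try leaves nothing emitted at all. Moving the emission into an End block (`End{ Write-Output $allIdentities -NoEnumerate }`) returns the list exactly once after every object has been processed. The `$identity.type.ToLower()` comparisons at 54, 84 and 107 throw on a null `type`, which aborts the whole batch into that Catch; PowerShell's `-eq` and `-match` are already case-insensitive, so `$identity.type -eq "userassigned"` and `$identity.type -match 'systemassigned'` are both safer and shorter. The user-assigned block at 57–82 is repeated verbatim at 133–158 and the system-assigned block at 86–105 at 110–129; a local function per identity kind would halve the body and keep the two paths from drifting apart.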