User Access Review custom report in Microsoft Azure - azure

Is there a way I can fetch all users currently assigned permissions to each resource created under a subscription?
To put it in other words, I want to traverse all the resources created under a subscription and get the list of all users, service principal names, SGs, and AAD groups, along with their roles, who have access to each resource. This report would help me perform a periodic user access review.
Any leads/code would be appreciated.

You could simply get that with the PowerShell cmdlet Get-AzRoleAssignment.
Without any parameters, Get-AzRoleAssignment gets all the role assignments in the subscription; you can also use different parameters, e.g. -ObjectId or -Scope, to list assignments to a specific user/service principal/security group, or to list assignments on a specific resource group or resource.
For more details, see https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-powershell
The same thing can also be achieved with the REST API, Azure CLI, and the SDKs for different languages.
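The report the question asks for is not quite what a bare Get-AzRoleAssignment dump gives you: an assignment made on the subscription or a resource group is effective on every resource below it, so a per-resource review has to fold inherited grants in. The script below is an added example (not code from the answer above); it fetches the subscription's assignments once, then computes, for the subscription itself, every resource group and every resource, which assignments apply to it by scope prefix. It assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has been run, the current context's subscription is the one to review, and an output path of .\access-review-<subscription id>.csv; all three are placeholders you can change.

```powershell
# Added example, not from the original answer. Requires Az.Accounts + Az.Resources and an
# existing login (Connect-AzAccount). Reader on the subscription is enough: role assignments are
# readable through Microsoft.Authorization/roleAssignments/read.
param(
    [string] $SubscriptionId = (Get-AzContext).Subscription.Id,        # assumption: current context
    [string] $OutFile = ".\access-review-$SubscriptionId.csv"         # assumption: output path
)

Set-AzContext -Subscription $SubscriptionId | Out-Null

# One call for the whole subscription. With no parameters Get-AzRoleAssignment returns the
# assignments made at the subscription scope and at every scope below it, plus the ones
# inherited from management groups and the root scope (those keep their own Scope value).
$assignments = Get-AzRoleAssignment

# Scopes above the subscription apply to everything in it regardless of resource id.
function Test-InheritedByAll([string] $Scope) {
    return $Scope -eq '/' -or $Scope -like '/providers/Microsoft.Management/managementGroups/*'
}

# An assignment is effective on a target when its scope is the target itself or an ancestor of
# it. Compare on path-segment boundaries and case-insensitively: ARM ids are not case-normalised,
# and "/rg1" must not match "/rg10".
function Test-AppliesTo([string] $AssignmentScope, [string] $TargetId) {
    if (Test-InheritedByAll $AssignmentScope) { return $true }
    $scope = $AssignmentScope.TrimEnd('/')
    return $TargetId.Equals($scope, 'OrdinalIgnoreCase') -or
           $TargetId.StartsWith("$scope/", 'OrdinalIgnoreCase')
}

# Review targets: the subscription (so subscription-level grants are reviewed too), every
# resource group and every resource.
$targets  = @("/subscriptions/$SubscriptionId")
$targets += (Get-AzResourceGroup).ResourceId
$targets += (Get-AzResource).ResourceId

$report = foreach ($target in $targets) {
    foreach ($a in $assignments) {
        if (-not (Test-AppliesTo $a.Scope $target)) { continue }
        [pscustomobject]@{
            Resource      = $target
            Principal     = $a.DisplayName
            SignInName    = $a.SignInName        # empty for groups and service principals
            PrincipalType = $a.ObjectType        # User, Group, ServicePrincipal, or Unknown
            Role          = $a.RoleDefinitionName
            AssignedAt    = $a.Scope
            Inherited     = ($a.Scope.TrimEnd('/') -ne $target.TrimEnd('/'))
            Condition     = $a.Condition         # ABAC condition text, if the assignment has one
        }
    }
}

$report | Sort-Object Resource, Role, Principal | Export-Csv -Path $OutFile -NoTypeInformation
"$($report.Count) effective assignments written to $OutFile"

# Assignments whose principal has been deleted come back with ObjectType 'Unknown' and an empty
# DisplayName. They are orphaned grants: list them so the review removes them.
$report | Where-Object PrincipalType -eq 'Unknown' |
    Select-Object AssignedAt, Role -Unique
```

The Inherited column is what makes the output useful in a review: a row marked inherited cannot be fixed on the resource, it has to be removed or narrowed at the scope shown in AssignedAt. For several subscriptions, wrap the script in a loop over Get-AzSubscription and call Set-AzContext per subscription.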

Related

Grant Read access to service principal to get ONLY subscription ids on Azure

I have over 50 Azure subscriptions under the same tenant. I have created a service principal under Azure Active Directory and given the service principal the 'Reader' role in each subscription. When I make an API call from Postman I get all subscription ids, but my concern is that I am giving 'READ' access to all my resources in the different subscriptions. I want to limit this service principal so that it will ONLY be able to list the subscription ids and nothing else.
"I want to limit this service principal so that it will ONLY be able to list the subscription ids and nothing else."
With the "Reader" role, a user would be able to read all resources inside a subscription and not just the subscription id.
I believe the solution to your problem is to create a custom role (let's call it SubscriptionPropertiesReader) and then give it only the permission to perform the read operation at the subscription level. Based on the information provided here, I believe the permission you would want to include in this role is Microsoft.Resources/subscriptions/read.
The challenge obviously will be to create this custom role in each and every subscription and then assign this role to your service principal in each subscription.
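The custom role described in the answer, built and assigned in PowerShell, as an added example (not the answer's own code). One point worth knowing when you do this for 50 subscriptions: a custom role definition is created once per tenant and can list every target subscription in its AssignableScopes, so only the role assignment has to be repeated per subscription. The script assumes Az.Accounts and Az.Resources, a login that holds Owner or User Access Administrator on each target subscription (creating the definition requires Microsoft.Authorization/roleDefinitions/write on every assignable scope), and a placeholder service principal object id that you replace.

```powershell
# Added example, not from the original answer. Requires Az.Accounts + Az.Resources and a login
# that can write role definitions and assignments in every target subscription.
$servicePrincipalObjectId = '00000000-0000-0000-0000-000000000000'   # assumption: placeholder object id
$roleName = 'SubscriptionPropertiesReader'

# Every subscription the service principal may enumerate. One definition covers all of them.
$subscriptionIds = (Get-AzSubscription).Id

# Start from the built-in Reader definition so the object has the right shape, then reduce it
# to the single action the requirement calls for. Reader's '*/read' is what grants control-plane
# reads of every resource; removing it is the whole point.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = 'Read subscription properties only; no access to resources inside the subscription.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/read')
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
foreach ($id in $subscriptionIds) { $role.AssignableScopes.Add("/subscriptions/$id") }

# Create on first run, update afterwards (e.g. when a new subscription has to be added to
# AssignableScopes). Set-AzRoleDefinition needs the existing definition's Id.
$existing = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if ($existing) {
    $role.Id = $existing.Id
    Set-AzRoleDefinition -Role $role | Out-Null
} else {
    New-AzRoleDefinition -Role $role | Out-Null
}

# Assign at every subscription. New-AzRoleAssignment errors on a duplicate, so check first to
# keep the script safe to re-run.
foreach ($id in $subscriptionIds) {
    $scope = "/subscriptions/$id"
    $have = Get-AzRoleAssignment -ObjectId $servicePrincipalObjectId -RoleDefinitionName $roleName -Scope $scope
    if (-not $have) {
        New-AzRoleAssignment -ObjectId $servicePrincipalObjectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
    }
}

# Verify the role is as narrow as intended: the only allowed action should be the subscription read.
(Get-AzRoleDefinition -Name $roleName) | Select-Object Name, Actions, NotActions, AssignableScopes
```

After the Reader assignments are removed, the service principal can still call GET /subscriptions (listing only returns subscriptions where the caller holds some role assignment, which this one provides) but any call into a subscription's resources returns 403.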

Azure Rest API Get More Information about Subscriptions, Resource Groups and Resources

Using this URL I can get more detailed information about a subscription, but is there a way to find CreationDate, CreatedBy, and a list of users who have access to it?
Also the same for resource groups and resources.
Thanks!
You can find all that information (when: EventTimestamp; who: Caller; and the subscription id) in the Activity Log REST API.
You should filter on the operation Microsoft.Management/register/action, as it represents the creation of a new subscription.
With the subscription id in hand you can use List role assignments to find who has access to it.
In the same activity log you may find the same information as above for a resource group and any other resource. The operation for creation of a resource group is: Microsoft.Resources/subscriptions/resourceGroups/write
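The resource-group half of that answer, done from PowerShell with the Az.Monitor cmdlet over the same Activity Log API, as an added example (not from the answer). The caveat a reviewer needs to know: the activity log is retained for 90 days, so "CreatedBy" can only be recovered for groups created in that window unless the log was exported to Log Analytics or a storage account first. The script assumes Az.Accounts and Az.Monitor, a login with Reader on the subscription, the current context's subscription, and a resource group name you supply.

```powershell
# Added example, not from the original answer. Requires Az.Accounts + Az.Monitor and a login with
# Reader on the subscription. Activity log retention is 90 days; older creation events are gone
# unless they were exported.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,          # assumption: group to investigate
    [string] $SubscriptionId = (Get-AzContext).Subscription.Id   # assumption: current context
)

Set-AzContext -Subscription $SubscriptionId | Out-Null
$rgScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

# Pull the whole retained window for the group. -MaxRecord defaults to a small page; raise it
# further for very busy groups.
$events = Get-AzActivityLog -ResourceGroupName $ResourceGroupName `
                            -StartTime (Get-Date).AddDays(-89) -EndTime (Get-Date) `
                            -MaxRecord 10000 -DetailedOutput

# Current Az.Monitor returns OperationName and Status as plain strings; older builds returned a
# localizable object with a .Value member. Accept both.
function Get-Text($v) { if ($v -is [string]) { $v } else { $v.Value } }

# The successful PUT on the group's own id is its creation (or a later property/tag update, so
# take the earliest). The same operation name with a child ResourceId is a write to a resource
# inside the group, not the group itself, hence the ResourceId check.
$created = $events |
    Where-Object { (Get-Text $_.OperationName) -eq 'Microsoft.Resources/subscriptions/resourceGroups/write' -and
                   $_.ResourceId -eq $rgScope -and (Get-Text $_.Status) -eq 'Succeeded' } |
    Sort-Object EventTimestamp | Select-Object -First 1

if ($created) {
    [pscustomobject]@{
        ResourceGroup = $ResourceGroupName
        CreatedOn     = $created.EventTimestamp
        CreatedBy     = $created.Caller                          # UPN, or a service principal's id
        CallerIp      = $created.HttpRequest.ClientIpAddress
    }
} else {
    "No successful write to $rgScope in the last 90 days: created earlier, or the log was not retained."
}

# Who is actively changing things in the group: successful writes/deletes per caller, most recent first.
$events |
    Where-Object { (Get-Text $_.OperationName) -match '/(write|delete)$' -and (Get-Text $_.Status) -eq 'Succeeded' } |
    Group-Object Caller |
    ForEach-Object {
        $last = $_.Group | Sort-Object EventTimestamp -Descending | Select-Object -First 1
        [pscustomobject]@{
            Caller        = $_.Name
            Changes       = $_.Count
            LastChange    = $last.EventTimestamp
            LastOperation = Get-Text $last.OperationName
        }
    } | Sort-Object LastChange -Descending
```

For a single resource, replace -ResourceGroupName with -ResourceId and match on that resource's write operation (for example Microsoft.Storage/storageAccounts/write). The "who has access" part of the question is the role-assignment listing covered in the first answer on this page.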

Traversing Azure PIM Roles for Review

Azure PIM just adds a temporary RBAC assignment to the resource, and the role assignment goes away after the allowed time slot (maximum of 8 hrs).
So, I wanted to understand if there is a way to conduct user access reviews on all Azure PIM roles, like how I can know which users can elevate PIM roles, which roles, and at what scope. I understand there is "Access Review" in PIM, but that needs admin-level permissions, hence I am wondering if there is a way through PowerShell or CLI to create such a report for periodic reviews.
Yes, there is a command Get-AzureADMSPrivilegedRoleAssignment in the AzureADPreview module that calls the Microsoft Graph - List governanceRoleAssignments; it should meet your requirement, but it is in preview and I believe there is a bug in this command/API, as when you run the command/call the API there is always an UnknownError (I have tested it with a Global admin in the AAD tenant and the Owner role in the subscription, so there should be no permission issue). So to use it successfully, I think you may need to wait for it to be GA.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId AzureResources -ResourceId <tenant-id>
"I understand there is "Access Review" in PIM but that needs admin-level permissions"
Besides, even if it becomes GA in the future, I think it needs admin permissions, because the feature in the portal and the PowerShell cmdlet should both call the same API, so they need the same permission. So if you don't have enough permission, you could not do this anyway.
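The question is about eligibility: who could activate which role at which scope. For Azure resource roles that data sits in Azure Resource Manager, not in the directory, and the roleEligibilitySchedules REST API exposes it at any scope. The script below is an added example (not from the answer above) that reads it through Invoke-AzRestMethod, which reuses the Az login token and follows paging. It assumes Az.Accounts, a login with Microsoft.Authorization/roleEligibilitySchedules/read on the scope (Reader's */read includes it), and the current context's subscription as the scope; a management group id works as the scope too.

```powershell
# Added example, not from the original answer. Requires Az.Accounts and a login; the API is
# <scope>/providers/Microsoft.Authorization/roleEligibilitySchedules (api-version 2020-10-01).
param(
    # assumption: review the current subscription; "/providers/Microsoft.Management/managementGroups/<id>" also works
    [string] $Scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
)

function Get-ArmPages([string] $Path) {
    # ARM returns results in pages; follow nextLink until it is absent.
    $results = @()
    while ($Path) {
        $resp = Invoke-AzRestMethod -Path $Path -Method GET
        if ($resp.StatusCode -ne 200) { throw "ARM returned $($resp.StatusCode): $($resp.Content)" }
        $body = $resp.Content | ConvertFrom-Json
        $results += @($body.value)
        $Path = if ($body.nextLink) { ([uri] $body.nextLink).PathAndQuery } else { $null }
    }
    return $results
}

# Eligible (not yet activated) assignments effective at this scope, including inherited ones.
$eligible = Get-ArmPages "$Scope/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01"

$report = foreach ($e in $eligible) {
    $p = $e.properties
    [pscustomobject]@{
        Principal   = $p.expandedProperties.principal.displayName
        PrincipalId = $p.principalId
        Type        = $p.principalType                               # User, Group, ServicePrincipal
        Role        = $p.expandedProperties.roleDefinition.displayName
        Scope       = $p.scope
        Via         = $p.memberType                                  # Direct, Group, or Inherited
        Status      = $p.status
        Expires     = $p.endDateTime                                 # empty = permanent eligibility
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Review flags. Permanent eligibility for the two roles that can change access itself, and
# eligibility held through a group: a change of group membership silently changes who can
# elevate, and it does not show up in PIM's own views until the membership is re-read.
$report | Where-Object { (-not $_.Expires) -and ($_.Role -in @('Owner', 'User Access Administrator')) }
$report | Where-Object Via -eq 'Group'
```

The companion endpoint roleAssignmentSchedules (same api-version) lists active assignments, including currently activated ones, with an assignmentType of Activated; querying both gives the "eligible" and "activated right now" columns of a PIM review without the portal's Access Review feature.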

Is there any REST API available to list owners of an azure resource group?

The REST API that MS provides to list role assignments of a resource group returns only a few properties, in which neither DisplayName nor RoleDefinitionName is specified. But all the expected details can be fetched using PowerShell as stated in this link.
I need to fetch the same details via an API call. Is there any possible way or REST API currently available to fetch the details of all the Owners of a particular resource group in Azure?
You can use MS graph api to list the owners of resource groups:
GET https://graph.microsoft.com/v1.0/groups/{id}/owners
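Note that GET /groups/{id}/owners in Microsoft Graph returns the owners of an Entra ID (Azure AD) group object, which is a different thing from principals holding the RBAC Owner role on a resource group. To answer the question as asked with REST only, the assignments come from the Azure RBAC API and the two ids it returns are resolved with two further lookups: the role definition for its roleName, and Microsoft Graph directoryObjects/getByIds for display names. The script below is an added example (not from the answer). It assumes Az.Accounts and a login; Invoke-AzRestMethod -Uri obtains a Microsoft Graph token for the graph.microsoft.com call, which needs directory read permission (User.Read.All, Group.Read.All and Application.Read.All, or a directory role that grants equivalent reads). The resource group name is a placeholder you supply.

```powershell
# Added example, not from the original answer. Requires Az.Accounts and a login with Reader on the
# subscription plus directory read permission in Microsoft Graph.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,           # assumption: placeholder
    [string] $SubscriptionId = (Get-AzContext).Subscription.Id,   # assumption: current context
    [string] $RoleName = 'Owner'                                  # any built-in or custom role name
)

$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

function Invoke-Arm([string] $Path) {
    $r = Invoke-AzRestMethod -Path $Path -Method GET
    if ($r.StatusCode -ne 200) { throw "ARM $($r.StatusCode): $($r.Content)" }
    return $r.Content | ConvertFrom-Json
}

# $filter=atScope() returns assignments made on the group and on every scope above it (subscription,
# management groups, root), which is what "who owns this group" means. Without the filter the call
# also returns assignments made on resources inside the group.
$assignments = @((Invoke-Arm "$scope/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&`$filter=atScope()").value)

# roleDefinitionId -> roleName, one GET per distinct definition id.
$roleNames = @{}
foreach ($id in ($assignments.properties.roleDefinitionId | Sort-Object -Unique)) {
    $roleNames[$id] = (Invoke-Arm "$($id)?api-version=2022-04-01").properties.roleName
}
$matching = @($assignments | Where-Object { $roleNames[$_.properties.roleDefinitionId] -eq $RoleName })

# principalId -> display name in one Graph call. getByIds resolves users, groups and service
# principals together (up to 1000 ids); ids missing from the response belong to deleted principals.
$names = @{}
$ids = @($matching.properties.principalId | Sort-Object -Unique)
if ($ids.Count -gt 0) {
    $payload = @{ ids = $ids; types = @('user', 'group', 'servicePrincipal') } | ConvertTo-Json
    $g = Invoke-AzRestMethod -Uri 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds' -Method POST -Payload $payload
    if ($g.StatusCode -ne 200) { throw "Graph $($g.StatusCode): $($g.Content)" }
    foreach ($o in ($g.Content | ConvertFrom-Json).value) {
        $names[$o.id] = if ($o.userPrincipalName) { "$($o.displayName) <$($o.userPrincipalName)>" } else { $o.displayName }
    }
}

foreach ($a in $matching) {
    $p = $a.properties
    [pscustomobject]@{
        Role        = $roleNames[$p.roleDefinitionId]
        Principal   = if ($names.ContainsKey($p.principalId)) { $names[$p.principalId] } else { '(deleted principal)' }
        PrincipalId = $p.principalId
        Type        = $p.principalType
        AssignedAt  = $p.scope
        Inherited   = ($p.scope -ne $scope)
    }
}
```

A principal that is reported as deleted still has a live role assignment; those rows are the ones to clean up first, since a re-created object with the same id is impossible but the assignment keeps cluttering the scope and, for some principal types, can be reclaimed by re-registering the same application id.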

Fetch Azure role assignments to AAD groups

In our current Azure tenant we have hundreds of subscriptions; user access is managed by Azure AD groups.
How can I view the roles assigned to a group? Assume one group has access to only 1 subscription out of 100; then from the portal I need to select each and every subscription in the group's Azure role assignment page.
I wonder if there is any direct way to fetch this using PowerShell?
Thanks
dev
Usually we use the Get-AzRoleAssignment command to list all the role assignments that are valid at the scope. If no parameters are specified, this command returns all the role assignments made under the subscription.
For your problem, you want to use a security group to filter this list; just use the Azure AD group's ObjectId parameter:
Get-AzRoleAssignment -ObjectId <your group objectid>
In the MS Graph API docs there is List appRoleAssignments granted to a group: https://learn.microsoft.com/en-US/graph/api/group-list-approleassignments?view=graph-rest-1.0&tabs=http
Test it under MS Graph.
You can use the Microsoft Graph PowerShell SDK: https://github.com/microsoftgraph/msgraph-sdk-powershell
Here is sample code, for example for fetching groups:
https://github.com/microsoftgraph/msgraph-sdk-powershell/tree/dev/samples
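Get-AzRoleAssignment -ObjectId answers the question for one subscription, but with hundreds of subscriptions it means a context switch and an API call per subscription. Azure Resource Graph answers a single query across every subscription the caller can read, and its authorizationresources table contains the role assignments. The script below is an added example (not from either answer above) that finds every assignment held by a given group tenant-wide and resolves role names locally. It assumes Az.Accounts, Az.Resources and Az.ResourceGraph, a login with Reader on the subscriptions of interest, a placeholder group object id you replace, and an output path of .\group-role-assignments.csv. Assignments made at management group scope are not returned by Resource Graph; query those with Get-AzRoleAssignment -Scope on the management group id.

```powershell
# Added example, not from the original answers. Requires Az.Accounts, Az.Resources and
# Az.ResourceGraph and a login with Reader on the subscriptions to cover.
param(
    [Parameter(Mandatory)] [string] $GroupObjectId,                 # assumption: placeholder group object id
    [string] $OutFile = '.\group-role-assignments.csv'              # assumption: output path
)

# Kusto query over the authorizationresources table. Ids are compared lower-cased on both sides
# because Resource Graph does not guarantee the casing of stored property values.
$query = @"
authorizationresources
| where type =~ 'microsoft.authorization/roleassignments'
| where tolower(tostring(properties.principalId)) == tolower('$GroupObjectId')
| project subscriptionId,
          scope            = tostring(properties.scope),
          roleDefinitionId = tostring(properties.roleDefinitionId),
          principalType    = tostring(properties.principalType),
          createdOn        = todatetime(properties.createdOn)
"@

# Page through the results; -First caps a page at 1000 rows and SkipToken continues from there.
$rows = @()
$skip = $null
do {
    $page = if ($skip) { Search-AzGraph -Query $query -First 1000 -SkipToken $skip }
            else       { Search-AzGraph -Query $query -First 1000 }
    $rows += @($page)
    $skip = $page.SkipToken
} while ($skip)

# Role definition GUID -> name. Built-in definitions resolve from any subscription; a custom role
# defined in another subscription than the current context may not, and is reported by GUID.
$roleNames = @{}
foreach ($defId in ($rows.roleDefinitionId | Sort-Object -Unique)) {
    $guid = $defId.Split('/')[-1]
    if (-not $roleNames.ContainsKey($guid)) {
        $def = Get-AzRoleDefinition -Id $guid -ErrorAction SilentlyContinue
        $roleNames[$guid] = if ($def) { $def.Name } else { "(unresolved $guid)" }
    }
}

$subNames = @{}
Get-AzSubscription | ForEach-Object { $subNames[$_.Id] = $_.Name }

$report = foreach ($r in $rows) {
    # Classify the scope so the review can sort subscription-wide grants from narrow ones.
    $level = switch -Regex ($r.scope) {
        '^/subscriptions/[^/]+$'                       { 'Subscription'; break }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'  { 'ResourceGroup'; break }
        default                                        { 'Resource' }
    }
    [pscustomobject]@{
        Subscription   = $subNames[$r.subscriptionId]
        SubscriptionId = $r.subscriptionId
        Role           = $roleNames[$r.roleDefinitionId.Split('/')[-1]]
        ScopeLevel     = $level
        Scope          = $r.scope
        CreatedOn      = $r.createdOn
    }
}

$report | Sort-Object Subscription, Role | Export-Csv -Path $OutFile -NoTypeInformation
$report | Format-Table Subscription, Role, ScopeLevel, Scope -AutoSize
```

The same query with the principalId filter removed, and principalType projected, produces the whole tenant's assignment inventory in one pass, which is usually the starting point for a periodic access review of this size; the Get-AzRoleAssignment loop then only needs to run for the management-group scopes that Resource Graph does not cover.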
