Posts

Removing all "Unknown" object from permission/access list in Azure (IAM)

I do not like to have permissions in Azure that give access to "Unknown". I consider this a "visual" disturbance, a documentation issue, and a potential security risk, so I usually delete them when I find them. You can find them by browsing around the entire portal manually, or you can find them with a script that documents all access, like the script explained in "Documenting Azure resources access (AIM)". To ease the cleanup process I created a script based on my findings from that post. I basically extended it to go through all my subscriptions and document what it does during the process. It goes through all subscriptions (with some exceptions), documents all findings in a CSV file, removes the unknowns and then documents what has been removed in a text file at the end. I was not able to test the text file part, since I had already cleaned up everything when I figured out that documentation of what actually got removed was something that should be...

Documenting Azure resources access (AIM)

There are many situations when you want to know the access structure for all your Azure resources. Examples could be: documentation; cleaning out permissions given to individuals instead of groups; safe screening (groups/individuals that should not have access); deleted identities still visible in the AIM list; preparing for features like Privileged Identity Management (PIM); comparing changes in access since the last audit; etc. The portal's built-in GUI works, but it is not particularly flexible or easy to use when you have multiple subscriptions.

Change owner for App registration and Enterprise Apps in Azure

I got a long list of Azure AD App Registrations/Enterprise Apps that needed to get a new owner. This is a quite common task, since the original owner might have quit or changed role. Knowing that this is a task that might appear every now and then, I wrote two short and quick PowerShell scripts to fix this: one for App Registrations and one for Enterprise Apps. You can, of course, combine them and add lots of error checks and so on, but I like KISS.

PowerShell script to get some AzureAD logins stats

The information you get in the Azure portal about logins is decent, but sometimes you need some statistics or insight fast and don't want to use the graphical interface or download CSV/JSON files. I have created some scripts and favourite one-liners and uploaded them to my GitHub repo.

Unused Azure AD Connect accounts "On-Premises Directory Synchronization Service Account"

Playing with #Azure Privileged Identity Management made me aware of two active accounts from old or failed AAD Connect installations from way back. We don't want to leave something with that potential for misuse lying around in our AAD.

Requesting access with Azure AD Privileged Identity Management from PowerShell

Using Azure AD Privileged Identity Management (PIM for short) as a method to control access to Azure resources is a nice security feature. It makes access more trackable and grants roles for a defined time period. You can add approval as a necessary add-on security feature, require MFA, or make other adjustments. Read more about PIM here. BUT! It can also feel like a pain in the... if you use it a lot. So I created a small and simple PowerShell script to request the access for me.

Finding empty resource groups in Azure

It is not easy to keep control over your Azure resource groups, but maybe finding all those without any content could help? I have created a PowerShell script that helps me in my environment. It should be easy to adjust it to different needs. Got valuable help from VidarW.