Documenting Azure resources access (AIM)

-
There are many situations when you want to know the access structure for all your Azure resources. Examples could be:
  • Documentation
  • Cleaning out permission given to individuals instead of groups
  • Safe screening (groups/individuals that should not have access)
  • Deleted identities still visible in the AIM list
  • Preparing for features like Privileged identity management (PIM)
  • Comparing changes in access since the last audit
  • Etc
 And the portal built in GUI works but is not particularly flexible or easy to use when you have multiple subscriptions
The Portal solution are just to go into "Subscriptions", select the subscription and "Access Control (AIM)











Here you can check a specific user or groups access, look at all role assignments or select the "Download role assignments" function at the top.
You can select to not include the inherited if you don't want to see permission given at the management or root level. And you can add the children option to get the resource groups and resources permissions as well

In my case, this was not enough so I got help from my colleague Gunnar to create a script to give me what I wanted.

I created two different scripts, the first one "DocumentSingleSubsAIM.ps1" that gives me a single csv file for the subscription (manually typed/replaced in the script)

The second script "DocumentAllSubsAIM.ps1", will automatically find all your subscriptions if you have multiple (excluding the ones mention in the script like the Azure AD and Visual Studio subscription). It creates a csv file for each subscription and one for all subscriptions combined. 













It should be easy to add and adjust the results you want to add to the reports. My current result looks something like this:




The Empty name and "unknow" type indicate that there is a user/group/app that have been deleted.

Popular posts from this blog

Installing Android on a Hyper-V virtual machine

-
Image
Working with mobile device management (MDM) require a lot of testing. With Windows 10 testing is no problem (except those things that demand to be done on a physical device by different reasons), they can easily be run virtual. But when it comes to phones and tablets it have not been that easy. Visual Studio and some other solutions where out there, but they did not come with Store access or they had dependence which excluded Hyper-V from running. Some Emulators runs in a Hyper-V VM with Windows 10, but not on the host itself. So, if you got it to work it was usually slow and painful.
Read more

MDT: TimeZoneName and index number list

-
Remebering time zone name and number are a hasle so here are the list for the next time you (or I) need it. Norwegian settings for MDT are: TimeZone=110 TimeZoneName=W. Europe Standard Time (InputLocale=0414:00000414) (KeyboardLocale=nb-NO) The complete list are as following:
Read more

Quick guide on how to run BgInfo background as Group Policy login

-
Image
I know, it's simple. But I always forget some minor details when it have been a while since last time. So this blogpost is more a reminder to my self. Goal = Get same background picture an all PC (and/or Server) Doing it very simplified and easy in this guide, but you should normally use  folder structure for the files and a suitable Group Policy or more for the setting themself.
Read more