diff --git a/Az/Get-AzDomainInfo.ps1 b/Az/Get-AzDomainInfo.ps1 index d356f59..ee5e64e 100644 --- a/Az/Get-AzDomainInfo.ps1 +++ b/Az/Get-AzDomainInfo.ps1 @@ -94,6 +94,16 @@ Function Get-AzDomainInfo HelpMessage="Dump list of Groups.")] [ValidateSet("Y","N")] [String]$Groups = "Y", + + [parameter(Mandatory=$false, + HelpMessage="Dump list of RBAC of Users")] + [ValidateSet("Y","N")] + [String]$RBACUsers = "Y", + + [parameter(Mandatory=$false, + HelpMessage="Dump list of RBAC of Groups")] + [ValidateSet("Y","N")] + [String]$RBACGroups = "Y", [parameter(Mandatory=$false, HelpMessage="Dump list of Storage Accounts.")] @@ -126,6 +136,7 @@ Function Get-AzDomainInfo [String]$LoginBypass = "N" ) + if ($LoginBypass -eq "N"){ # Check to see if we're logged in with Az $LoginStatus = Get-AzContext 
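Review bot: The two new HelpMessage strings read awkwardly and drop the trailing period their siblings use (`HelpMessage="Dump list of Groups."`, `HelpMessage="Dump list of Storage Accounts."`); `HelpMessage="Dump RBAC role assignments of Users."` and `HelpMessage="Dump RBAC role assignments of Groups."` would match the existing pattern. Because both parameters default to "Y", the new per-principal role-assignment enumeration runs on every invocation unless callers opt out, which is a behaviour and runtime change for existing users of the function. The comment-based help at the top of the function (outside this hunk) should therefore document RBACUsers and RBACGroups alongside the other switches, including that their output lands in the RBAC folder under the output path.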
@@ -212,7 +223,98 @@ Function Get-AzDomainInfo Write-Verbose "`tDomain Group Users were enumerated for $groupCount groups." } + If ($RBACUsers -eq "Y") { + Write-Verbose "Getting RBAC for Users..." + + # Check Output Path + if(Test-Path $folder"\RBAC"){} + else{New-Item -ItemType Directory $folder"\RBAC" | Out-Null} + + # Define the user object + $adusers = Get-AzADUser + + # Initialize an array to hold the role assignment information + $roleAssignmentsInfo = @() + + foreach ($aduser in $adusers) { + + # Ensure the ObjectId is valid (non-null) + if ($aduser.Id) { + + # Retrieve role assignments for the user using their ObjectId + $roleAssignments = Get-AzRoleAssignment -PrincipalId $aduser.Id + + # Loop through each role assignment to fetch the role definition name + foreach ($roleAssignment in $roleAssignments) { + + # Ensure the RoleDefinitionId exists + if ($roleAssignment.RoleDefinitionId) { + $roleDef = Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId + + # Create a custom object + $roleAssignmentsInfo += [PSCustomObject]@{ + UserPrincipalName = $aduser.UserPrincipalName + RoleAssignmentName = $roleDef.Name + Scope = $roleAssignment.Scope + } + } + } + } + } + + # Print the results in a table format + $roleAssignmentsInfo | Export-Csv -NoTypeInformation -LiteralPath $folder"\RBAC\RBAC_Users.CSV" + + Write-Verbose "`t$($roleAssignmentsInfo.Count) role were enumerated for users" + } + + If ($RBACGroups -eq "Y") { + Write-Verbose "Getting RBAC for Groups..." 
+ + # Check Output Path + if(Test-Path $folder"\RBAC"){} + else{New-Item -ItemType Directory $folder"\RBAC" | Out-Null} + + # Get all Azure AD groups + $adgroups = Get-AzADGroup + + # Initialize an array to hold the role assignment information + $roleAssignmentsInfo = @() + + foreach ($adgroup in $adgroups) { + + # Ensure the Id is valid (non-null/empty) + if ($adgroup.Id) { + + # Retrieve role assignments for the group using their Id + $roleAssignments = Get-AzRoleAssignment -PrincipalId $adgroup.Id + + # Loop through each role assignment to fetch the role definition name + foreach ($roleAssignment in $roleAssignments) { + + # Ensure the RoleDefinitionId exists + if ($roleAssignment.RoleDefinitionId) { + $roleDef = Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId + + # Create a custom object + $roleAssignmentsInfo += [PSCustomObject]@{ + PrincipalName = $adgroup.DisplayName + PrincipalType = "Group" + RoleAssignmentName = $roleDef.Name + Scope = $roleAssignment.Scope + } + } + } + } + } + + # Print the results in a table format + $roleAssignmentsInfo | Export-Csv -NoTypeInformation -LiteralPath $folder"\RBAC\RBAC_Groups.CSV" + + Write-Verbose "`t$($roleAssignmentsInfo.Count) role were enumerated for groups" + } + # Get Storage Account name(s) if($StorageAccounts -eq "Y"){ @@ -256,7 +358,11 @@ Function Get-AzDomainInfo # URL for listing publicly available files $uriList = "https://"+(-join ($StorageAccountName,'.blob.core.windows.net/',$_.Name))+"/?restype=container&comp=list" - $FileList = (Invoke-WebRequest -uri $uriList -Method Get -Verbose:$False).Content + try { + $FileList = (Invoke-WebRequest -Uri $uriList -Method Get -Verbose:$False).Content + } catch { + # No Action + } # Microsoft includes these characters in the response, Thanks... [xml]$xmlFileList = $FileList -replace '' diff --git a/AzureAD/Get-AzureADDomainInfo.ps1 b/AzureAD/Get-AzureADDomainInfo.ps1 index 00772f7..a1396b8 100644 --- a/AzureAD/Get-AzureADDomainInfo.ps1 
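Review bot: Both new blocks call `Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId` once per assignment, but the objects returned by Get-AzRoleAssignment already carry the role name in `RoleDefinitionName`, so `RoleAssignmentName = $roleAssignment.RoleDefinitionName` removes one round-trip per assignment and the `$roleDef` variable. The Users and Groups blocks are otherwise copies with different CSV schemas (UserPrincipalName/RoleAssignmentName/Scope versus PrincipalName/PrincipalType/RoleAssignmentName/Scope); a single private helper taking the principal list and output file name and emitting PrincipalName/PrincipalType for both would keep the two CSVs joinable and halve the code. `$roleAssignmentsInfo += [PSCustomObject]@{...}` copies the array on every append, so a `[System.Collections.Generic.List[object]]` with `.Add()` scales better, and `if(Test-Path ...){} else{New-Item ...}` is clearer as `if (-not (Test-Path $folder"\RBAC")) { New-Item -ItemType Directory $folder"\RBAC" | Out-Null }`. I could not match `-PrincipalId` against the Get-AzRoleAssignment parameters I know (`-ObjectId` is the principal filter), so confirm the installed Az.Resources accepts it, because an unrecognized parameter aborts the whole function here with no try/catch.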
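Review bot: The empty catch leaves `$FileList` holding the previous container's listing when Invoke-WebRequest fails, so the following `[xml]$xmlFileList = $FileList -replace ''` line parses and reports blobs under the wrong container name. Clear it before the request, `$FileList = $null`, and skip the parse when it is empty; the enclosing loop over containers starts outside this hunk, so whether the skip is `return` (ForEach-Object) or `continue` (foreach) depends on that construct. Silently swallowing the error also hides throttling or access-denied responses the operator would want to know about; a `Write-Verbose` of `$_.Exception.Message` in the catch block costs nothing and keeps the run quiet by default.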
+++ b/AzureAD/Get-AzureADDomainInfo.ps1 @@ -45,7 +45,6 @@ Function Get-AzureADDomainInfo VERBOSE: Getting Domain Service Principals... VERBOSE: 500 service principals were enumerated. VERBOSE: All done with AzureAD tasks. - #> [CmdletBinding()] 
@@ -87,14 +86,126 @@ Function Get-AzureADDomainInfo if ($Users -eq "Y"){ # Get/Write Users for each domain Write-Verbose "Getting Domain Users..." - # Base user info - $azureADUsers = Get-AzureADUser -All 1 - $azureADUsers | select DisplayName,UserPrincipalName,ObjectId,ObjectType,AccountEnabled,AgeGroup,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DirSyncEnabled,FacsimileTelephoneNumber,GivenName,IsCompromised,ImmutableId,JobTitle,LastDirSyncTime,LegalAgeGroupClassification,Mail,MailNickName,Mobile,OnPremisesSecurityIdentifier,PasswordPolicies,PasswordProfile,PhysicalDeliveryOfficeName,PostalCode,PreferredLanguage,RefreshTokensValidFromDateTime,ShowInAddressList,SipProxyAddress,State,StreetAddress,Surname,TelephoneNumber,UsageLocation,UserState,UserStateChangedOn,UserType | Export-Csv -NoTypeInformation -LiteralPath $folder"\AzureAD\AzureAD_Users.CSV" - $azureADUserscount = $azureADUsers.count - Write-Verbose "`t$azureADUserscount Domain Users were found." + + # List Users + $azureADUsers = Get-AzureADUser -All $true - } + # List Directory Roles + $entraIDRoles = Get-AzureADDirectoryRole + + # Initialize an empty map to store user roles + $userRolesMap = @{} + # Loop through each role in the Azure AD roles set + foreach ($role in $entraIDRoles) { + + # Retrieve the members associated with each role + $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId + + # Loop through each member associated with the role + foreach ($member in $members) { + + # If the user is not already in the map, initialize an empty list + if (-not $userRolesMap.ContainsKey($member.ObjectId)) { + $userRolesMap[$member.ObjectId] = @() + } + + # Add the role name to the user's list of roles + $userRolesMap[$member.ObjectId] += $role.DisplayName + } + } + + # Retrieve all Azure AD groups + $azureADGroups = Get-AzureADGroup -All $true + + # Initialize an empty map to store group memberships for users + $userGroupsMap = @{} + + # Loop through each group in 
the Azure AD groups + foreach ($group in $azureADGroups) { + # Retrieve the members of each grou + $members = Get-AzureADGroupMember -ObjectId $group.ObjectId + + # Loop through each member of the group + foreach ($member in $members) { + + # If the user is not already in the map, initialize an empty list + if (-not $userGroupsMap.ContainsKey($member.ObjectId)) { + $userGroupsMap[$member.ObjectId] = @() + } + + # Add the group name to the user's list of groups + $userGroupsMap[$member.ObjectId] += $group.DisplayName + } + } + + # Create an output object for each Azure AD user with their roles and groups + $exportUsers = $azureADUsers | ForEach-Object { + + # Retrieve the roles assigned to the user and join them into a single string + $AzureADroles = $userRolesMap[$_.ObjectId] -join "; " + + # Retrieve the groups the user belongs to and join them into a single string + $AzureADgroups = if ($userGroupsMap.ContainsKey($_.ObjectId) -and $userGroupsMap[$_.ObjectId]) { + $userGroupsMap[$_.ObjectId] -join "; " + } else { + "" + } + + # Create a custom object to store the user's details and export them + [PSCustomObject]@{ + DisplayName = $_.DisplayName + UserPrincipalName = $_.UserPrincipalName + ObjectId = $_.ObjectId + DirectoryRoles = $AzureADroles + ADGroups = $AzureADgroups + ObjectType = $_.ObjectType + AccountEnabled = $_.AccountEnabled + AgeGroup = $_.AgeGroup + City = $_.City + CompanyName = $_.CompanyName + ConsentProvidedForMinor = $_.ConsentProvidedForMinor + Country = $_.Country + CreationType = $_.CreationType + Department = $_.Department + DirSyncEnabled = $_.DirSyncEnabled + FacsimileTelephoneNumber = $_.FacsimileTelephoneNumber + GivenName = $_.GivenName + Surname = $_.Surname + IsCompromised = $_.IsCompromised + ImmutableId = $_.ImmutableId + JobTitle = $_.JobTitle + LastDirSyncTime = $_.LastDirSyncTime + LegalAgeGroupClassification = $_.LegalAgeGroupClassification + Mail = $_.Mail + MailNickName = $_.MailNickName + Mobile = $_.Mobile + 
OnPremisesSecurityIdentifier = $_.OnPremisesSecurityIdentifier + PasswordPolicies = $_.PasswordPolicies + PasswordProfile = $_.PasswordProfile + PhysicalDeliveryOfficeName = $_.PhysicalDeliveryOfficeName + PostalCode = $_.PostalCode + PreferredLanguage = $_.PreferredLanguage + RefreshTokensValidFromDateTime = $_.RefreshTokensValidFromDateTime + ShowInAddressList = $_.ShowInAddressList + SipProxyAddress = $_.SipProxyAddress + State = $_.State + StreetAddress = $_.StreetAddress + TelephoneNumber = $_.TelephoneNumber + UsageLocation = $_.UsageLocation + UserState = $_.UserState + UserStateChangedOn = $_.UserStateChangedOn + UserType = $_.UserType + + } + } + # Export to CSV + $exportUsers | Export-Csv -NoTypeInformation -LiteralPath "$folder\AzureAD\AzureAD_Users.CSV" + + $azureADUserscount = $azureADUsers.Count + Write-Verbose "`t$azureADUserscount Domain Users were found." + } + if ($Groups -eq "Y"){ # Get/Write Groups Write-Verbose "Getting Domain Groups..."
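Review bot: `Get-AzureADGroupMember -ObjectId $group.ObjectId` is called without `-All $true`, so for groups larger than the cmdlet's default page only the first page of members is returned and those users' ADGroups column is silently incomplete; `$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true` matches how Get-AzureADUser and Get-AzureADGroup are already called in this hunk. Get-AzureADDirectoryRoleMember has no paging switch that I know of, so the role map is presumably unaffected. The `+=` appends into `$userRolesMap` and `$userGroupsMap` rebuild an array per member, which gets slow in large tenants; a `[System.Collections.Generic.List[string]]` per key avoids that. The comment `# Retrieve the members of each grou` is missing its last letter. The enclosing function starts outside this hunk.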