AzureADAssessment.psm1
#Requires -Version 5.1 #Requires -PSEdition Core,Desktop #Requires -Module @{'ModuleVersion'='4.36.1.2';'ModuleName'='MSAL.PS';'GUID'='c765c957-c730-4520-9c36-6a522e35d60b'} <# .SYNOPSIS AzureADAssessment .DESCRIPTION This module analyzes your Azure Active Directory configuration and provides best practice recommendations. .NOTES ModuleVersion: 2.5.0 GUID: 0dc4c0ce-4ff6-43c2-9913-8e001c84e0d3 Author: Microsoft Identity CompanyName: Microsoft Corporation Copyright: (c) 2022 Microsoft Corporation. All rights reserved. .FUNCTIONALITY Complete-AADAssessmentReports, Connect-AADAssessment, Disconnect-AADAssessment, Expand-AADAssessAADConnectConfig, Export-AADAssessmentPortableModule, Get-AADAssessAppAssignmentReport, Get-AADAssessAppCredentialExpirationReport, Export-AADAssessConditionalAccessData, Get-AADAssessConsentGrantReport, Get-AADAssessNotificationEmailsReport, Get-AADAssessRoleAssignmentReport, Get-AADAssessUserReport, Invoke-AADAssessmentDataCollection, Invoke-AADAssessmentHybridDataCollection, Get-AADAssessADFSEndpoints, Export-AADAssessADFSAdminLog, Export-AADAssessADFSConfiguration, Get-AADAssessAppProxyConnectorLog, Get-AADAssessPasswordWritebackAgentLog, Get-MsGraphResults, New-AADAssessmentRecommendations, Export-AADAssessmentRecommendations, Test-AADAssessmentEmailOtp, Export-AADAssessmentReportData, Test-AADAssessmentPackage .LINK https://github.com/AzureAD/AzureADAssessment #> <# .DISCLAIMER THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. Copyright (c) Microsoft Corporation. All rights reserved. #> param ( # Provide module configuration [Parameter(Mandatory = $false)] [psobject] $ModuleConfiguration ) #region NestedModules Script(s) #region Add-AadObjectToLookupCache.ps1 function Add-AadObjectToLookupCache { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [Alias('Type')] [ValidateSet('servicePrincipal', 'application', 'user', 'group', 'administrativeUnit','userRegistrationDetails')] [string] $ObjectType, # [Parameter(Mandatory = $true)] [psobject] $LookupCache, # [Parameter(Mandatory = $false)] [switch] $PassThru ) process { if (!$LookupCache.$ObjectType.ContainsKey($InputObject.id)) { #if ($ObjectType -eq 'servicePrincipal') { $LookupCache.servicePrincipalAppId.Add($InputObject.appId, $InputObject) } $LookupCache.$ObjectType.Add($InputObject.id, $InputObject) } if ($PassThru) { return $InputObject } } } #endregion #region Add-AadReferencesToCache.ps1 function Add-AadReferencesToCache { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [Alias('Type')] [ValidateSet('appRoleAssignment', 'oauth2PermissionGrant', 'servicePrincipal', 'group', 'directoryRole', 'conditionalAccessPolicy', 'roleAssignmentScheduleInstances','roleAssignments')] [string] $ObjectType, # [Parameter(Mandatory = $true)] [psobject] $ReferencedIdCache, # [Parameter(Mandatory = $false)] [string[]] $ReferencedTypes = @('#microsoft.graph.user', '#microsoft.graph.group', '#microsoft.graph.servicePrincipal'), # [Parameter(Mandatory = $false)] [switch] $PassThru ) begin { function Expand-PropertyToCache ($InputObject, $PropertyName) { if ($InputObject.psobject.Properties.Name.Contains($PropertyName)) { foreach ($Object in $InputObject.$PropertyName) { if ($Object.'@odata.type' -in $ReferencedTypes) { $ObjectType = $Object.'@odata.type' -replace '#microsoft.graph.', '' [void] $ReferencedIdCache.$ObjectType.Add($Object.id) } } } } } process { switch ($ObjectType) { appRoleAssignment { [void] $ReferencedIdCache.servicePrincipal.Add($InputObject.resourceId) [void] $ReferencedIdCache.$($InputObject.principalType).Add($InputObject.principalId) break } oauth2PermissionGrant { [void] $ReferencedIdCache.servicePrincipal.Add($InputObject.clientId) [void] $ReferencedIdCache.servicePrincipal.Add($InputObject.resourceId) if ($InputObject.principalId) { [void] $ReferencedIdCache.user.Add($InputObject.principalId) } break } servicePrincipal { if ($InputObject.psobject.Properties.Name.Contains('appRoleAssignedTo')) { $InputObject.appRoleAssignedTo | Add-AadReferencesToCache -Type appRoleAssignment } break } group { Expand-PropertyToCache $InputObject 'members' Expand-PropertyToCache $InputObject 'transitiveMembers' Expand-PropertyToCache $InputObject 'owners' break } directoryRole { Expand-PropertyToCache $InputObject 'members' break } conditionalAccessPolicy { $InputObject.conditions.users.includeUsers | Where-Object { $_ -notin 'None', 'All', 'GuestsOrExternalUsers' } | ForEach-Object { [void]$ReferencedIdCache.user.Add($_) } $InputObject.conditions.users.excludeUsers | Where-Object { $_ -notin 'GuestsOrExternalUsers' } | ForEach-Object { [void]$ReferencedIdCache.user.Add($_) } $InputObject.conditions.users.includeGroups | Where-Object { $_ -notin 'All' } | ForEach-Object { [void]$ReferencedIdCache.group.Add($_) } $InputObject.conditions.users.excludeGroups | ForEach-Object { [void]$ReferencedIdCache.group.Add($_) } $InputObject.conditions.applications.includeApplications | Where-Object { $_ -notin 'None', 'All', 'Office365' } | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) } $InputObject.conditions.applications.excludeApplications | Where-Object { $_ -notin 'Office365' } | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) } break } # roleDefinition { # [void] $ReferencedIdCache.roleDefinition.Add($InputObject.id) # } roleAssignmentScheduleInstances { if ($InputObject.directoryScopeId -match '/(?:(.+)s/)([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') { $directoryScopeType = $Matches[1] [void] $ReferencedIdCache.$directoryScopeType.Add($Matches[2]) } elseif ($InputObject.directoryScopeId -match '/([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') { [void] $ReferencedIdCache.unknownType.Add($Matches[1]) } $principalType = $InputObject.principal.'@odata.type' -replace '#microsoft.graph.', '' [void] $ReferencedIdCache.$principalType.Add($InputObject.principal.id) if ($principalType -eq 'group') { [void] $ReferencedIdCache.roleGroup.Add($InputObject.principal.id) } } # aadRoleAssignment { # if ($InputObject.directoryScopeId -like "/administrativeUnits/*") { # $id = $InputObject.directoryScopeId -replace "^/administrativeUnits/","" # [void] $ReferencedIdCache.administrativeUnit.Add($id) # } elseif ($InputObject.directoryScopeId -match "^/[0-9a-f-]+$") { # $id = $InputObject.directoryScopeId -replace "^/","" # [void] $ReferencedIdCache.directoryScopeId.Add($id) # } # if ($InputObject.principalType -ieq "group") { # # add groups to role groups on role assignements to have a specific pointer to look at transitive memberships # [void] $ReferencedIdCache.roleGroup.Add($InputObject.principalId) # # add group to cache directly to get those groups information # [void] $ReferencedIdCache.group.Add($InputObject.principalId) # } else { # [void] $ReferencedIdCache.$($InputObject.principalType).Add($InputObject.principalId) # } # break # } roleAssignments { [void] $ReferencedIdCache.unknownType.Add($InputObject.principalId) } } if ($PassThru) { return $InputObject } } } #endregion #region Assert-DirectoryExists.ps1 function Assert-DirectoryExists { [CmdletBinding()] [OutputType([string[]])] param ( # Directories [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)] [object[]] $InputObjects, # Directory to base relative paths. Default is current directory. [Parameter(Mandatory = $false, Position = 2)] [string] $BaseDirectory = (Get-Location).ProviderPath ) process { foreach ($InputObject in $InputObjects) { ## InputObject Casting if ($InputObject -is [System.IO.DirectoryInfo]) { [System.IO.DirectoryInfo] $DirectoryInfo = $InputObject } elseif ($InputObject -is [System.IO.FileInfo]) { [System.IO.DirectoryInfo] $DirectoryInfo = $InputObject.Directory } elseif ($InputObject -is [string]) { [System.IO.DirectoryInfo] $DirectoryInfo = $InputObject } if (!$DirectoryInfo.Exists) { Write-Output (New-Item $DirectoryInfo.FullName -ItemType Container) } } } } #endregion #region Complete-AppInsightsRequest.ps1 <# .SYNOPSIS Write Request to Application Insights. .EXAMPLE PS C:\>Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $true Write Request to Application Insights. .INPUTS System.String #> function Complete-AppInsightsRequest { [CmdletBinding()] [Alias('Complete-AIRequest')] param ( # Request Name [Parameter(Mandatory = $false)] [string] $Name, # Request Result [Parameter(Mandatory = $true)] [bool] $Success ) ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } $Operation = $script:AppInsightsRuntimeState.OperationStack.Peek() $Operation.Stopwatch.Stop() Write-AppInsightsRequest $Name -Duration $Operation.Stopwatch.Elapsed -Success $Success [void] $script:AppInsightsRuntimeState.OperationStack.Pop() } #endregion #region Confirm-ModuleAuthentication.ps1 function Confirm-ModuleAuthentication { param ( # Specifies the client application or client application options to use for authentication. [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [psobject] $ClientApplication = $script:ConnectState.ClientApplication, # Instance of Azure Cloud [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [ValidateSet('Global', 'China', 'Germany', 'USGov', 'USGovDoD')] [string] $CloudEnvironment = $script:ConnectState.CloudEnvironment, # User account to authenticate [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string] $User, # Ignore any access token in the user token cache and attempt to acquire new access token using the refresh token for the account if one is available. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [switch] $ForceRefresh, # Return MsGraph WebSession object for use with Invoke-RestMethod command [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [switch] $MsGraphSession, # CorrelationId [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [guid] $CorrelationId = (New-Guid), # Scopes for MS Graph [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $MsGraphScopes = $script:MsGraphScopes ) ## Throw error if no client application exists if (!$script:ConnectState.ClientApplication) { $Exception = New-Object System.Security.Authentication.AuthenticationException -ArgumentList ('You must call the Connect-AADAssessment cmdlet before calling any other cmdlets.') Write-Error -Exception $Exception -Category ([System.Management.Automation.ErrorCategory]::AuthenticationError) -CategoryActivity $MyInvocation.MyCommand -ErrorId 'ConnectAADAssessmentRequired' -ErrorAction Stop } ## Override scopes on microsoft tenant only if ($ClientApplication.AppConfig.TenantId -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', 'microsoft.onmicrosoft.com', 'microsoft.com') -and $ClientApplication.ClientId -in ('1b730954-1685-4b74-9bfd-dac224a7b894', '1950a258-227b-4e31-a9cf-717495945fc2', '65df9042-2439-4b70-94ac-6cc892f61d85')) { $MsGraphScopes = '.default' } ## Add Microsoft Graph endpoint for the appropriate cloud for ($iScope = 0; $iScope -lt $MsGraphScopes.Count; $iScope++) { if (!$MsGraphScopes[$iScope].Contains('//')) { $MsGraphScopes[$iScope] = [IO.Path]::Combine($script:mapMgEnvironmentToMgEndpoint[$CloudEnvironment], $MsGraphScopes[$iScope]) } } if (!$MsGraphScopes.Contains('openid')) { $MsGraphScopes += 'openid' } ## Initialize #if (!$User) { $User = Get-MsalAccount $script:ConnectState.ClientApplication | Select-Object -First 1 -ExpandProperty Username } if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) { $CorrelationId = $script:AppInsightsRuntimeState.OperationStack.Peek().Id } [hashtable] $paramMsalToken = @{ #CorrelationId = $CorrelationId } if (!$User -and !(Get-MsalAccount $ClientApplication)) { # if ($PSVersionTable.PSEdition -eq 'Core') { # $paramMsalToken.Add('DeviceCode', $true) # } # else { $paramMsalToken.Add('Interactive', $true) #} } ## Get Tokens $MsGraphToken = $null if ($ClientApplication -is [Microsoft.Identity.Client.IPublicClientApplication]) { $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() try { #$MsGraphToken = Get-MsalToken -PublicClientApplication $ClientApplication -Scopes $MsGraphScopes -UseEmbeddedWebView:$false -ForceRefresh:$ForceRefresh -CorrelationId $CorrelationId -Interactive:$Interactive -Verbose:$false -ErrorAction Stop $MsGraphToken = Get-MsalToken -PublicClientApplication $ClientApplication -Scopes $MsGraphScopes -UseEmbeddedWebView:$true -ForceRefresh:$ForceRefresh -CorrelationId $CorrelationId -LoginHint $User @paramMsalToken -Verbose:$false -ErrorAction Stop } catch { throw } finally { $Stopwatch.Stop() if ($MsGraphToken) { $AuthDetail = [ordered]@{ ClientId = $ClientApplication.ClientId TokenType = $MsGraphToken.TokenType ExpiresOn = $MsGraphToken.ExpiresOn CorrelationId = $MsGraphToken.CorrelationId Scopes = $MsGraphToken.Scopes -join ' ' } } else { $AuthDetail = [ordered]@{} } if (!$script:ConnectState.MsGraphToken -or $paramMsalToken.ContainsKey('Interactive')) { Write-AppInsightsDependency 'GET Access Token (Interactive)' -Type 'Azure AD' -Data 'GET Access Token (Interactive)' -Duration $Stopwatch.Elapsed -Success ($null -ne $MsGraphToken) -OrderedProperties $AuthDetail } elseif ($script:ConnectState.MsGraphToken.AccessToken -ne $MsGraphToken.AccessToken) { Write-AppInsightsDependency 'GET Access Token' -Type 'Azure AD' -Data 'GET Access Token' -Duration $Stopwatch.Elapsed -Success ($null -ne $MsGraphToken) -OrderedProperties $AuthDetail } } } else { $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() try { $MsGraphToken = Get-MsalToken -ConfidentialClientApplication $ClientApplication -Scopes ([IO.Path]::Combine($script:mapMgEnvironmentToMgEndpoint[$CloudEnvironment], '.default')) -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop } catch { throw } finally { $Stopwatch.Stop() if (!$script:ConnectState.MsGraphToken -or ($script:ConnectState.MsGraphToken.AccessToken -ne $MsGraphToken.AccessToken)) { if ($MsGraphToken) { $AuthDetail = [ordered]@{ ClientId = $ClientApplication.ClientId TokenType = $MsGraphToken.TokenType ExpiresOn = $MsGraphToken.ExpiresOn CorrelationId = $MsGraphToken.CorrelationId Scopes = $MsGraphToken.Scopes -join ' ' } } else { $AuthDetail = [ordered]@{} } Write-AppInsightsDependency 'GET Access Token (Confidential Client)' -Type 'Azure AD' -Data 'GET Access Token (Confidential Client)' -Duration $Stopwatch.Elapsed -Success ($null -ne $MsGraphToken) -OrderedProperties $AuthDetail } } } if (!$script:ConnectState.MsGraphToken -or ($script:ConnectState.MsGraphToken.AccessToken -ne $MsGraphToken.AccessToken)) { Write-Verbose 'Connecting Modules...' #Connect-MgGraph -Environment $CloudEnvironment -TenantId $MsGraphToken.TenantId -AccessToken $MsGraphToken.AccessToken | Out-Null if ($script:MsGraphSession.Headers.ContainsKey('Authorization')) { $script:MsGraphSession.Headers['Authorization'] = $MsGraphToken.CreateAuthorizationHeader() } else { $script:MsGraphSession.Headers.Add('Authorization', $MsGraphToken.CreateAuthorizationHeader()) } } $script:ConnectState.MsGraphToken = $MsGraphToken if ($MsGraphSession) { return $script:MsGraphSession } } #endregion #region ConvertFrom-Base64String.ps1 <# .SYNOPSIS Convert Base64 String to Byte Array or Plain Text String. .EXAMPLE PS C:\>ConvertFrom-Base64String "QSBzdHJpbmcgd2l0aCBiYXNlNjQgZW5jb2Rpbmc=" Convert Base64 String to String with Default Encoding. .EXAMPLE PS C:\>"QVNDSUkgc3RyaW5nIHdpdGggYmFzZTY0dXJsIGVuY29kaW5n" | ConvertFrom-Base64String -Base64Url -Encoding Ascii Convert Base64Url String to String with Ascii Encoding. .EXAMPLE PS C:\>[guid](ConvertFrom-Base64String "5oIhNbCaFUGAe8NsiAKfpA==" -RawBytes) Convert Base64 String to GUID. .INPUTS System.String .LINK https://github.com/jasoth/Utility.PS #> function ConvertFrom-Base64String { [CmdletBinding()] [OutputType([byte[]], [string])] param ( # Value to convert [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [string[]] $InputObjects, # Use base64url variant [Parameter (Mandatory = $false)] [switch] $Base64Url, # Output raw byte array [Parameter (Mandatory = $false)] [switch] $RawBytes, # Encoding to use for text strings [Parameter (Mandatory = $false)] [ValidateSet('Ascii', 'UTF32', 'UTF7', 'UTF8', 'BigEndianUnicode', 'Unicode')] [string] $Encoding = 'Default' ) process { foreach ($InputObject in $InputObjects) { [string] $strBase64 = $InputObject if (!$PSBoundParameters.ContainsValue('Base64Url') -and ($strBase64.Contains('-') -or $strBase64.Contains('_'))) { $Base64Url = $true } if ($Base64Url) { $strBase64 = $strBase64.Replace('-', '+').Replace('_', '/').PadRight($strBase64.Length + (4 - $strBase64.Length % 4) % 4, '=') } [byte[]] $outBytes = [System.Convert]::FromBase64String($strBase64) if ($RawBytes) { Write-Output $outBytes -NoEnumerate } else { [string] $outString = ([Text.Encoding]::$Encoding.GetString($outBytes)) Write-Output $outString } } } } #endregion #region ConvertFrom-QueryString.ps1 <# .SYNOPSIS Convert Query String to object. .EXAMPLE PS C:\>ConvertFrom-QueryString '?name=path/file.json&index=10' Convert query string to object. .EXAMPLE PS C:\>'name=path/file.json&index=10' | ConvertFrom-QueryString -AsHashtable Convert query string to hashtable. .INPUTS System.String .LINK https://github.com/jasoth/Utility.PS #> function ConvertFrom-QueryString { [CmdletBinding()] [OutputType([psobject])] [OutputType([hashtable])] param ( # Value to convert [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [AllowEmptyString()] [string[]] $InputStrings, # URL decode parameter names [Parameter(Mandatory = $false)] [switch] $DecodeParameterNames, # Converts to hash table object [Parameter(Mandatory = $false)] [switch] $AsHashtable ) process { foreach ($InputString in $InputStrings) { if ($AsHashtable) { [hashtable] $OutputObject = @{ } } else { [psobject] $OutputObject = New-Object psobject } if ($InputString) { if ($InputString[0] -eq '?') { $InputString = $InputString.Substring(1) } [string[]] $QueryParameters = $InputString.Split('&') foreach ($QueryParameter in $QueryParameters) { [string[]] $QueryParameterPair = $QueryParameter.Split('=') if ($DecodeParameterNames) { $QueryParameterPair[0] = [System.Net.WebUtility]::UrlDecode($QueryParameterPair[0]) } if ($OutputObject -is [hashtable]) { $OutputObject.Add($QueryParameterPair[0], [System.Net.WebUtility]::UrlDecode($QueryParameterPair[1])) } else { $OutputObject | Add-Member $QueryParameterPair[0] -MemberType NoteProperty -Value ([System.Net.WebUtility]::UrlDecode($QueryParameterPair[1])) } } } Write-Output $OutputObject } } } #endregion #region ConvertTo-QueryString.ps1 <# .SYNOPSIS Convert Hashtable to Query String. .EXAMPLE PS C:\>ConvertTo-QueryString @{ name = 'path/file.json'; index = 10 } Convert hashtable to query string. .EXAMPLE PS C:\>[ordered]@{ title = 'convert&prosper'; id = [guid]'352182e6-9ab0-4115-807b-c36c88029fa4' } | ConvertTo-QueryString Convert ordered dictionary to query string. .INPUTS System.Collections.Hashtable .LINK https://github.com/jasoth/Utility.PS #> function ConvertTo-QueryString { [CmdletBinding()] [OutputType([string])] param ( # Value to convert [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObjects, # URL encode parameter names [Parameter(Mandatory = $false)] [switch] $EncodeParameterNames ) process { foreach ($InputObject in $InputObjects) { $QueryString = New-Object System.Text.StringBuilder if ($InputObject -is [hashtable] -or $InputObject -is [System.Collections.Specialized.OrderedDictionary] -or $InputObject.GetType().FullName.StartsWith('System.Collections.Generic.Dictionary')) { foreach ($Item in $InputObject.GetEnumerator()) { if ($QueryString.Length -gt 0) { [void]$QueryString.Append('&') } [string] $ParameterName = $Item.Key if ($EncodeParameterNames) { $ParameterName = [System.Net.WebUtility]::UrlEncode($ParameterName) } [void]$QueryString.AppendFormat('{0}={1}', $ParameterName, [System.Net.WebUtility]::UrlEncode($Item.Value)) } } elseif ($InputObject -is [psobject] -and $InputObject -isnot [ValueType]) { foreach ($Item in ($InputObject | Get-Member -MemberType Property, NoteProperty)) { if ($QueryString.Length -gt 0) { [void]$QueryString.Append('&') } [string] $ParameterName = $Item.Name if ($EncodeParameterNames) { $ParameterName = [System.Net.WebUtility]::UrlEncode($ParameterName) } [void]$QueryString.AppendFormat('{0}={1}', $ParameterName, [System.Net.WebUtility]::UrlEncode($InputObject.($Item.Name))) } } else { ## Non-Terminating Error $Exception = New-Object ArgumentException -ArgumentList ('Cannot convert input of type {0} to query string.' -f $InputObject.GetType()) Write-Error -Exception $Exception -Category ([System.Management.Automation.ErrorCategory]::ParserError) -CategoryActivity $MyInvocation.MyCommand -ErrorId 'ConvertQueryStringFailureTypeNotSupported' -TargetObject $InputObject continue } Write-Output $QueryString.ToString() } } } #endregion #region Expand-GroupTransitiveMembership.ps1 <# .SYNOPSIS Expand and return transitive group membership based on group members data in cache. .EXAMPLE PS C:\>Expand-GroupTransitiveMembership 00000000-0000-0000-0000-000000000000 -LookupCache $LookupCache Expand transitive group membership of group "00000000-0000-0000-0000-000000000000". Ensure all nested groups are in $LookupCache. .INPUTS System.Object #> function Expand-GroupTransitiveMembership { [CmdletBinding()] param ( # GroupId within Cache for which to calculate transitive member list. [Parameter(Mandatory = $true, Position = 1)] [System.Collections.Generic.Stack[guid]] $GroupId, # Lookup Cache populated with all nested group objects necessary to calculate transitive members. [Parameter(Mandatory = $true)] [psobject] $LookupCache ) $Group = Get-AadObjectById $GroupId.Peek() -LookupCache $LookupCache -ObjectType group -UseLookupCacheOnly if ($Group.psobject.Properties.Name.Contains('transitiveMembers')) { $Group.transitiveMembers } else { $transitiveMembers = New-Object 'System.Collections.Generic.Dictionary[guid,psobject]' if ($Group.psobject.Properties.Name.Contains('members')) { foreach ($member in $Group.members) { if (!$transitiveMembers.ContainsKey($member.id)) { $transitiveMembers.Add($member.id, $member) $member } if ($member.'@odata.type' -eq '#microsoft.graph.group') { if (!$GroupId.Contains($member.id)) { $GroupId.Push($member.id) $transitiveMembersNested = Expand-GroupTransitiveMembership $GroupId -LookupCache $LookupCache foreach ($memberNested in $transitiveMembersNested) { if (!$transitiveMembers.ContainsKey($memberNested.id)) { $transitiveMembers.Add($memberNested.id, $memberNested) $memberNested } } } } } } if ($GroupId.Count -eq 1) { $Group | Add-Member -Name transitiveMembers -MemberType NoteProperty -Value ([System.Collections.ArrayList]$transitiveMembers.Values) -ErrorAction Ignore } } [void]$GroupId.Pop() } #endregion #region Expand-JsonWebTokenPayload.ps1 <# .SYNOPSIS Extract Json Web Token (JWT) from JWS structure to PowerShell object. .EXAMPLE PS C:\>$MsalToken.IdToken | Expand-JsonWebTokenPayload Extract Json Web Token (JWT) from JWS structure to PowerShell object. .INPUTS System.String .LINK https://github.com/jasoth/MSIdentityTools #> function Expand-JsonWebTokenPayload { [CmdletBinding()] [Alias('Expand-JwtPayload')] [OutputType([PSCustomObject])] param ( # JSON Web Signature (JWS) [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [string[]] $InputObjects ) process { foreach ($InputObject in $InputObjects) { [string] $JwsPayload = $InputObject.Split('.')[1] $JwtDecoded = $JwsPayload | ConvertFrom-Base64String -Base64Url | ConvertFrom-Json Write-Output $JwtDecoded } } } #endregion #region Expand-MsGraphRelationship.ps1 <# .SYNOPSIS Expand MS Graph relationship property on object. .EXAMPLE PS C:\>@{ id = "00000000-0000-0000-0000-000000000000" } | Expand-MsGraphRelationship -ObjectType groups -PropertyName members -References Add and populate members property on input object using a references call for best performance. .INPUTS System.Object #> function Expand-MsGraphRelationship { [CmdletBinding()] param ( # MS Graph Object to expand with relationship property. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # Type of object being expanded. [Parameter(Mandatory = $true)] [Alias('Type')] [ValidateSet('groups', 'directoryRoles')] [string] $ObjectType, # Name of relationship property. [Parameter(Mandatory = $true)] [string] $PropertyName, # Only retrieve relationship object references. [Parameter(Mandatory = $false)] [switch] $References, # Filters properties (columns). [Parameter(Mandatory = $false)] [string[]] $Select, # Number of results per request [Parameter(Mandatory = $false)] [int] $Top, # Skip expanding object references their total is above threshold. Warning: This could alter the order of output objects when batching is enabled. [Parameter(Mandatory = $false)] [int] $SkipRelationshipThreshold, # Specify Batch size. [Parameter(Mandatory = $false)] [int] $BatchSize = 20 ) begin { $InputObjects = New-Object 'System.Collections.Generic.List[psobject]' $uri = ('{0}/{{0}}/{1}' -f $ObjectType, $PropertyName) if ($References) { $uri = '{0}/$ref' -f $uri } elseif ($Select) { $uri = $uri + ('?$select={0}' -f ($Select -join ',')) } } process { if ($SkipRelationshipThreshold -gt 0) { [int]$Total = Get-MsGraphResultsCount ($uri -f $InputObject.id) if ($null -ne $Total -and $Total -gt $SkipRelationshipThreshold) { return $InputObject } } $InputObjects.Add($InputObject) ## Wait For Full Batch if ($InputObjects.Count -ge $BatchSize) { #[int] $Total = $InputObjects[0..($BatchSize - 1)] | ForEach-Object { $uri -f $_.id } | Get-MsGraphResultsCount -GraphBaseUri $GraphBaseUri if ($Top -gt 1) { [array] $Results = $InputObjects[0..($BatchSize - 1)] | Get-MsGraphResults $uri -Top $Top -DisableUniqueIdDeduplication -GroupOutputByRequest } else { [array] $Results = $InputObjects[0..($BatchSize - 1)] | Get-MsGraphResults $uri -DisableUniqueIdDeduplication -GroupOutputByRequest } for ($i = 0; $i -lt $InputObjects.Count; $i++) { $refValues = @() if ($i -lt $Results.Count) { [array] $refValues = $Results[$i] } if ($References) { $refValues = $refValues | Expand-ODataId | Select-Object -Property "*" -ExcludeProperty '@odata.id' } $InputObjects[$i] | Add-Member -Name $PropertyName -MemberType NoteProperty -Value $refValues -PassThru -ErrorAction Ignore } $InputObjects.RemoveRange(0, $BatchSize) } } end { ## Finish Remaining if ($InputObjects.Count) { if ($Top -gt 1) { [array] $Results = $InputObjects | Get-MsGraphResults $uri -Top $Top -DisableUniqueIdDeduplication -GroupOutputByRequest } else { [array] $Results = $InputObjects | Get-MsGraphResults $uri -DisableUniqueIdDeduplication -GroupOutputByRequest } for ($i = 0; $i -lt $InputObjects.Count; $i++) { $refValues = @() if ($Results.Count -gt $i) { [array] $refValues = $Results[$i] } if ($References) { $refValues = $refValues | Expand-ODataId | Select-Object -Property "*" -ExcludeProperty '@odata.id' } $InputObjects[$i] | Add-Member -Name $PropertyName -MemberType NoteProperty -Value $refValues -PassThru -ErrorAction Ignore } } } } #endregion #region Expand-ODataId.ps1 <# .SYNOPSIS Use @odata.id property on object to expand object with id and @odata.type properties. .EXAMPLE PS C:\>Expand-ODataId @{ @odata.id = "directoryObjects/00000000-0000-0000-0000-000000000000/Microsoft.DirectoryServices.User" } Expands input object with extracted id and @odata.type from @odata.id property. .INPUTS System.Object #> function Expand-ODataId { [CmdletBinding()] [OutputType([PSCustomObject])] param ( # MS Graph Object with @odata.id property to expand. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [AllowEmptyCollection()] [object[]] $InputObjects ) process { foreach ($InputObject in $InputObjects) { ## MS Graph references in Gov tenants do not follow odata naming schema. if ($InputObject.psobject.Properties.Name.Contains('url')) { $InputObject | Add-Member -Name '@odata.id' -MemberType AliasProperty -Value 'url' } if ($InputObject.'@odata.id' -match 'directoryObjects/(.+)/.+\.(.+)$') { $InputObject | Add-Member -Name 'id' -MemberType NoteProperty -Value $Matches[1] -ErrorAction Ignore $InputObject | Add-Member -Name '@odata.type' -MemberType NoteProperty -Value ('#microsoft.graph.{0}' -f ($Matches[2][0].ToString().ToLower() + $Matches[2].Substring(1))) -ErrorAction Ignore } $InputObject } } } #endregion #region Export-Config.ps1 <# .SYNOPSIS Export Configuration .EXAMPLE PS C:\>Export-Config Export Configuration .INPUTS System.String #> function Export-Config { [CmdletBinding()] param ( # Configuration Object [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject = $script:ModuleConfig, # Property Names to Ignore [Parameter(Mandatory = $false)] [string[]] $IgnoreProperty, # Ignore Default Configuration Values [Parameter(Mandatory = $false)] [psobject] $IgnoreDefaultValues = $script:ModuleConfigDefault, # Configuration File Path [Parameter(Mandatory = $false)] [string] $Path = 'config.json' ) ## Initialize if (![IO.Path]::IsPathRooted($Path)) { $AppDataDirectory = Join-Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::ApplicationData)) 'AzureADAssessment' $Path = Join-Path $AppDataDirectory $Path } ## Read configuration file $ModuleConfigPersistent = $null if (Test-Path $Path) { ## Load from File $ModuleConfigPersistent = Get-Content $Path -Raw | ConvertFrom-Json } if (!$ModuleConfigPersistent) { $ModuleConfigPersistent = [PSCustomObject]@{} } ## Update persistent configuration foreach ($Property in $InputObject.psobject.Properties) { if ($Property.Name -in (Get-ObjectPropertyValue $ModuleConfigPersistent.psobject.Properties 'Name')) { ## Update previously persistent property value $ModuleConfigPersistent.($Property.Name) = $Property.Value } elseif ($IgnoreProperty -notcontains $Property.Name -and $Property.Value -ne (Get-ObjectPropertyValue $IgnoreDefaultValues $Property.Name)) { ## Add property with non-default value $ModuleConfigPersistent | Add-Member -Name $Property.Name -MemberType NoteProperty -Value $Property.Value } } ## Export persistent configuration to file Assert-DirectoryExists $AppDataDirectory ConvertTo-Json $ModuleConfigPersistent | Set-Content $Path } #endregion #region Export-EventLog.ps1 <# .SYNOPSIS Exports events from an event log. .DESCRIPTION .EXAMPLE PS C:\>Export-EventLog 'C:\ADFS-Admin.evtx' -LogName 'AD FS/Admin' Export all logs from "AD FS/Admin" event log. .INPUTS System.String .LINK https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil #> function Export-EventLog { [CmdletBinding()] param ( # Path to the file where the exported events will be stored [Parameter(Mandatory = $true)] [string] $Path, # Name of log [Parameter(Mandatory = $true)] [string] $LogName, # Defines the XPath query to filter the events that are read or exported. [Parameter(Mandatory = $false)] [Alias('q')] [string] $Query, # Specifies that the export file should be overwritten. [Parameter(Mandatory = $false)] [Alias('ow')] [switch] $Overwrite ) $argsWevtutil = New-Object 'System.Collections.Generic.List[System.String]' $argsWevtutil.Add('export-log') $argsWevtutil.Add($LogName) $argsWevtutil.Add($Path) if ($Query) { $argsWevtutil.Add(('/q:"{0}"' -f $Query)) } if ($PSBoundParameters.ContainsKey('Overwrite')) { $argsWevtutil.Add(('/ow:{0}' -f $Overwrite)) } wevtutil $argsWevtutil.ToArray() } #endregion #region Export-JsonArray.ps1 <# .SYNOPSIS Converts an object to a JSON-formatted string and saves the string to a file. .EXAMPLE PS C:\>@{ Property = 'Value' } | Export-JsonArray -Path .\JsonFile.json Converts an object to a JSON-formatted string and saves the string to a file. .INPUTS System.Object .NOTES Due to limitations in script functions, there is no way to override the StopProcessing() function or detect the user stopping a command. This could leave a file lock on the output file. To release the lock on the file manually either close the PowerShell process or force garbage collection using the command below. PS C:\>[System.GC]::Collect() #> function Export-JsonArray { [CmdletBinding()] [OutputType([string])] param ( # Specifies the objects to convert to JSON format. [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [psobject[]] $InputObject, # Omits white space and indented formatting in the output string. [Parameter(Mandatory = $false)] [switch] $Compress, # Specifies how many levels of contained objects are included in the JSON representation. The default value is 2. [Parameter(Mandatory = $false)] [int] $Depth = 2, # A required parameter that specifies the location to save the JSON output file. [Parameter(Mandatory = $true, Position = 0)] [string] $Path ) begin { [int] $iObject = 0 [string] $JsonObject = $null try { $StreamWriter = New-Object System.IO.StreamWriter -ArgumentList $Path } catch [System.Management.Automation.MethodInvocationException] { [System.GC]::Collect() $StreamWriter = New-Object System.IO.StreamWriter -ArgumentList $Path } try { ## Start JSON Array to File #Set-Content $Path -Value '[' -NoNewline if ($Compress) { $StreamWriter.Write('[') } else { $StreamWriter.WriteLine('[') } } catch { $StreamWriter.Close() throw } } process { try { foreach ($Object in $InputObject) { $JsonObject = ConvertTo-Json $Object -Depth $Depth -Compress:$Compress if ($iObject -gt 0) { if ($Compress) { $StreamWriter.Write(',') } else { $StreamWriter.WriteLine(',') } } ## Add JSON Object to File #Add-Content $Path -Value $JsonObject -NoNewline if (!$Compress) { $JsonObject = (' ' + $JsonObject) -replace ([Environment]::NewLine), "$([Environment]::NewLine) " } $StreamWriter.Write($JsonObject) $iObject++ } } catch { $StreamWriter.Close() throw } } end { try { ## Complete JSON Array to File #Add-Content $Path -Value ']' if (!$Compress) { $StreamWriter.WriteLine('') } $StreamWriter.Write(']') } finally { $StreamWriter.Close() } } } #endregion #region Get-MsGraphResults.ps1 <# .SYNOPSIS Query Microsoft Graph API .PARAMETER EnableInFilter Enables in filter by in on ids for requried uniqueIds; $filter={previous filter} and id in ({csv with ids}) Should be more flexible than GetByIds, scalability to be tested to eventually replace getbyids This filter is currently experimental and will be subject to future change (move to DisableInFilterBatching). .EXAMPLE PS C:\>Get-MsGraphResults 'users' Return query results for first page of users. .EXAMPLE PS C:\>Get-MsGraphResults 'users' -ApiVersion beta Return query results for all users using the beta API. .EXAMPLE PS C:\>Get-MsGraphResults 'users' -UniqueId 'user1@domain.com','user2@domain.com' -Select id,userPrincipalName,displayName Return id, userPrincipalName, and displayName for user1@domain.com and user2@domain.com. #> function Get-MsGraphResults { [CmdletBinding()] [OutputType([PSCustomObject])] param ( # Graph endpoint such as "users". [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [uri[]] $RelativeUri, # Specifies unique Id(s) for the URI endpoint. For example, users endpoint accepts Id or UPN. [Parameter(Mandatory = $false, Position = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [Alias('Id')] #[ValidateNotNullOrEmpty()] [string[]] $UniqueId, # Filters properties (columns). [Parameter(Mandatory = $false)] [string[]] $Select, # Filters results (rows). https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter [Parameter(Mandatory = $false)] [string] $Filter, # Specifies the page size of the result set. [Parameter(Mandatory = $false)] [int] $Top, # Include a count of the total number of items in a collection [Parameter(Mandatory = $false)] [switch] $Count, # Parameters such as "$orderby". [Parameter(Mandatory = $false)] [hashtable] $QueryParameters, # API Version. [Parameter(Mandatory = $false)] [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'v1.0', # Specifies consistency level. [Parameter(Mandatory = $false)] [string] $ConsistencyLevel = "eventual", # Correlation Id (client-request-id). [Parameter(Mandatory = $false)] [guid] $CorrelationId = (New-Guid), # Total requests to calcuate progress bar when using pipeline. [Parameter(Mandatory = $false)] [int] $TotalRequests, # Copy OData Context to each result value. [Parameter(Mandatory = $false)] [switch] $KeepODataContext, # Add OData Type to each result value. [Parameter(Mandatory = $false)] [switch] $AddODataType, # Incapsulate member and owner reference calls with a parent object. [Parameter(Mandatory = $false)] [switch] $IncapsulateReferenceListInParentObject, # Group results in array by request. [Parameter(Mandatory = $false)] [switch] $GroupOutputByRequest, # Disable deduplication of UniqueId values. [Parameter(Mandatory = $false)] [switch] $DisableUniqueIdDeduplication, # Only return first page of results. [Parameter(Mandatory = $false)] [switch] $DisablePaging, # Disable consolidating uniqueIds using getByIds endpoint [Parameter(Mandatory = $false)] [switch] $DisableGetByIdsBatching, # Specify GetByIds Batch size. [Parameter(Mandatory = $false)] [int] $GetByIdsBatchSize = 1000, # Enables in filter by in on ids for requried uniqueIds; $filter={previous filter} and id in ({csv with ids}) # Should be more flexible than GetByIds, scalability to be tested to eventually replace getbyids [Parameter(Mandatory = $false)] [switch] $EnableInFilter, [Parameter(Mandatory = $false)] [int] $InFilterBatchSize = 15, # Force individual requests to MS Graph. [Parameter(Mandatory = $false)] [switch] $DisableBatching, # Specify Batch size. [Parameter(Mandatory = $false)] [int] $BatchSize = 20, # Base URL for Microsoft Graph API. [Parameter(Mandatory = $false)] [uri] $GraphBaseUri = $script:mapMgEnvironmentToMgEndpoint[$script:ConnectState.CloudEnvironment] ) begin { if ($EnableInFilter) { Write-Verbose "EnableInFilter switch used: this filter is currently experimental and will be subject to future change (move to DisableInFilterBatching)" } [uri] $uriGraphVersionBase = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, $ApiVersion) $listRequests = New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.List[pscustomobject]]' $listRequests.Add($uriGraphVersionBase.AbsoluteUri, (New-Object 'System.Collections.Generic.List[pscustomobject]')) [System.Collections.Generic.List[guid]] $listIds = New-Object 'System.Collections.Generic.List[guid]' [System.Collections.Generic.HashSet[uri]] $hashUri = New-Object 'System.Collections.Generic.HashSet[uri]' $ProgressState = Start-Progress -Activity 'Microsoft Graph Requests' -Total $TotalRequests function Catch-MsGraphError { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.Management.Automation.ErrorRecord] $ErrorRecord ) # throw error record directly if no response is found on the exception if (!$_.Exception.psobject.Properties.Name.Contains('Response')) { throw $ErrorRecord } $ResponseDetail = Get-MsGraphResponseDetail $_ Write-Debug -Message (ConvertTo-Json ([PSCustomObject]$ResponseDetail) -Depth 3) if ($ResponseDetail['ContentParsed']) { ## Terminating errors with specific codes if ($ResponseDetail['ContentParsed'].error.code -in ('Authentication_ExpiredToken', 'Service_ServiceUnavailable', 'Request_UnsupportedQuery')) { #Write-AppInsightsException -ErrorRecord $_ -OrderedProperties $ResponseDetail # Not needed when calling function has try finally to write terminating errors Write-Error -Exception $_.Exception -Message $ResponseDetail['ContentParsed'].error.message -ErrorId $ResponseDetail['ContentParsed'].error.code -Category $_.CategoryInfo.Category -CategoryActivity $_.CategoryInfo.Activity -CategoryReason $_.CategoryInfo.Reason -CategoryTargetName $_.CategoryInfo.TargetName -CategoryTargetType $_.CategoryInfo.TargetType -TargetObject $_.TargetObject -ErrorAction Stop } else { ## Ignore errors with specific codes else display non-terminating error if ($ResponseDetail['ContentParsed'].error.code -eq 'Request_ResourceNotFound') { Write-Error -Exception $_.Exception -Message $ResponseDetail['ContentParsed'].error.message -ErrorId $ResponseDetail['ContentParsed'].error.code -Category $_.CategoryInfo.Category -CategoryActivity $_.CategoryInfo.Activity -CategoryReason $_.CategoryInfo.Reason -CategoryTargetName $_.CategoryInfo.TargetName -CategoryTargetType $_.CategoryInfo.TargetType -TargetObject $_.TargetObject -ErrorVariable cmdError -ErrorAction SilentlyContinue #Write-Warning $ResponseDetail['ContentParsed'].error.message } else { Write-Error -Exception $_.Exception -Message $ResponseDetail['ContentParsed'].error.message -ErrorId $ResponseDetail['ContentParsed'].error.code -Category $_.CategoryInfo.Category -CategoryActivity $_.CategoryInfo.Activity -CategoryReason $_.CategoryInfo.Reason -CategoryTargetName $_.CategoryInfo.TargetName -CategoryTargetType $_.CategoryInfo.TargetType -TargetObject $_.TargetObject -ErrorVariable cmdError } if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') } Write-AppInsightsException -ErrorRecord $cmdError -OrderedProperties $ResponseDetail } } else { throw $ErrorRecord } } function Test-MsGraphBatchError ($BatchResponse, $BatchRequest) { if ($BatchResponse.status -ne '200') { Write-Debug -Message (ConvertTo-Json $BatchResponse -Depth 3) ## Terminating errors with specific codes if ($BatchResponse.body.error.code -in ('Authentication_ExpiredToken','Service_ServiceUnavailable','Request_UnsupportedQuery')) { Write-Error -Message $BatchResponse.body.error.message -ErrorId $BatchResponse.body.error.code -ErrorAction Stop } else { ## Ignore errors with specific codes else display non-terminating error if ($BatchResponse.body.error.code -eq 'Request_ResourceNotFound') { Write-Error -Message $BatchResponse.body.error.message -ErrorId $BatchResponse.body.error.code -ErrorVariable cmdError -ErrorAction SilentlyContinue #Write-Warning $BatchResponse.body.error.message } else { Write-Error -Message $BatchResponse.body.error.message -ErrorId $BatchResponse.body.error.code -ErrorVariable cmdError } # generate extra properties for the exception $ResponseDetail = Get-MsGraphResponseDetail $BatchResponse if ($BatchRequest) { $ResponseDetail["Request"] = "{0} {1}" -f $BatchRequest.method, $BatchRequest.url } if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') } Write-AppInsightsException -ErrorRecord $cmdError -OrderedProperties $ResponseDetail } return $true } return $false } function Add-MsGraphRequest { param ( # A collection of request objects. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [object[]] $Requests, # Base URL for Microsoft Graph API. [Parameter(Mandatory = $false)] [uri] $GraphBaseUri = 'https://graph.microsoft.com/' ) process { foreach ($Request in $Requests) { if ($DisableBatching) { if ($ProgressState) { Update-Progress $ProgressState -CurrentOperation ('{0} {1}' -f $Request.method.ToUpper(), $Request.url) -IncrementBy 1 } Invoke-MsGraphRequest $Request -GraphBaseUri $GraphBaseUri } else { $listRequests[$GraphBaseUri].Add($Request) ## Invoke when there are enough for a batch while ($listRequests[$GraphBaseUri].Count -ge $BatchSize) { Invoke-MsGraphBatchRequest $listRequests[$GraphBaseUri][0..($BatchSize - 1)] -BatchSize $BatchSize -ProgressState $ProgressState -GraphBaseUri $GraphBaseUri $listRequests[$GraphBaseUri].RemoveRange(0, $BatchSize) } } } } } function Invoke-MsGraphBatchRequest { param ( # A collection of request objects. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [object[]] $Requests, # Specify Batch size. [Parameter(Mandatory = $false)] [int] $BatchSize = 20, # Use external progress object. [Parameter(Mandatory = $false)] [psobject] $ProgressState, # Base URL for Microsoft Graph API. [Parameter(Mandatory = $false)] [uri] $GraphBaseUri = 'https://graph.microsoft.com/' ) begin { [bool] $ExternalProgress = $false if ($ProgressState) { $ExternalProgress = $true } else { $ProgressState = Start-Progress -Activity 'Microsoft Graph Requests - Batched' -Total $Requests.Count $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } [uri] $uriEndpoint = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, '$batch') $listRequests = New-Object 'System.Collections.Generic.List[pscustomobject]' } process { foreach ($Request in $Requests) { $listRequests.Add($Request) } } end { [array] $BatchRequests = New-MsGraphBatchRequest $listRequests -BatchSize $BatchSize for ($iRequest = 0; $iRequest -lt $BatchRequests.Count; $iRequest++) { if ($ProgressState.Total -gt $BatchSize) { Update-Progress $ProgressState -CurrentOperation ('{0} {1}' -f $BatchRequests[$iRequest].method.ToUpper(), $BatchRequests[$iRequest].url) -IncrementBy $BatchRequests[$iRequest].body.requests.Count } $resultsBatch = Invoke-MsGraphRequest $BatchRequests[$iRequest] -NoAppInsights -GraphBaseUri $GraphBaseUri [array] $resultsBatch = $resultsBatch.responses | Sort-Object -Property { [int]$_.id } foreach ($results in ($resultsBatch)) { # check if batch result failed and call the endpoint or throw if ($results.status -eq "429") { [int] $RetryAfter = Get-ObjectPropertyValue $results headers 'Retry-After' [double] $SecondsRemaining = $RetryAfter $Date = Get-ObjectPropertyValue $results body error innerError 'date' if ($Date) { if ($PSVersionTable.PSVersion -ge [version]'7.1') { $CurrentTime = Get-Date -AsUTC } else { $CurrentTime = [datetime]::UtcNow } $SecondsRemaining = $(([datetime]$Date).AddSeconds($RetryAfter) - $CurrentTime).TotalSeconds } if ($SecondsRemaining -gt 0) { Write-Warning ("Request from batch was throttled and will attempt retry after {0:0}s." -f $SecondsRemaining) Start-Sleep -Seconds $SecondsRemaining } else { Write-Warning "Request from batch was throttled and will attempt retry." } Invoke-MsGraphRequest $request -NoAppInsights -GraphBaseUri $GraphBaseUri continue } $currentRequest = $BatchRequests[$iRequest] | Where-Object {$_.id -eq $results.id} if (!(Test-MsGraphBatchError $results $currentRequest)) { if ($IncapsulateReferenceListInParentObject -and $listRequests[$results.id].url -match '.*/(.+)/(.+)/((?:transitive)?members|owners)') { [PSCustomObject]@{ id = $Matches[2] '@odata.type' = '#{0}' -f (Get-MsGraphEntityType $GraphBaseUri.AbsoluteUri -EntityName $Matches[1]) $Matches[3] = Complete-MsGraphResult $results.body -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest -Request $listRequests[$results.id] -GraphBaseUri $GraphBaseUri } } else { Complete-MsGraphResult $results.body -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest:$GroupOutputByRequest -Request $listRequests[$results.id] -GraphBaseUri $GraphBaseUri } } } } if (!$ExternalProgress) { $Stopwatch.Stop() Write-AppInsightsDependency ('{0} {1}' -f 'POST', $uriEndpoint.AbsolutePath) -Type 'MS Graph' -Data ("{0} {1}`r`n`r`n{2}" -f 'POST', $uriEndpoint.AbsoluteUri, ('{{"requests":[...{0}...]}}' -f $listRequests.Count)) -Duration $Stopwatch.Elapsed -Success ($null -ne $resultsBatch) Stop-Progress $ProgressState } } } function Invoke-MsGraphRequest { param ( # A collection of request objects. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $Request, # Do not write application insights dependency. [Parameter(Mandatory = $false)] [switch] $NoAppInsights, # Base URL for Microsoft Graph API. [Parameter(Mandatory = $false)] [uri] $GraphBaseUri = 'https://graph.microsoft.com/', # Number of retries in case of throttling [Parameter(Mandatory = $false)] [int] $MaxRetries = 5, # Default Retry-After value [Parameter(Mandatory = $false)] [int] $RetryAfter = 2 ) process { [uri] $uriEndpoint = $Request.url if (!$uriEndpoint.IsAbsoluteUri) { $uriEndpoint = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, $Request.url.TrimStart('/')) } #if ($uriEndpoint.Segments -contains 'directoryObjects/') { $NoAppInsights = $true } [hashtable] $paramInvokeRestMethod = @{ Method = $Request.method Uri = $uriEndpoint } if ($Request.psobject.Properties.Name -contains 'headers') { $paramInvokeRestMethod.Add('Headers', $Request.headers) } if ($Request.psobject.Properties.Name -contains 'body') { $paramInvokeRestMethod.Add('Body', ($Request.body | ConvertTo-Json -Depth 10 -Compress)) $paramInvokeRestMethod.Add('ContentType', 'application/json') } ## Get results $results = $null $MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop if (!$NoAppInsights) { $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } try { for($Retries = 0; $Retries -le $MaxRetries; $Retries++) { try { $results = Invoke-RestMethod -WebSession $MsGraphSession -UseBasicParsing @paramInvokeRestMethod -ErrorAction Stop break # break the loop if no error was raised } catch { ## Retry request if response returns error or indicates throttling # Windows PowerShell WebException Example: $_.Exception.Status -eq 'Timeout' # Response is also null because there was no response. # Example: $_.Exception.Response.StatusCode.value__ -eq 429 # Throttling # Example: $_.Exception.Response.StatusCode.value__ -eq 503 # ServiceUnavailable #if ($Retries -lt $MaxRetries -and ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429 -or (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 503 -or !(Get-ObjectPropertyValue $_ Exception Response))) { if ($Retries -lt $MaxRetries -and (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -notin 400,403) { $ResponseDetail = Get-MsGraphResponseDetail $_ if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') } Write-AppInsightsException -ErrorRecord $_ -OrderedProperties $ResponseDetail # Get the retry after header try { $RetryAfter = $_.Exception.Response.Headers.GetValues('Retry-After')[0] } catch { if ($Retries -gt 0) { $RetryAfter *= 2 } } if ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429) { Write-Warning "Request was throttled and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s." } else { Write-Warning "Request returned error and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s." } Start-Sleep -Seconds $RetryAfter } else { # catch error if it was the last try Catch-MsGraphError $_ break # break the loop if error was not due to throttling } } } if ($results) { if ($IncapsulateReferenceListInParentObject -and $Request.url -match '.*/(.+)/(.+)/((?:transitive)?members|owners)') { [PSCustomObject]@{ id = $Matches[2] '@odata.type' = '#{0}' -f (Get-MsGraphEntityType $GraphBaseUri.AbsoluteUri -EntityName $Matches[1]) $Matches[3] = Complete-MsGraphResult $results -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest -Request $Request -GraphBaseUri $GraphBaseUri -MaxRetries $MaxRetries -RetryAfter $RetryAfter } } else { Complete-MsGraphResult $results -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest:$GroupOutputByRequest -Request $Request -GraphBaseUri $GraphBaseUri -MaxRetries $MaxRetries -RetryAfter $RetryAfter } } } finally { if (!$NoAppInsights) { $Stopwatch.Stop() Write-AppInsightsDependency ('{0} {1}' -f $Request.method.ToUpper(), $uriEndpoint.AbsolutePath) -Type 'MS Graph' -Data ('{0} {1}' -f $Request.method.ToUpper(), $uriEndpoint.AbsoluteUri) -Duration $Stopwatch.Elapsed -Success ($null -ne $results) } } } } function Complete-MsGraphResult { param ( # Results from MS Graph API. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [object[]] $Results, # Only return first page of results. [Parameter(Mandatory = $false)] [switch] $DisablePaging, # Copy ODataContext to each result value. [Parameter(Mandatory = $false)] [switch] $KeepODataContext, # Add ODataType to each result value. [Parameter(Mandatory = $false)] [switch] $AddODataType, # Group results in array by request. [Parameter(Mandatory = $false)] [switch] $GroupOutputByRequest, # MS Graph request object. [Parameter(Mandatory = $false)] [psobject] $Request, # Base URL for Microsoft Graph API. [Parameter(Mandatory = $false)] [uri] $GraphBaseUri = 'https://graph.microsoft.com/', # Number of retries in case of throttling [Parameter(Mandatory = $false)] [int] $MaxRetries = 5, # Default Retry-After value [Parameter(Mandatory = $false)] [int] $RetryAfter = 2 ) begin { [System.Collections.Generic.List[object]] $listOutput = New-Object 'System.Collections.Generic.List[object]' } process { foreach ($Result in $Results) { $Output = Expand-MsGraphResult $Result -RawOutput:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType if ($GroupOutputByRequest -and $Output) { $listOutput.AddRange([array]$Output) } else { $Output } if (!$DisablePaging -and $Result) { if (Get-ObjectPropertyValue $Result '@odata.nextLink') { [uri] $uriEndpoint = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, $Request.url.TrimStart('/')) [int] $Total = Get-MsGraphResultsCount $uriEndpoint -GraphBaseUri $GraphBaseUri $Activity = ('{0} {1}' -f $Request.method.ToUpper(), $uriEndpoint.AbsolutePath) $ProgressState = Start-Progress -Activity $Activity -Total $Total $ProgressState.CurrentIteration = $Result.value.Count try { while (Get-ObjectPropertyValue $Result '@odata.nextLink') { Update-Progress $ProgressState -IncrementBy $Result.value.Count $nextLink = $Result.'@odata.nextLink' $MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop $Result = $null for ($Retries = 0; $Retries -le $MaxRetries; $Retries++) { try { $Result = Invoke-RestMethod -WebSession $MsGraphSession -UseBasicParsing -Method Get -Uri $nextLink -Headers $Request.headers -ErrorAction Stop break # break the loop if no error was raised } catch { ## Retry request if response returns error or indicates throttling #if ($Retries -lt $MaxRetries -and ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429 -or (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 503 -or !(Get-ObjectPropertyValue $_ Exception Response))) { if ($Retries -lt $MaxRetries -and (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -notin 400, 403) { $ResponseDetail = Get-MsGraphResponseDetail $_ if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') } Write-AppInsightsException -ErrorRecord $_ -OrderedProperties $ResponseDetail # Get the retry after header try { $RetryAfter = $_.Exception.Response.Headers.GetValues('Retry-After')[0] } catch { if ($Retries -gt 0) { $RetryAfter *= 2 } } if ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429) { Write-Warning "Request was throttled and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s." } else { Write-Warning "Request returned error and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s." } Start-Sleep -Seconds $RetryAfter } else { # catch error if it was the last try Catch-MsGraphError $_ break # break the loop if error was not due to throttling } } } if ($Result) { $Output = Expand-MsGraphResult $Result -RawOutput:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType if ($GroupOutputByRequest -and $Output) { $listOutput.AddRange([array]$Output) } else { $Output } } } } finally { Stop-Progress $ProgressState } } } } } end { if ($GroupOutputByRequest) { Write-Output $listOutput.ToArray() -NoEnumerate } } } } process { ## Initialize if ($PSBoundParameters.ContainsKey('UniqueId') -and !$UniqueId) { return } if ($RelativeUri.OriginalString -eq $UniqueId) { $UniqueId = $null } # Pipeline string/uri input binds to both parameters so default to just uri ## Process Each RelativeUri foreach ($uri in $RelativeUri) { [string] $BaseUri = $uriGraphVersionBase.AbsoluteUri if ($uri.IsAbsoluteUri) { if ($uri.AbsoluteUri -match '^https://(.+?)/(v1.0|beta)?') { $BaseUri = $Matches[0] } if (!$listRequests.ContainsKey($BaseUri)) { $listRequests.Add($BaseUri, (New-Object 'System.Collections.Generic.List[pscustomobject]')) } $uriQueryEndpoint = New-Object System.UriBuilder -ArgumentList $uri } else { $uriQueryEndpoint = New-Object System.UriBuilder -ArgumentList ([IO.Path]::Combine($BaseUri, $uri)) } ## Combine query parameters from URI and cmdlet parameters [hashtable] $QueryParametersFinal = @{ } if ($uriQueryEndpoint.Query) { $QueryParametersFinal = ConvertFrom-QueryString $uriQueryEndpoint.Query -AsHashtable if ($QueryParameters) { foreach ($ParameterName in $QueryParameters.Keys) { $QueryParametersFinal[$ParameterName] = $QueryParameters[$ParameterName] } } } elseif ($QueryParameters) { $QueryParametersFinal = $QueryParameters } if ($Select) { $QueryParametersFinal['$select'] = $Select -join ',' } if ($Filter) { $QueryParametersFinal['$filter'] = $Filter } if ($Top) { $QueryParametersFinal['$top'] = $Top } if ($PSBoundParameters.ContainsKey('Count')) { $QueryParametersFinal['$count'] = ([string]$Count).ToLower() } $uriQueryEndpoint.Query = ConvertTo-QueryString $QueryParametersFinal ## Expand with UniqueIds if ($UniqueId) { foreach ($id in $UniqueId) { if ($id) { ## If the URI contains '{0}', then replace it with Unique Id. if ($uriQueryEndpoint.Uri.AbsoluteUri.Contains('%7B0%7D')) { $uriQueryEndpointUniqueId = New-Object System.UriBuilder -ArgumentList ([System.Net.WebUtility]::UrlDecode($uriQueryEndpoint.Uri.AbsoluteUri) -f [System.Net.WebUtility]::UrlEncode($id)) } else { $uriQueryEndpointUniqueId = New-Object System.UriBuilder -ArgumentList $uriQueryEndpoint.Uri $uriQueryEndpointUniqueId.Path = ([IO.Path]::Combine($uriQueryEndpointUniqueId.Path, $id)) } if ($DisableUniqueIdDeduplication -or $hashUri.Add($uriQueryEndpointUniqueId.Uri)) { if ($EnableInFilter -and $id -match '^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') { $listIds.Add($id) while($listIds.Count -ge $InFilterBatchSize) { # go back to initial uri (without appending id) $uriQueryEndpointUniqueId = New-Object System.UriBuilder -ArgumentList $uriQueryEndpoint.Uri # get the query parameters $QueryParametersInIds = ConvertFrom-QueryString $uriQueryEndpoint.Query -AsHashtable # get the ids to query $filterids = $listIds[0..($InFilterBatchSize - 1)] # append them to "$filter" if ($QueryParametersInIds.ContainsKey('$filter')) { $QueryParametersInIds['$filter'] = "($($QueryParametersInIds['$filter'])) and id in ('$($filterids -join "','")')" } else { $QueryParametersInIds['$filter'] = "id in ('$($filterids -join "','")')" } # update query $uriQueryEndpointUniqueId.Query = ConvertTo-QueryString $QueryParametersInIds # add new batch request New-MsGraphRequest $uriQueryEndpointUniqueId.Uri -Headers @{ 'client-request-id' = $CorrelationId; ConsistencyLevel = $ConsistencyLevel } | Add-MsGraphRequest -GraphBaseUri $BaseUri # remove ids from ids to request $listIds.RemoveRange(0, $InFilterBatchSize) # update progress if ($ProgressState) { $ProgressState.CurrentIteration += $InFilterBatchSize - 1 } } } elseif (!$DisableGetByIdsBatching -and $id -match '^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$' -and $uriQueryEndpoint.Uri.Segments.Count -eq 3 -and $uriQueryEndpoint.Uri.Segments[2] -in ('directoryObjects', 'users', 'groups', 'devices', 'servicePrincipals', 'applications') -and ($QueryParametersFinal.Count -eq 0 -or ($QueryParametersFinal.Count -eq 1 -and $QueryParametersFinal.ContainsKey('$select')))) { $listIds.Add($id) while ($listIds.Count -ge $GetByIdsBatchSize) { New-MsGraphGetByIdsRequest $listIds[0..($GetByIdsBatchSize - 1)] -Types $uriQueryEndpoint.Uri.Segments[2].TrimEnd('s') -Select $QueryParametersFinal['$select'] -BatchSize $GetByIdsBatchSize | Add-MsGraphRequest -GraphBaseUri $BaseUri $listIds.RemoveRange(0, $GetByIdsBatchSize) if ($ProgressState) { $ProgressState.CurrentIteration += $GetByIdsBatchSize - 1 } } } else { New-MsGraphRequest $uriQueryEndpointUniqueId.Uri -Headers @{ 'client-request-id' = $CorrelationId; ConsistencyLevel = $ConsistencyLevel } | Add-MsGraphRequest -GraphBaseUri $BaseUri } } elseif ($ProgressState) { $ProgressState.Total -= 1 } } elseif ($ProgressState) { $ProgressState.Total -= 1 } } } else { New-MsGraphRequest $uriQueryEndpoint.Uri -Headers @{ 'client-request-id' = $CorrelationId; ConsistencyLevel = $ConsistencyLevel } | Add-MsGraphRequest -GraphBaseUri $BaseUri } } } end { ## Complete Remaining Ids if ($listIds.Count -gt 0) { New-MsGraphGetByIdsRequest $listIds -Types $uriQueryEndpoint.Uri.Segments[2].TrimEnd('s') -Select $QueryParametersFinal['$select'] -BatchSize $GetByIdsBatchSize | Add-MsGraphRequest -GraphBaseUri $BaseUri if ($ProgressState) { $ProgressState.CurrentIteration += $listIds.Count - 1 } } ## Finish requests foreach ($BaseUri in $listRequests.Keys) { if ($listRequests[$BaseUri].Count -eq 1) { Invoke-MSGraphRequest $listRequests[$BaseUri][0] -GraphBaseUri $BaseUri } elseif ($listRequests[$BaseUri].Count -gt 0) { Invoke-MsGraphBatchRequest $listRequests[$BaseUri] -BatchSize $BatchSize -ProgressState $ProgressState -GraphBaseUri $BaseUri } if (!$DisableBatching -and $ProgressState -and $ProgressState.CurrentIteration -gt 1) { [uri] $uriEndpoint = [IO.Path]::Combine($BaseUri, '$batch') Write-AppInsightsDependency ('{0} {1}' -f 'POST', $uriEndpoint.AbsolutePath) -Type 'MS Graph' -Data ("{0} {1}`r`n`r`n{2}" -f 'POST', $uriEndpoint.AbsoluteUri, ('{{"requests":[...{0}...]}}' -f $ProgressState.CurrentIteration)) -Duration $ProgressState.Stopwatch.Elapsed -Success $? } } ## Clean-up if ($ProgressState) { Stop-Progress $ProgressState } } } <# .SYNOPSIS New request object containing Microsoft Graph API details. .EXAMPLE PS C:\>New-MsGraphRequest 'users' Return request object for GET /users. .EXAMPLE PS C:\>New-MsGraphRequest -Method Get -Uri 'https://graph.microsoft.com/v1.0/users' Return request object for GET /users. .EXAMPLE PS C:\>New-MsGraphRequest -Method Patch -Uri 'users/{id}' -Body ([PsCustomObject]{ displayName = "Joe Cool" } Return request object for PATCH /users/{id} with a body payload to update the displayName. #> function New-MsGraphRequest { [CmdletBinding()] param ( # Specifies the method used for the web request. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [Alias('Id')] [int] $RequestId = 0, # Specifies the method used for the web request. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [ValidateSet('Get', 'Head', 'Post', 'Put', 'Delete', 'Trace', 'Options', 'Merge', 'Patch')] [string] $Method = 'Get', # Specifies the Uniform Resource Identifier (URI) of the Internet resource to which the web request is sent. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [uri[]] $Uri, # Specifies the headers of the web request. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [hashtable] $Headers, # Specifies the body of the request. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [pscustomobject] $Body ) process { if (!$Headers) { $Headers = @{} } for ($iRequest = 0; $iRequest -lt $Uri.Count; $iRequest++) { if ($Body) { if (!$Headers.ContainsKey('Content-Type')) { $Headers.Add('Content-Type', 'application/json') } } [string] $url = $Uri[$iRequest].PathAndQuery if (!$url) { $url = $Uri[$iRequest].ToString() } [pscustomobject]@{ id = $RequestId + $iRequest method = $Method.ToUpper() url = $url -replace '^(https://.+?/)?/?(v1.0/|beta/)?', '/' headers = $Headers body = $Body } } } } function New-MsGraphGetByIdsRequest { [CmdletBinding()] param ( # A collection of IDs for which to return objects. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [guid[]] $Ids, # A collection of resource types that specifies the set of resource collections to search. [Parameter(Mandatory = $false)] [string[]] $Types, # Filters properties (columns). [Parameter(Mandatory = $false)] [string[]] $Select, # Specify Batch size. [Parameter(Mandatory = $false)] [int] $BatchSize = 1000 ) begin { $Types = $Types | Where-Object { $_ -ne 'directoryObject' } if (!$Select) { $Select = "*" } $listIds = New-Object 'System.Collections.Generic.List[guid]' } process { foreach ($Id in $Ids) { $listIds.Add($Id) ## Process IDs when a full batch is reached while ($listIds.Count -ge $BatchSize) { New-MsGraphRequest ('/directoryObjects/getByIds?$select={0}' -f ($Select -join ',')) -Method Post -Headers @{ 'Content-Type' = 'application/json' } -Body ([PSCustomObject]@{ ids = $listIds[0..($BatchSize - 1)] types = $Types }) $listIds.RemoveRange(0, $BatchSize) } } } end { ## Process any remaining IDs if ($listIds.Count -gt 0) { New-MsGraphRequest ('/directoryObjects/getByIds?$select={0}' -f ($Select -join ',')) -Method Post -Headers @{ 'Content-Type' = 'application/json' } -Body ([PSCustomObject]@{ ids = $listIds types = $Types }) } } } function New-MsGraphBatchRequest { [CmdletBinding()] param ( # A collection of request objects. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [object[]] $Requests, # Specify Batch size. [Parameter(Mandatory = $false)] [int] $BatchSize = 20, # Specify depth of nested batches. MS Graph does not currently support batch nesting. [Parameter(Mandatory = $false)] [int] $Depth = 1 ) process { for ($iRequest = 0; $iRequest -lt $Requests.Count; $iRequest += [System.Math]::Pow($BatchSize, $Depth)) { $indexEnd = [System.Math]::Min($iRequest + [System.Math]::Pow($BatchSize, $Depth) - 1, $Requests.Count - 1) ## Reset ID Order for ($iId = $iRequest; $iId -le $indexEnd; $iId++) { $Requests[$iId].id = $iId } ## Generate Batch Request if ($Depth -gt 1) { $BatchRequest = New-MsGraphBatchRequest $Requests[$iRequest..$indexEnd] -Depth ($Depth - 1) } else { $BatchRequest = $Requests[$iRequest..$indexEnd] } New-MsGraphRequest -RequestId $iRequest -Method Post -Uri '/$batch' -Headers @{ 'Content-Type' = 'application/json' } -Body ([PSCustomObject]@{ requests = $BatchRequest }) } } } function Get-MsGraphMetadata { param ( # Metadata URL for Microsoft Graph API. [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)] [uri] $Uri = 'https://graph.microsoft.com/v1.0/$metadata', # Force a refresh of metadata. [Parameter(Mandatory = $false)] [switch] $ForceRefresh ) if (!(Get-Variable MsGraphMetadataCache -Scope Script -ErrorAction SilentlyContinue)) { New-Variable -Name MsGraphMetadataCache -Scope Script -Value (New-Object 'System.Collections.Generic.Dictionary[string,xml]') } if (!$Uri.AbsolutePath.EndsWith('$metadata')) { $Uri = ([IO.Path]::Combine($Uri.AbsoluteUri, '$metadata')) } [string] $BaseUri = $Uri.AbsoluteUri if ($Uri.AbsoluteUri -match ('^.+{0}' -f ([regex]::Escape($Uri.AbsolutePath)))) { $BaseUri = $Matches[0] } if ($ForceRefresh -or !$script:MsGraphMetadataCache.ContainsKey($BaseUri)) { #$MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop try { $script:MsGraphMetadataCache[$BaseUri] = Invoke-RestMethod -UseBasicParsing -Method Get -Uri $Uri -ErrorAction Ignore } catch {} } return $script:MsGraphMetadataCache[$BaseUri] } function Get-MsGraphEntityType { param ( # Metadata URL for Microsoft Graph API. [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)] [uri] $Uri = 'https://graph.microsoft.com/v1.0/$metadata', # Name of endpoint. [Parameter(Mandatory = $false)] [string] $EntityName ) process { $MsGraphMetadata = Get-MSGraphMetadata $Uri if (!$EntityName -and $Uri.Fragment -match '^#(.+?)(\(.+\))?(/\$entity)?$') { $EntityName = $Matches[1] } foreach ($Schema in $MsGraphMetadata.Edmx.DataServices.Schema) { foreach ($EntitySet in $Schema.EntityContainer.EntitySet) { if ($EntitySet.Name -eq $EntityName) { return $EntitySet.EntityType } } } } } function Expand-MsGraphResult { param ( # Results from MS Graph API. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [object[]] $Results, # Do not expand result values [Parameter(Mandatory = $false)] [switch] $RawOutput, # Copy ODataContext to each result value [Parameter(Mandatory = $false)] [switch] $KeepODataContext, # Add ODataType to each result value [Parameter(Mandatory = $false)] [switch] $AddODataType ) process { foreach ($Result in $Results) { if (!$RawOutput -and (Get-ObjectPropertyValue $Result.psobject.Properties 'Name') -contains 'value') { foreach ($ResultValue in $Result.value) { if ($AddODataType) { $ODataType = Get-ObjectPropertyValue $Result '@odata.context' | Get-MsGraphEntityType if ($ODataType) { $ODataType = '#' + $ODataType } if ($ResultValue -is [hashtable] -and !$ResultValue.ContainsKey('@odata.type')) { $ResultValue.Add('@odata.type', $ODataType) } elseif ($ResultValue.psobject.Properties.Name -notcontains '@odata.type') { $ResultValue | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value $ODataType } } if ($KeepODataContext) { if ($ResultValue -is [hashtable]) { $ResultValue.Add('@odata.context', ('{0}/$entity' -f $Result.'@odata.context')) } else { $ResultValue | Add-Member -MemberType NoteProperty -Name '@odata.context' -Value ('{0}/$entity' -f $Result.'@odata.context') } } Write-Output $ResultValue } } else { Write-Output $Result } } } } function Get-MsGraphResultsCount { [CmdletBinding()] param ( # Graph endpoint such as "users". [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [uri] $Uri, # API Version. [Parameter(Mandatory = $false)] [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'v1.0', # Base URL for Microsoft Graph API. [Parameter(Mandatory = $false)] [uri] $GraphBaseUri = $script:mapMgEnvironmentToMgEndpoint[$script:ConnectState.CloudEnvironment] ) process { if ($Uri.IsAbsoluteUri) { $uriEndpointCount = New-Object System.UriBuilder -ArgumentList $Uri -ErrorAction Stop } else { $uriEndpointCount = New-Object System.UriBuilder -ArgumentList $GraphBaseUri -ErrorAction Stop $uriEndpointCount.Path = ([IO.Path]::Combine($uriEndpointCount.Path, $ApiVersion, $Uri)) } ## Remove $ref from path $uriEndpointCount.Path = $uriEndpointCount.Path -replace '/\$ref$', '' ## Add $count segment to path $uriEndpointCount.Path = ([IO.Path]::Combine($uriEndpointCount.Path, '$count')) ## $count is not supported with $expand parameter so remove it. [hashtable] $QueryParametersUpdated = ConvertFrom-QueryString $uriEndpointCount.Query -AsHashtable if ($QueryParametersUpdated.ContainsKey('$expand')) { $QueryParametersUpdated.Remove('$expand') } $uriEndpointCount.Query = ConvertTo-QueryString $QueryParametersUpdated $MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop [int] $Count = $null try { $Count = Invoke-RestMethod -WebSession $MsGraphSession -UseBasicParsing -Method Get -Uri $uriEndpointCount.Uri -Headers @{ ConsistencyLevel = 'eventual' } -ErrorAction Ignore } catch {} return $Count } } function Get-MsGraphResponseDetail { [CmdletBinding()] param ( # ErrorRecord from exception or batch response object [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [object] $InputObject ) process { $ResponseDetail = [ordered]@{} if ($InputObject -is [System.Management.Automation.ErrorRecord]) { if ($InputObject.Exception.psobject.Properties.Name.Contains('Response')) { ## Get Response Body if ($InputObject.ErrorDetails) { $ResponseDetail['Response'] = '{0} {1} HTTP/{2}' -f $InputObject.Exception.Response.StatusCode.value__, $InputObject.Exception.Response.ReasonPhrase, $InputObject.Exception.Response.Version $ResponseDetail['Content-Type'] = $InputObject.Exception.Response.Content.Headers.ContentType.ToString() $ResponseDetail['Content'] = $InputObject.ErrorDetails.Message } elseif ($InputObject.Exception -is [System.Net.WebException]) { if ($InputObject.Exception.Response) { $ResponseDetail['Response'] = '{0} {1} HTTP/{2}' -f $InputObject.Exception.Response.StatusCode.value__, $InputObject.Exception.Response.StatusDescription, $InputObject.Exception.Response.ProtocolVersion $ResponseDetail['Content-Type'] = $InputObject.Exception.Response.Headers.GetValues('Content-Type') -join '; ' $StreamReader = New-Object System.IO.StreamReader -ArgumentList $InputObject.Exception.Response.GetResponseStream() try { $ResponseDetail['Content'] = $StreamReader.ReadToEnd() } finally { $StreamReader.Close() } } } $ResponseDetail['ContentParsed'] = $null if ($ResponseDetail['Content-Type'] -eq 'application/json') { $ResponseDetail['ContentParsed'] = ConvertFrom-Json $ResponseDetail['Content'] } $ResponseDetail['error-message'] = Get-ObjectPropertyValue $ResponseDetail['ContentParsed'] error message $ResponseDetail['Request'] = '{0} {1}' -f $InputObject.TargetObject.Method, $InputObject.TargetObject.RequestUri.AbsoluteUri if ($InputObject.Exception.Response) { $ResponseDetail['Date'] = $InputObject.Exception.Response.Headers.GetValues('Date')[0] $ResponseDetail['request-id'] = $InputObject.Exception.Response.Headers.GetValues('request-id')[0] $ResponseDetail['client-request-id'] = $InputObject.Exception.Response.Headers.GetValues('client-request-id')[0] try { if ($InputObject.Exception.Response.Headers.GetValues('Retry-After')[0]) { $ResponseDetail['Retry-After'] = $InputObject.Exception.Response.Headers.GetValues('Retry-After')[0] } } catch {} } } } else { $ResponseDetail['Response'] = '{0} {1}' -f $InputObject.status, (Get-ObjectPropertyValue $InputObject body error code) $ResponseDetail['Content-Type'] = Get-ObjectPropertyValue $InputObject headers 'Content-Type' $ResponseDetail['ContentParsed'] = Get-ObjectPropertyValue $InputObject body $ResponseDetail['Content'] = ConvertTo-Json $ResponseDetail['ContentParsed'] -Depth 5 -Compress $ResponseDetail['error-message'] = Get-ObjectPropertyValue $InputObject body error message $ResponseDetail['Date'] = Get-ObjectPropertyValue $InputObject body error innerError 'date' $ResponseDetail['request-id'] = Get-ObjectPropertyValue $InputObject body error innerError 'request-id' $ResponseDetail['client-request-id'] = Get-ObjectPropertyValue $InputObject body error innerError 'client-request-id' if (Get-ObjectPropertyValue $InputObject headers 'Retry-After') { $ResponseDetail['Retry-After'] = Get-ObjectPropertyValue $InputObject headers 'Retry-After' } } Write-Output $ResponseDetail } } #endregion #region Format-Csv.ps1 function Format-Csv { [CmdletBinding()] [OutputType([psobject])] param ( # [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [psobject[]] $InputObjects, # [Parameter(Mandatory = $false)] [string] $ArrayDelimiter = ";" ) begin { function Transform ($InputObject) { if ($InputObject) { if ($InputObject -is [DateTime]) { $InputObject = $InputObject.ToString("o") } elseif ($InputObject -is [Array] -or $InputObject -is [System.Collections.ArrayList]) { for ($i = 0; $i -lt $InputObject.Count; $i++) { $InputObject[$i] = Transform $InputObject[$i] } $InputObject = $InputObject -join $ArrayDelimiter } elseif ($InputObject -is [System.Management.Automation.PSCustomObject]) { return ConvertTo-Json $InputObject } } return $InputObject } } process { foreach ($InputObject in $InputObjects) { $OutputObject = $InputObject.psobject.Copy() foreach ($Property in $OutputObject.psobject.Properties) { if ($Property.Value -is [DateTime] -or $Property.Value -is [Array] -or $Property.Value -is [System.Collections.ArrayList] -or $Property.Value -is [System.Management.Automation.PSCustomObject]) { $Property.Value = Transform $Property.Value } } $OutputObject } } } #endregion #region Format-DataSize.ps1 <# .SYNOPSIS Format data size in bytes to human readable format. .DESCRIPTION .EXAMPLE PS > Format-DataSize 123 Format 123 bytes to "123.0 Bytes". .EXAMPLE PS > Format-DataSize 1234567890 Format 1234567890 bytes to "1.150 GB". .INPUTS System.Int64 .LINK https://github.com/jasoth/Utility.PS #> function Format-DataSize { [CmdletBinding()] [Alias('Format-FileSize')] [OutputType([string])] param ( # [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)] [long] $Bytes ) begin { ## Adapted From: ## https://github.com/PowerShell/PowerShell/blob/80b5df4b7f6e749e34a2363e1ef6cc09f2761c89/src/System.Management.Automation/engine/Utils.cs#L1489 function DisplayHumanReadableFileSize([long] $bytes) { switch ($bytes) { { $_ -lt 1024 -and $_ -ge 0 } { return "{0:0.0} Bytes" -f $bytes } { $_ -lt 1048576 -and $_ -ge 1024 } { return "{0:0.0} KB" -f ($bytes / 1024) } { $_ -lt 1073741824 -and $_ -ge 1048576 } { return "{0:0.0} MB" -f ($bytes / 1048576) } { $_ -lt 1099511627776 -and $_ -ge 1073741824 } { return "{0:0.000} GB" -f ($bytes / 1073741824) } { $_ -lt 1125899906842624 -and $_ -ge 1099511627776 } { return "{0:0.00000} TB" -f ($bytes / 1099511627776) } { $_ -lt 1152921504606847000 -and $_ -ge 1125899906842624 } { return "{0:0.0000000} PB" -f ($bytes / 1125899906842624) } { $_ -ge 1152921504606847000 } { return "{0:0.000000000} EB" -f ($bytes / 1152921504606847000 ) } Default { return "0 Bytes" } } } } process { foreach ($Byte in $Bytes) { DisplayHumanReadableFileSize $Byte } } } #endregion #region Get-AadObjectById.ps1 function Get-AadObjectById { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [Alias('Id')] [string] $ObjectId, # [Parameter(Mandatory = $true)] [Alias('Type')] [ValidateSet('servicePrincipal', 'application', 'user', 'group', 'administrativeUnit')] [string] $ObjectType, # [Parameter(Mandatory = $false)] [Alias('Select')] [string[]] $Properties, # [Parameter(Mandatory = $false)] [psobject] $LookupCache, # [Parameter(Mandatory = $false)] [switch] $UseLookupCacheOnly ) process { if ($LookupCache -and $LookupCache.$ObjectType.ContainsKey($ObjectId)) { return $($LookupCache.$ObjectType)[$ObjectId] } elseif (!$UseLookupCacheOnly) { $Object = Get-MsGraphResults 'directoryObjects' -UniqueId $ObjectId -DisableUniqueIdDeduplication -DisableGetByIdsBatching -Select $Properties if ($LookupCache) { Add-AadObjectToLookupCache $Object -Type $ObjectType -LookupCache $LookupCache } return $Object } } } #endregion #region Get-ObjectPropertyValue.ps1 <# .SYNOPSIS Get object property value. .EXAMPLE PS C:\>$object = New-Object psobject -Property @{ title = 'title value' } PS C:\>$object | Get-ObjectPropertyValue -Property 'title' Get value of object property named title. .EXAMPLE PS C:\>$object = New-Object psobject -Property @{ lvl1 = (New-Object psobject -Property @{ nextLevel = 'lvl2 data' }) } PS C:\>Get-ObjectPropertyValue $object -Property 'lvl1', 'nextLevel' Get value of nested object property named nextLevel. .INPUTS System.Collections.Hashtable System.Management.Automation.PSObject #> function Get-ObjectPropertyValue { [CmdletBinding()] [OutputType([psobject])] param ( # Object containing property values [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [AllowNull()] [psobject] $InputObjects, # Name of property. Specify an array of property names to tranverse nested objects. [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]] $Property ) process { foreach ($InputObject in $InputObjects) { for ($iProperty = 0; $iProperty -lt $Property.Count; $iProperty++) { ## Get property value if ($InputObject -is [hashtable]) { if ($InputObject.ContainsKey($Property[$iProperty])) { $PropertyValue = $InputObject[$Property[$iProperty]] } else { $PropertyValue = $null } } else { $PropertyValue = Select-Object -InputObject $InputObject -ExpandProperty $Property[$iProperty] -ErrorAction Ignore } ## Check for more nested properties if ($iProperty -lt $Property.Count - 1) { $InputObject = $PropertyValue if ($null -eq $InputObject) { break } } else { Write-Output $PropertyValue } } } } } #endregion #region Get-SpreadsheetJson.ps1 <# .SYNOPSIS Reads all the named ranges in a spreadsheet and returns them as a name value pair .EXAMPLE PS C:\>$object = Get-SpreadsheetJson -SpreadsheetFilePath './InterviewQuestions.xlsx' Gets all the named key value pairs in the spreadsheet. .INPUTS string #> function Get-SpreadsheetJson { [CmdletBinding()] [OutputType([psobject])] param ( # Object containing property values [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [AllowNull()] [string] $SpreadsheetFilePath ) process { if(!(Test-Path $SpreadsheetFilePath)){ Write-Error "File not found at $SpreadsheetFilePath" return } $tempFolder = Join-Path (Join-Path ([IO.Path]::GetTempPath()) 'AADAssess') ([guid]::NewGuid()) if (!(Test-Path $tempFolder)) { New-Item $tempFolder -ItemType Directory | Out-Null } #$tempFolder = ".\temp\" #Remove-Item ./temp/ -Recurse -Force # move the excel in temp as zip (to be able to expand it) Copy-Item -Path $SpreadsheetFilePath -Destination (Join-Path $tempFolder "AzureADAssessment-interview-xlsx.zip") Expand-Archive -Path (Join-Path $tempFolder "AzureADAssessment-interview-xlsx.zip") -DestinationPath $tempFolder $wbFilePath = Join-Path (Join-Path $tempFolder 'xl') 'workbook.xml' $sheetFilePath = Join-Path (Join-Path $tempFolder 'xl') 'worksheets' $ssFilePath = Join-Path (Join-Path $tempFolder 'xl') 'sharedStrings.xml' [xml]$xmlWb = Get-Content $wbFilePath [xml]$ss = Get-Content $ssFilePath $xmlWorksheets = @{} $sheetIndex = 1 foreach ($ws in $xmlWb.workbook.sheets.ChildNodes) { $wsFilePath = Join-Path $sheetFilePath "sheet$($sheetIndex).xml" [xml]$xmlWs = Get-Content $wsFilePath $xmlWorksheets[$ws.name] = $xmlWs $sheetIndex = $sheetIndex + 1 } Remove-Item -Path $tempFolder -Recurse -Force #Clean up $nrValues = @{} foreach($nr in $xmlWb.workbook.definedNames.ChildNodes){ $name = $nr.name $range = $nr.InnerText $nrValue = [PSCustomObject]@{ Name = $name Range = $range Value = '' } $nrValues[$name] = $nrValue $rangeValue = $range -Split '!' $sheet = $rangeValue[0].Replace("'", "") $cell = $rangeValue[1] -Replace '\$','' if($xmlWorksheets[$sheet]){ $c = Select-Xml -Xml $xmlWorksheets[$sheet] -XPath "//*[@r='$cell']" $node = Get-ObjectPropertyValue $c 'Node' if($node){ $type = Get-ObjectPropertyValue $node 't' $innerText = $c.Node.InnerText #Write-Host $name $range $c.Node.InnerText $type switch ($type) { 's' { #String format if($innerText -and $ss.sst.si[$innerText]){ $nrValue.Value = $ss.sst.si[$innerText].InnerText } else { #Write-Host "No value in cell: $range" } } Default { # Integer $nrValue.Value = $innerText } } } } else { #Write-Host "Sheet not found: $sheet" } } Write-Output $nrValues } } #endregion #region Import-Config.ps1 <# .SYNOPSIS Import Configuration .EXAMPLE PS C:\>Import-Config Import Configuration .INPUTS System.String #> function Import-Config { [CmdletBinding()] [OutputType([psobject])] param ( # Configuration File Path [Parameter(Mandatory = $false)] [string] $Path = 'config.json' ) ## Initialize if (![IO.Path]::IsPathRooted($Path)) { $AppDataDirectory = Join-Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::ApplicationData)) 'AzureADAssessment' $Path = Join-Path $AppDataDirectory $Path } if (Test-Path $Path) { ## Load from File $ModuleConfigPersistent = Get-Content $Path -Raw | ConvertFrom-Json ## Return Config return $ModuleConfigPersistent } } #endregion #region New-AadReferencedIdCache.ps1 function New-AadReferencedIdCache { [CmdletBinding()] #[OutputType([psobject])] param () [PSCustomObject]@{ user = New-Object 'System.Collections.Generic.HashSet[guid]' group = New-Object 'System.Collections.Generic.HashSet[guid]' application = New-Object 'System.Collections.Generic.HashSet[guid]' servicePrincipal = New-Object 'System.Collections.Generic.HashSet[guid]' appId = New-Object 'System.Collections.Generic.HashSet[guid]' roleGroup = New-Object 'System.Collections.Generic.HashSet[guid]' administrativeUnit = New-Object 'System.Collections.Generic.HashSet[guid]' unknownType = New-Object 'System.Collections.Generic.HashSet[guid]' } } #endregion #region New-AppInsightsTelemetry.ps1 <# .SYNOPSIS Get new telemetry entry. .EXAMPLE PS C:\>New-AppInsightsTelemetry 'AppEvents' Get new entry for AppEvent. .INPUTS System.String #> function New-AppInsightsTelemetry { [CmdletBinding()] [Alias('New-AITelemetry')] [OutputType([hashtable])] param ( # Telemetry Type Name [Parameter(Mandatory = $true)] [ValidateSet('AppDependencies', 'AppEvents', 'AppExceptions', 'AppRequests', 'AppTraces')] [string] $Name, # Instrumentation Key [Parameter(Mandatory = $false)] [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey' ) [hashtable] $mapNameToBaseType = @{ 'AppDependencies' = 'RemoteDependencyData' 'AppEvents' = 'EventData' 'AppExceptions' = 'ExceptionData' 'AppRequests' = 'RequestData' 'AppTraces' = 'MessageData' } ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) { $Operation = $script:AppInsightsRuntimeState.OperationStack.Peek() } else { $Operation = @{ Id = New-Guid Name = $MyInvocation.MyCommand.Name ParentId = $null } } $AppInsightsTelemetry = [ordered]@{ name = $Name time = $null iKey = $InstrumentationKey tags = [ordered]@{ "ai.application.ver" = [string]$MyInvocation.MyCommand.Module.Version "ai.operation.id" = [string]$Operation.Id "ai.operation.name" = [string]$Operation.Name "ai.operation.parentId" = [string]$Operation.ParentId "ai.session.id" = [string]$script:AppInsightsRuntimeState.SessionId "ai.user.id" = [string]$script:AppInsightsState.UserId } data = [ordered]@{ baseType = $mapNameToBaseType[$Name] baseData = [ordered]@{ ver = 2 properties = $null } } } ## Add Prerelease tag to version number if it exists if ($MyInvocation.MyCommand.Module.PrivateData.PSData['Prerelease']) { $AppInsightsTelemetry.tags['ai.application.ver'] = '{0}-{1}' -f $MyInvocation.MyCommand.Module.Version, $MyInvocation.MyCommand.Module.PrivateData.PSData['Prerelease'] } ## Update Time if ($PSVersionTable.PSVersion -ge [version]'7.1') { $AppInsightsTelemetry['time'] = Get-Date -AsUTC -Format 'o' } else { $AppInsightsTelemetry['time'] = [datetime]::UtcNow.ToString('o') } ## Update OS if ($PSVersionTable.PSEdition -eq 'Core') { $AppInsightsTelemetry.tags['ai.device.osVersion'] = $PSVersionTable.OS } else { $AppInsightsTelemetry.tags['ai.device.osVersion'] = ('Microsoft Windows {0}' -f $PSVersionTable.BuildVersion) } ## Add Authenticated MSFT User if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account' 'HomeAccountId' 'TenantId') -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', '536279f6-15cc-45f2-be2d-61e352b51eef', 'cc7d0b33-84c6-4368-a879-2e47139b7b1f')) { $AppInsightsTelemetry.tags['ai.user.authUserId'] = $script:ConnectState.MsGraphToken.Account.HomeAccountId.Identifier } ## Add Default Custom Properties $AppInsightsTelemetry.data.baseData['properties'] = [ordered]@{ Culture = [System.Threading.Thread]::CurrentThread.CurrentCulture.Name PsEdition = $PSVersionTable.PSEdition.ToString() PsVersion = $PSVersionTable.PSVersion.ToString() Ps64BitProcess = [System.Environment]::Is64BitProcess DebugPreference = '{0} ({1})' -f $DebugPreference.ToString(), $DebugPreference.value__ } if ($script:ConnectState.MsGraphToken) { if ($script:ConnectState.MsGraphToken.TenantId) { $AppInsightsTelemetry.data.baseData['properties']['TenantId'] = $script:ConnectState.MsGraphToken.TenantId } else { $AppInsightsTelemetry.data.baseData['properties']['TenantId'] = Expand-JsonWebTokenPayload $script:ConnectState.MsGraphToken.AccessToken | Select-Object -ExpandProperty tid } $AppInsightsTelemetry.data.baseData['properties']['CloudEnvironment'] = $script:ConnectState.CloudEnvironment } return $AppInsightsTelemetry } #endregion #region New-LookupCache.ps1 function New-LookupCache { [CmdletBinding()] #[OutputType([psobject])] param () [PSCustomObject]@{ user = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' userRegistrationDetails = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' group = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' servicePrincipal = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' servicePrincipalAppId = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' application = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' administrativeUnit = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]' } } #endregion #region Remove-Diacritics.ps1 <# .SYNOPSIS Decompose characters to their base character equivilents and remove diacritics. .DESCRIPTION .EXAMPLE PS C:\>Remove-Diacritics 'àáâãäåÀÁÂÃÄÅfi⁵ẛ' Decompose characters to their base character equivilents and remove diacritics. .EXAMPLE PS C:\>Remove-Diacritics 'àáâãäåÀÁÂÃÄÅfi⁵ẛ' -CompatibilityDecomposition Decompose composite characters to their base character equivilents and remove diacritics. .INPUTS System.String .LINK https://github.com/jasoth/Utility.PS #> function Remove-Diacritics { [CmdletBinding()] param ( # String value to transform. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [AllowEmptyString()] [string[]] $InputStrings, # Use compatibility decomposition instead of canonical decomposition which further decomposes composite characters and many formatting distinctions are removed. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [switch] $CompatibilityDecomposition ) process { [System.Text.NormalizationForm] $NormalizationForm = [System.Text.NormalizationForm]::FormD if ($CompatibilityDecomposition) { $NormalizationForm = [System.Text.NormalizationForm]::FormKD } foreach ($InputString in $InputStrings) { $NormalizedString = $InputString.Normalize($NormalizationForm) $OutputString = New-Object System.Text.StringBuilder foreach ($char in $NormalizedString.ToCharArray()) { if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($char) -ne [Globalization.UnicodeCategory]::NonSpacingMark) { [void] $OutputString.Append($char) } } Write-Output $OutputString.ToString() } } } #endregion #region Remove-InvalidFileNameCharacters.ps1 <# .SYNOPSIS Remove invalid filename characters from string. .DESCRIPTION .EXAMPLE PS C:\>Remove-InvalidFileNameCharacters 'à/1\b?2|ć*3<đ>4 ē' Remove invalid filename characters from string. .EXAMPLE PS C:\>Remove-InvalidFileNameCharacters 'à/1\b?2|ć*3<đ>4 ē' -RemoveDiacritics Remove invalid filename characters and diacritics from string. .INPUTS System.String .LINK https://github.com/jasoth/Utility.PS #> function Remove-InvalidFileNameCharacters { [CmdletBinding()] param ( # String value to transform. [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [AllowEmptyString()] [string[]] $InputStrings, # Character used as replacement for invalid characters. Use '' to simply remove. [Parameter(Mandatory = $false)] [string] $ReplacementCharacter = '-', # Replace characters with diacritics to their non-diacritic equivilent. [Parameter(Mandatory = $false)] [switch] $RemoveDiacritics ) process { foreach ($InputString in $InputStrings) { [string] $OutputString = $InputString if ($RemoveDiacritics) { $OutputString = Remove-Diacritics $OutputString -CompatibilityDecomposition } $OutputString = [regex]::Replace($OutputString, ('[{0}]' -f [regex]::Escape([System.IO.Path]::GetInvalidFileNameChars() -join '')), $ReplacementCharacter) Write-Output $OutputString } } } #endregion #region Set-Config.ps1 <# .SYNOPSIS Set Configuration .EXAMPLE PS C:\>Set-Config Set Configuration .INPUTS System.String #> function Set-Config { [CmdletBinding()] #[OutputType([psobject])] param ( # Configuration Object [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # Application Insights Telemetry Disabled [Parameter(Mandatory = $false)] [bool] $AIDisabled, # Application Insights Instrumentation Key [Parameter(Mandatory = $false)] [string] $AIInstrumentationKey, # Application Insights Ingestion Endpoint [Parameter(Mandatory = $false)] [string] $AIIngestionEndpoint, # Variable to output config [Parameter(Mandatory = $false)] [ref] $OutConfig = ([ref]$script:ModuleConfig) ) ## Update local configuration if ($InputObject) { if ($InputObject -is [hashtable]) { $InputObject = [PSCustomObject]$InputObject } foreach ($Property in $InputObject.psobject.Properties) { if ($OutConfig.Value.psobject.Properties.Name -contains $Property.Name) { $OutConfig.Value.($Property.Name) = $Property.Value } else { Write-Warning ('Ignoring invalid configuration property [{0}].' -f $Property.Name) } } } if ($PSBoundParameters.ContainsKey('AIDisabled')) { $OutConfig.Value.'ai.disabled' = $AIDisabled } if ($PSBoundParameters.ContainsKey('AIInstrumentationKey')) { $OutConfig.Value.'ai.instrumentationKey' = $AIInstrumentationKey } if ($PSBoundParameters.ContainsKey('AIIngestionEndpoint')) { $OutConfig.Value.'ai.ingestionEndpoint' = $AIIngestionEndpoint } ## Return updated local configuration #return $OutConfig.Value } #endregion #region Start-AppInsightsRequest.ps1 <# .SYNOPSIS Start Operation and Stopwatch for Application Insights Request. .EXAMPLE PS C:\>Start-AppInsightsRequest $MyInvocation.MyCommand.Name Start Operation and Stopwatch for Application Insights Request. .INPUTS System.String #> function Start-AppInsightsRequest { [CmdletBinding()] [Alias('Start-AIRequest')] param ( # Operation Name [Parameter(Mandatory = $true)] [string] $Name ) ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } $Operation = @{ Id = New-Guid Name = $Name ParentId = $null Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) { $Operation['ParentId'] = $script:AppInsightsRuntimeState.OperationStack.Peek().Id $Operation['Id'] = $script:AppInsightsRuntimeState.OperationStack.Peek().Id # Use the same id as parent } $script:AppInsightsRuntimeState.OperationStack.Push($Operation) Write-AppInsightsTrace "Invoking Command: $Name" -SeverityLevel Information #return $Operation #return New-Object System.Collections.ArrayList } #endregion #region Use-Progress.ps1 <# .SYNOPSIS Display progress bar for processing array of objects. .EXAMPLE PS C:\>Use-Progress -InputObjects @(1..10) -Activity "Processing Parent Objects" -ScriptBlock { $Parent = $args[0] Use-Progress -InputObjects @(1..200) -Activity "Processing Child Objects" -ScriptBlock { $Child = $args[0] Write-Host "Child $Child of Parent $Parent." Start-Sleep -Milliseconds 50 } } Display progress bar for processing array of objects. .INPUTS System.Object[] .LINK Adapted from: https://github.com/jasoth/Utility.PS #> function Use-Progress { [CmdletBinding()] param ( # Array of objects to loop through. [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [psobject[]] $InputObjects, # Specifies the first line of text in the heading above the status bar. This text describes the activity whose progress is being reported. [Parameter(Mandatory = $true)] [string] $Activity, # Total Number of Items [Parameter(Mandatory = $false)] [int] $Total, # Script block to execute for each object in array. [Parameter(Mandatory = $false)] [scriptblock] $ScriptBlock, # Property name to use for current operation [Parameter(Mandatory = $false)] [string] $Property, # Minimum timespan between each progress update. [Parameter(Mandatory = $false)] [timespan] $MinimumUpdateFrequency = (New-TimeSpan -Seconds 1), # Output input objects as they are processed. [Parameter(Mandatory = $false)] [switch] $PassThru, # Write summary to host [Parameter(Mandatory = $false)] [switch] $WriteSummary ) begin { if (!$Total -and $InputObjects) { $Total = $InputObjects.Count } $ProgressState = Start-Progress -Activity $Activity -Total $Total -MinimumUpdateFrequency $MinimumUpdateFrequency } process { try { foreach ($InputObject in $InputObjects) { if ($Property) { $CurrentOperation = $InputObject.$Property } else { $CurrentOperation = $InputObject } Update-Progress $ProgressState -IncrementBy 1 -CurrentOperation $CurrentOperation if ($ScriptBlock) { Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $InputObject } if ($PassThru) { $InputObject } } } catch { Stop-Progress $ProgressState throw } } end { Stop-Progress $ProgressState -WriteSummary:$WriteSummary } } function Start-Progress { [CmdletBinding()] param ( # Specifies the first line of text in the heading above the status bar. This text describes the activity whose progress is being reported. [Parameter(Mandatory = $true)] [string] $Activity, # Total Number of Items [Parameter(Mandatory = $false)] [int] $Total, # Minimum timespan between each progress update. [Parameter(Mandatory = $false)] [timespan] $MinimumUpdateFrequency = (New-TimeSpan -Seconds 1) ) [int] $Id = 0 if (!(Get-Variable stackProgressId -Scope Script -ErrorAction Ignore)) { New-Variable -Name stackProgressId -Scope Script -Value (New-Object System.Collections.Generic.Stack[int]) } while ($stackProgressId.Contains($Id)) { $Id += 1 } [hashtable] $paramWriteProgress = @{ Id = $Id Activity = $Activity } if ($stackProgressId.Count -gt 0) { $paramWriteProgress['ParentId'] = $stackProgressId.Peek() } $stackProgressId.Push($Id) ## Progress Bar [timespan] $TimeElapsed = New-TimeSpan if ($Total) { Write-Progress -Status ("{0:P0} Completed ({1:N0} of {2:N0}) in {3:c}" -f 0, 0, $Total, $TimeElapsed) -PercentComplete 0 @paramWriteProgress } # else { # Write-Progress -Status ("Completed {0} in {1:c}" -f 0, $TimeElapsed) @paramWriteProgress # } [PSCustomObject]@{ WriteProgressParameters = $paramWriteProgress CurrentIteration = 0 Total = $Total MinimumUpdateFrequency = $MinimumUpdateFrequency TimeElapsed = $TimeElapsed Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } } function Update-Progress { [CmdletBinding()] param ( # Progress State Object [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # Number of items being completed [Parameter(Mandatory = $true)] [int] $IncrementBy, # Specifies the line of text below the progress bar. This text describes the operation that is currently taking place. [Parameter(Mandatory = $false)] [string] $CurrentOperation ) if ($InputObject.Total -gt 0 -and $InputObject.CurrentIteration -ge $InputObject.Total) { $InputObject.Total = $InputObject.CurrentIteration + $IncrementBy } [hashtable] $paramWriteProgress = $InputObject.WriteProgressParameters if ($CurrentOperation) { $paramWriteProgress['CurrentOperation'] = $CurrentOperation } ## Progress Bar if ($InputObject.CurrentIteration -eq 0 -or ($InputObject.Stopwatch.Elapsed - $InputObject.TimeElapsed) -gt $InputObject.MinimumUpdateFrequency) { $InputObject.TimeElapsed = $InputObject.Stopwatch.Elapsed if ($InputObject.Total -gt 0) { [int] $SecondsRemaining = -1 $PercentComplete = $InputObject.CurrentIteration / $InputObject.Total $PercentCompleteRoundDown = [System.Math]::Truncate([decimal]($PercentComplete * 100)) if ($PercentComplete -gt 0) { $SecondsRemaining = $InputObject.TimeElapsed.TotalSeconds / $PercentComplete - $InputObject.TimeElapsed.TotalSeconds } Write-Progress -Status ("{0:P0} Completed ({1:N0} of {2:N0}) in {3:c}" -f ($PercentCompleteRoundDown / 100), $InputObject.CurrentIteration, $InputObject.Total, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond)) -PercentComplete $PercentCompleteRoundDown -SecondsRemaining $SecondsRemaining @paramWriteProgress } elseif ($InputObject.TimeElapsed.TotalSeconds -gt 0 -and ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalSeconds) -ge 1) { Write-Progress -Status ("Completed {0:N0} in {1:c} ({2:N0}/sec)" -f $InputObject.CurrentIteration, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond), ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalSeconds)) @paramWriteProgress } elseif ($InputObject.TimeElapsed.TotalMinutes -gt 0 -and ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalMinutes) -ge 1) { Write-Progress -Status ("Completed {0:N0} in {1:c} ({2:N0}/min)" -f $InputObject.CurrentIteration, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond), ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalMinutes)) @paramWriteProgress } else { Write-Progress -Status ("Completed {0:N0} in {1:c}" -f $InputObject.CurrentIteration, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond)) @paramWriteProgress } } $InputObject.CurrentIteration += $IncrementBy } function Stop-Progress { [CmdletBinding()] param ( # Progress State Object [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # Write summary to host [Parameter(Mandatory = $false)] [switch] $WriteSummary ) if ($InputObject -and $InputObject.Stopwatch.IsRunning) { [void] $script:stackProgressId.Pop() $InputObject.Stopwatch.Stop() [hashtable] $paramWriteProgress = $InputObject.WriteProgressParameters Write-Progress -Completed @paramWriteProgress if ($WriteSummary) { $Completed = if ($InputObject.Total -gt 0) { $InputObject.Total } else { $InputObject.CurrentIteration } Write-Host ("{2}: Completed {0:N0} in {1:c}" -f $Completed, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond), $InputObject.WriteProgressParameters.Activity) } } } #endregion #region Write-AppInsightsDependency.ps1 <# .SYNOPSIS Write Dependency to Application Insights. .EXAMPLE PS C:\>Write-AppInsightsDependency Write Dependency to Application Insights. .INPUTS System.String #> function Write-AppInsightsDependency { [CmdletBinding()] [Alias('Write-AIDependency')] param ( # Dependency Name [Parameter(Mandatory = $true)] [string] $Name, # Dependency Type Name [Parameter(Mandatory = $false)] [string] $Type, # Dependency Data [Parameter(Mandatory = $true)] [string] $Data, # Dependency Start Time [Parameter(Mandatory = $false)] [datetime] $StartTime, # Dependency Duration [Parameter(Mandatory = $true)] [timespan] $Duration, # Dependency Result [Parameter(Mandatory = $true)] [bool] $Success, # Custom Properties [Parameter(Mandatory = $false)] [hashtable] $Properties, # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' } [Parameter(Mandatory = $false)] [System.Collections.Specialized.OrderedDictionary] $OrderedProperties, # Instrumentation Key [Parameter(Mandatory = $false)] [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey', # Ingestion Endpoint [Parameter(Mandatory = $false)] [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint' ) ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } ## Initialize Parameters if (!$StartTime) { $StartTime = (Get-Date).Subtract($Duration) } Set-Variable 'MaxDataLength' -Value (8 * 1024) -Option Constant ## Get New Telemetry Entry $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppDependencies' -InstrumentationKey $InstrumentationKey ## Update Telemetry Data $AppInsightsTelemetry['time'] = $StartTime.ToUniversalTime().ToString('o') if ($Type) { $AppInsightsTelemetry.data.baseData['type'] = $Type } $AppInsightsTelemetry.data.baseData['name'] = $Name $AppInsightsTelemetry.data.baseData['data'] = $Data $AppInsightsTelemetry.data.baseData['duration'] = $Duration.ToString() $AppInsightsTelemetry.data.baseData['success'] = $Success if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties } if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties } if ($AppInsightsTelemetry.data.baseData['data'].Length -gt $MaxDataLength) { $AppInsightsTelemetry.data.baseData['data'].Substring(0, $MaxDataLength) } ## Write Data to Application Insights Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3) try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorAction SilentlyContinue } catch {} } #endregion #region Write-AppInsightsEvent.ps1 <# .SYNOPSIS Write Custom Event to Application Insights. .EXAMPLE PS C:\>Write-AppInsightsEvent 'EventName' Write Custom Event to Application Insights. .INPUTS System.String #> function Write-AppInsightsEvent { [CmdletBinding()] [Alias('Write-AIEvent')] param ( # Event Name [Parameter(Mandatory = $true)] [string] $Name, # Custom Properties [Parameter(Mandatory = $false)] [hashtable] $Properties, # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' } [Parameter(Mandatory = $false)] [System.Collections.Specialized.OrderedDictionary] $OrderedProperties, # Override Default Custom Properties [Parameter(Mandatory = $false)] [switch] $OverrideProperties, # Instrumentation Key [Parameter(Mandatory = $false)] [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey', # Ingestion Endpoint [Parameter(Mandatory = $false)] [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint' ) ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } ## Get New Telemetry Entry $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppEvents' -InstrumentationKey $InstrumentationKey ## Update Telemetry Data $AppInsightsTelemetry.data.baseData['name'] = $Name if ($OverrideProperties) { $AppInsightsTelemetry.data.baseData['properties'] = @{} } if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties } if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties } ## Write Data to Application Insights Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3) try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorVariable SilentlyContinue } catch {} } #endregion #region Write-AppInsightsException.ps1 <# .SYNOPSIS Write Exception to Application Insights. .EXAMPLE PS C:\>Write-AppInsightsEvent $exception Write Exception to Application Insights. .INPUTS System.Exception #> function Write-AppInsightsException { [CmdletBinding()] [Alias('Write-AIException')] param ( # Exceptions [Parameter(Mandatory = $true, ParameterSetName = 'Exception', Position = 1)] [Exception[]] $Exception, # ErrorRecords [Parameter(Mandatory = $true, ParameterSetName = 'ErrorRecord', Position = 1)] [System.Management.Automation.ErrorRecord[]] $ErrorRecord, # Severity Level [Parameter(Mandatory = $false)] [ValidateSet('Verbose', 'Information', 'Warning', 'Error', 'Critical')] [string] $SeverityLevel, # Custom Properties [Parameter(Mandatory = $false)] [hashtable] $Properties, # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' } [Parameter(Mandatory = $false)] [System.Collections.Specialized.OrderedDictionary] $OrderedProperties, # Include process processor and memory usage statistics. [Parameter(Mandatory = $false)] [switch] $IncludeProcessStatistics, # Instrumentation Key [Parameter(Mandatory = $false)] [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey', # Ingestion Endpoint [Parameter(Mandatory = $false)] [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint' ) begin { ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } ## Application Insights Exception Helper Functions # https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L9 Set-Variable MaxParsedStackLength -Value 32768 -Option Constant <# .SYNOPSIS Convert Exceptions Tree to ExceptionDetails .LINK https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/DataContracts/ExceptionTelemetry.cs#L386 #> function ConvertExceptionTree ([Exception] $exception, [hashtable] $parentExceptionDetails, [System.Collections.Generic.List[hashtable]] $exceptions) { if ($null -eq $exception) { $exception = New-Object Exception -ArgumentList 'n/a' } [hashtable] $exceptionDetails = ConvertToExceptionDetails $exception $parentExceptionDetails ## For upper level exception see if Message was provided and do not use exceptiom.message in that case #if ($null -eq $parentExceptionDetails -and ![string]::IsNullOrWhiteSpace($this.Message)) { # $exceptionDetails.message = $this.Message #} $exceptions.Add($exceptionDetails) [AggregateException] $aggregate = $exception -as [AggregateException] if ($null -ne $aggregate) { foreach ($inner in $aggregate.InnerExceptions) { ConvertExceptionTree $inner $exceptionDetails $exceptions } } elseif ($null -ne $exception.InnerException) { ConvertExceptionTree $exception.InnerException $exceptionDetails $exceptions } } <# .SYNOPSIS Converts a Exception to a Microsoft.ApplicationInsights.Extensibility.Implementation.TelemetryTypes.ExceptionDetails. .LINK https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L14 #> function ConvertToExceptionDetails ([Exception]$exception, [hashtable]$parentExceptionDetails) { [hashtable] $exceptionDetails = CreateWithoutStackInfo $exception $parentExceptionDetails $stack = New-Object System.Diagnostics.StackTrace -ArgumentList $Exception, $true $frames = $stack.GetFrames() $sanitizedTuple = SanitizeStackFrame $frames $exceptionDetails['parsedStack'] = $sanitizedTuple[0] $exceptionDetails['hasFullStack'] = $sanitizedTuple[1] return $exceptionDetails } <# .SYNOPSIS Creates a new instance of ExceptionDetails from a Exception and a parent ExceptionDetails. .LINK https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/External/ExceptionDetailsImplementation.cs#L13 #> function CreateWithoutStackInfo ([Exception]$exception, [hashtable]$parentExceptionDetails) { if ($null -eq $exception) { throw (New-Object ArgumentNullException -ArgumentList $exception.GetType().Name) } [hashtable] $exceptionDetails = [ordered]@{ id = $exception.GetHashCode() typeName = $exception.GetType().FullName message = $exception.Message } if ($null -ne $parentExceptionDetails) { $exceptionDetails.outerId = $parentExceptionDetails.id } return $exceptionDetails } <# .SYNOPSIS Sanitizing stack to 32k while selecting the initial and end stack trace. .LINK https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L93 #> function SanitizeStackFrame ([System.Diagnostics.StackFrame[]]$inputList) { [System.Collections.Generic.List[hashtable]] $orderedStackTrace = New-Object System.Collections.Generic.List[hashtable] [bool] $hasFullStack = $true if ($null -ne $inputList -and $inputList.Count -gt 0) { [int] $currentParsedStackLength = 0 for ($level = 0; $level -lt $inputList.Count; $level++) { ## Skip middle part of the stack [int] $current = if ($level % 2 -eq 0) { ($inputList.Count - 1 - ($level / 2)) } else { ($level / 2) } [hashtable] $convertedStackFrame = GetStackFrame $inputList[$current] $current $currentParsedStackLength += GetStackFrameLength $convertedStackFrame if ($currentParsedStackLength -gt $MaxParsedStackLength) { $hasFullStack = $false break } $orderedStackTrace.Insert($orderedStackTrace.Count / 2, $convertedStackFrame) } } return $orderedStackTrace, $hasFullStack } <# .SYNOPSIS Converts a System.Diagnostics.StackFrame to a Microsoft.ApplicationInsights.Extensibility.Implementation.TelemetryTypes.StackFrame. .LINK https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L36 #> function GetStackFrame ([System.Diagnostics.StackFrame]$stackFrame, [int]$frameId) { [hashtable] $convertedStackFrame = [ordered]@{ level = $frameId } $methodInfo = $stackFrame.GetMethod() [string] $fullName = $null [string] $assemblyName = $null if ($null -eq $methodInfo) { $fullName = "unknown" $assemblyName = "unknown" } else { $assemblyName = $methodInfo.Module.Assembly.FullName if ($null -ne $methodInfo.DeclaringType) { $fullName = $methodInfo.DeclaringType.FullName + "." + $methodInfo.Name } else { $fullName = $methodInfo.Name } } $convertedStackFrame['method'] = $fullName $convertedStackFrame['assembly'] = $assemblyName $convertedStackFrame['fileName'] = $stackFrame.GetFileName() ## 0 means it is unavailable [int] $line = $stackFrame.GetFileLineNumber() if ($line -ne 0) { $convertedStackFrame['line'] = $line } return $convertedStackFrame } <# .SYNOPSIS Gets the stack frame length for only the strings in the stack frame. .LINK https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L82 #> function GetStackFrameLength ([hashtable]$stackFrame) { [int] $stackFrameLength = if ($null -eq $stackFrame.method) { 0 } else { $stackFrame.method.Length } $stackFrameLength += if ($null -eq $stackFrame.assembly) { 0 } else { $stackFrame.assembly.Length } $stackFrameLength += if ($null -eq $stackFrame.fileName) { 0 } else { $stackFrame.fileName.Length } return $stackFrameLength } } process { ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } switch ($PSCmdlet.ParameterSetName) { 'Exception' { $InputObjects = $Exception break } 'ErrorRecord' { $InputObjects = $ErrorRecord break } } foreach ($InputObject in $InputObjects) { ## Get New Telemetry Entry $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppExceptions' -InstrumentationKey $InstrumentationKey ## Determine ErrorRecord from Exception input [Exception] $InputException = $null if ($InputObject -is [System.Management.Automation.ErrorRecord]) { $InputException = $InputObject.Exception $AppInsightsTelemetry.data.baseData['properties']['ScriptStackTrace'] = $InputObject.ScriptStackTrace.Replace($MyInvocation.MyCommand.Module.ModuleBase,'') } elseif ($InputObject -is [System.Management.Automation.ErrorRecord]) { $InputException = $InputObject } if ($InputException) { ## Get Exception Details [System.Collections.Generic.List[hashtable]] $exceptions = New-Object System.Collections.Generic.List[hashtable] ConvertExceptionTree $InputException $null $exceptions $AppInsightsTelemetry.data.baseData['exceptions'] = $exceptions } ## Update Telemetry Data if ($SeverityLevel) { $AppInsightsTelemetry.data.baseData['severityLevel'] = $SeverityLevel } if ($IncludeProcessStatistics) { $PsProcess = Get-Process -PID $PID $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTime'] = $PsProcess.TotalProcessorTime.ToString() $AppInsightsTelemetry.data.baseData['properties']['VirtualMemorySize'] = Format-DataSize $PsProcess.VM $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemorySize'] = Format-DataSize $PsProcess.WS $AppInsightsTelemetry.data.baseData['properties']['PagedMemorySize'] = Format-DataSize $PsProcess.PM $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemorySize'] = Format-DataSize $PsProcess.NPM $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemorySize'] = Format-DataSize $PsProcess.PeakVirtualMemorySize64 $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemorySize'] = Format-DataSize $PsProcess.PeakWorkingSet64 $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemorySize'] = Format-DataSize $PsProcess.PeakPagedMemorySize64 $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTimeInSeconds'] = $PsProcess.CPU $AppInsightsTelemetry.data.baseData['properties']['VirtualMemoryInBytes'] = $PsProcess.VM $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemoryInBytes'] = $PsProcess.WS $AppInsightsTelemetry.data.baseData['properties']['PagedMemoryInBytes'] = $PsProcess.PM $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemoryInBytes'] = $PsProcess.NPM $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemoryInBytes'] = $PsProcess.PeakVirtualMemorySize64 $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemoryInBytes'] = $PsProcess.PeakWorkingSet64 $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemoryInBytes'] = $PsProcess.PeakPagedMemorySize64 } if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties } if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties } ## Write Data to Application Insights Write-Debug (([PSCustomObject]$AppInsightsTelemetry) | ConvertTo-Json -Depth 6) try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 6 -Compress) -Verbose:$false -ErrorAction SilentlyContinue } catch {} } } } #endregion #region Write-AppInsightsRequest.ps1 <# .SYNOPSIS Write Request to Application Insights. .EXAMPLE PS C:\>Write-AppInsightsRequest Write Request to Application Insights. .INPUTS System.String #> function Write-AppInsightsRequest { [CmdletBinding()] [Alias('Write-AIRequest')] param ( # Request Name [Parameter(Mandatory = $true)] [string] $Name, # Request Start Time [Parameter(Mandatory = $false)] [datetime] $StartTime, # Request Duration [Parameter(Mandatory = $true)] [timespan] $Duration, # Request Response Code [Parameter(Mandatory = $false)] [string] $responseCode, # Request Result [Parameter(Mandatory = $true)] [bool] $Success, # Custom Properties [Parameter(Mandatory = $false)] [hashtable] $Properties, # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' } [Parameter(Mandatory = $false)] [System.Collections.Specialized.OrderedDictionary] $OrderedProperties, # Instrumentation Key [Parameter(Mandatory = $false)] [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey', # Ingestion Endpoint [Parameter(Mandatory = $false)] [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint' ) ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } ## Initialize Parameters if (!$StartTime) { $StartTime = (Get-Date).Subtract($Duration) } ## Get New Telemetry Entry $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppRequests' -InstrumentationKey $InstrumentationKey ## Update Telemetry Data $AppInsightsTelemetry['time'] = $StartTime.ToUniversalTime().ToString('o') $AppInsightsTelemetry.data.baseData['id'] = (New-Guid).ToString() $AppInsightsTelemetry.data.baseData['name'] = $Name $AppInsightsTelemetry.data.baseData['responseCode'] = if ($Success) { 'Success' } else { 'Failure' } $AppInsightsTelemetry.data.baseData['duration'] = $Duration.ToString() $AppInsightsTelemetry.data.baseData['success'] = $Success if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties } if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties } ## Write Data to Application Insights Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3) try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorAction SilentlyContinue } catch {} } #endregion #region Write-AppInsightsTrace.ps1 <# .SYNOPSIS Write Trace Message to Application Insights. .EXAMPLE PS C:\>Write-AppInsightsEvent 'Message' Write Trace Message to Application Insights. .INPUTS System.String #> function Write-AppInsightsTrace { [CmdletBinding()] [Alias('Write-AITrace')] param ( # Event Name [Parameter(Mandatory = $true)] [string] $Message, # Severity Level [Parameter(Mandatory = $false)] [ValidateSet('Verbose', 'Information', 'Warning', 'Error', 'Critical')] [string] $SeverityLevel, # Custom Properties [Parameter(Mandatory = $false)] [hashtable] $Properties, # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' } [Parameter(Mandatory = $false)] [System.Collections.Specialized.OrderedDictionary] $OrderedProperties, # Include process processor and memory usage statistics. [Parameter(Mandatory = $false)] [switch] $IncludeProcessStatistics, # Instrumentation Key [Parameter(Mandatory = $false)] [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey', # Ingestion Endpoint [Parameter(Mandatory = $false)] [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint' ) ## Return Immediately when Telemetry is Disabled if ($script:ModuleConfig.'ai.disabled') { return } ## Get New Telemetry Entry $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppTraces' -InstrumentationKey $InstrumentationKey ## Update Telemetry Data $AppInsightsTelemetry.data.baseData['message'] = $Message if ($SeverityLevel) { $AppInsightsTelemetry.data.baseData['severityLevel'] = $SeverityLevel } if ($IncludeProcessStatistics) { $PsProcess = Get-Process -PID $PID $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTime'] = $PsProcess.TotalProcessorTime.ToString() $AppInsightsTelemetry.data.baseData['properties']['VirtualMemorySize'] = Format-DataSize $PsProcess.VM $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemorySize'] = Format-DataSize $PsProcess.WS $AppInsightsTelemetry.data.baseData['properties']['PagedMemorySize'] = Format-DataSize $PsProcess.PM $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemorySize'] = Format-DataSize $PsProcess.NPM $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemorySize'] = Format-DataSize $PsProcess.PeakVirtualMemorySize64 $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemorySize'] = Format-DataSize $PsProcess.PeakWorkingSet64 $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemorySize'] = Format-DataSize $PsProcess.PeakPagedMemorySize64 $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTimeInSeconds'] = $PsProcess.CPU $AppInsightsTelemetry.data.baseData['properties']['VirtualMemoryInBytes'] = $PsProcess.VM $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemoryInBytes'] = $PsProcess.WS $AppInsightsTelemetry.data.baseData['properties']['PagedMemoryInBytes'] = $PsProcess.PM $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemoryInBytes'] = $PsProcess.NPM $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemoryInBytes'] = $PsProcess.PeakVirtualMemorySize64 $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemoryInBytes'] = $PsProcess.PeakWorkingSet64 $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemoryInBytes'] = $PsProcess.PeakPagedMemorySize64 } if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties } if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties } ## Write Data to Application Insights Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3) try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorAction SilentlyContinue } catch {} } #endregion #region Write-RecommendationsReport.ps1 function Write-RecommendationsReport($data, $recommendationsList) { $html = @' <head><title>Azure AD Assessment - Recommendations</title></head> <script type="module" src="https://cdn.jsdelivr.net/gh/zerodevx/zero-md@1/src/zero-md.min.js"></script> <zero-md> <script type="text/markdown"> @@MARKDOWN@@ </script> </zero-md> '@ $qna = $data['QnA.json'] $md = "# Azure AD Assessment - Recommendations`n" $md += " | | |`n" $md += " | --- | --- |`n" $md += " |**Organization Name**|$(Get-ObjectPropertyValue $qna['AD_OrgName'] 'value')|`n" $md += " |**Tenant ID**|$(Get-ObjectPropertyValue $qna['AD_TenantId'] 'value')|`n" $md += " |**Organization Primary Contact**|$(Get-ObjectPropertyValue $qna['AD_OrgPrimaryContact'] 'value')|`n" $md += " |**Assessment Carried Out By**|$(Get-ObjectPropertyValue $qna['AD_AssessorName'] 'value')|`n" $md += " |**Assessment Date**|$(Get-ObjectPropertyValue $qna['AD_AssessmentDate'] 'value')|`n" $md += "## Assessment Summary`n" $md += "The table below lists a summary of the findings for this tenant.`n" $md += Get-PrioritySummaryTable $recommendationsList $md += "`n## Assessment Details`n" $md += "Click on the name of the check to learn more about the finding and how you can remediate the issue.`n`n" $md += "`n |**Category**|**Area**|**Name**|**Status**|`n" $md += " | --- | --- | --- | --- |`n" $recommendationsList = $recommendationsList | Sort-Object SortOrder,Category,Area,ID,Name foreach ($reco in $recommendationsList) { $md += " | $($reco.Category) | $($reco.Area) | [$(Get-RecoTitle $reco)](#$(Get-RecoTitleLink $reco)) | $(Get-PriorityIcon($reco)) $($reco.Priority) |`n" } $md += @' ## Overview This document describes the checks performed during the Azure Active Directory (Azure AD) Configuration Assessment workshop around the following Identity and Access Management (IAM) areas: - **Identity Management:** Ability to manage the lifecycle of identities and their entitlements - **Access Management:** Ability to manage credentials, define authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture - **Governance:** Ability to assess and attest the access granted non-privileged and privileged identities, audit and control changes to the environment - **Operations:** Optimize the operations Azure Active Directory (Azure AD) Each category is divided into different checks. Then, each check defines some recommendations as follows: - **🟥 P0:** Implement as soon as possible. This typically indicates a security risk - **🟧 P1:** Implement over the next 30 days. This typically indicates an operational gap - **🟨 P2:** Implement over the next 60 days. This typically indicates optimization in the current operation to make better use of Azure AD provided capabilities - **🟦 P3:** Implement after 60+ days. This is a cleanup, streamlining recommendation. Each check may contain several forms of results: - **Summaries:** Notable findings illustrating the current state of the environment being assessed. - **Recommendations** : Actionable items that improve the alignment of the environment with Microsoft's best practices. - **Data Reports** : Reports based on data elements retrieved directly from the environment. Some checks might not be applicable at the time of the assessment due to customers' environment (e.g. AD FS best practices might not apply if customer uses password hash sync). Please be aware of the following disclaimers - The recommendations in this document are current as of the date of this engagement. This changes constantly, and customers should be continuously evaluating their IAM practices as Microsoft products and services evolve over time - The recommendations are based on the data provided during the interview, and telemetry. - The recommendations cover several IAM areas, but there is not meant to be taken as of absolute coverage '@ foreach ($reco in $recommendationsList) { $md += "`n`n[⤴️ Back To Summary](#assessment-summary)`n" $md += "## $(Get-RecoTitle $reco)`n" $md += "### Priority → $(Get-PriorityIcon($reco)) $($reco.Priority)`n" $md += "> $($reco.Category) > $($reco.Area)`n`n" $md += "### Summary`n" $md += "$($reco.Summary)`n" $md += "### Recommendation`n" $md += "$($reco.Recommendation)`n" $md += "`n" if($null -ne $reco.Data -and ((Get-ObjectPropertyValue $reco.Data 'Length') -and $reco.Data.Length -gt 0)){ $md += "`n |" $hr = "`n |" foreach($prop in $reco.Data[0].PsObject.Properties){ $md += "$($prop.Name)|" $hr += " --- |" } $md += $hr foreach ($item in $reco.Data) { $md += "`n |" foreach($prop in $item.PsObject.Properties){ $md += "$($prop.Value)|" } } } $md += "`n`n" } $md += "`n`n" $html = $html.Replace("@@MARKDOWN@@", $md) $htmlReportPath = Join-Path $OutputDirectory "AssessmentReport.html" #Set-Content -Path $htmlReportPath -Value $html $Utf8BomEncoding = New-Object System.Text.UTF8Encoding $true [System.IO.File]::WriteAllLines($htmlReportPath, $html, $Utf8BomEncoding) try { Invoke-Item $htmlReportPath -ErrorAction SilentlyContinue } catch {} } function Get-RecoTitle($reco){ return "$($reco.ID) - $($reco.Name)" } function Get-RecoTitleLink($reco){ $title = Get-RecoTitle $reco return $title.ToLower().Replace(" ", "-").Replace('"', '') } function Set-SortOrder($reco){ $priority = Get-ObjectPropertyValue $reco 'Priority' switch ($priority) { 'N/A' { $reco.SortOrder = 20 } # Show last 'Passed' { $reco.SortOrder = 10 } 'P0' { $reco.SortOrder = 0 } 'P1' { $reco.SortOrder = 1 } 'P2' { $reco.SortOrder = 2 } 'P3' { $reco.SortOrder = 3 } Default { $reco.SortOrder = 7 } } } function Get-PriorityIcon($reco){ $priority = Get-ObjectPropertyValue $reco 'Priority' return Get-IconForPriority $priority } function Get-IconForPriority($priority){ switch ($priority) { 'Passed' { $icon = "✅" } 'P0' { $icon = "🟥" } 'P1' { $icon = "🟧" } 'P2' { $icon = "🟨" } 'P3' { $icon = "🟦" } 'Not Answered' { $icon = "❓" } 'N/A' { $icon = "" } Default { $icon = "🟪" } } return $icon } function Get-PrioritySummaryTable { param ( $recommendationsList ) $summary = $recommendationsList.Priority | Group-Object -NoElement | Select-Object Name, Count $p0 = 0; $p1 = 0; $p2 = 0; $p3 = 0; $passed = 0 foreach ($item in $summary) { switch ($item.Name) { 'P0' { $p0 = $item.Count } 'P1' { $p1 = $item.Count } 'P2' { $p2 = $item.Count } 'P3' { $p3 = $item.Count } 'Passed' { $passed = $item.Count } Default {} } } $md = "`n`n | $(Get-IconForPriority 'P0') P0 | $(Get-IconForPriority 'P1') P1 | $(Get-IconForPriority 'P2') P2 | $(Get-IconForPriority 'P3') P3 | $(Get-IconForPriority 'Passed') Passed |" foreach ($item in $summary) { if($item.Name -notin 'P0', 'P1', 'P2', 'P3', 'Passed', 'N/A' ){ $md += " $(Get-IconForPriority $item.Name) $($item.Name) | " } } $md += "`n | :-: | :-: | :-: | :-: | :-: |" foreach ($item in $summary) { if($item.Name -notin 'P0', 'P1', 'P2', 'P3', 'Passed', 'N/A' ){ $md += " :-: |" } } $md += "`n | $($p0) | $($p1) | $($p2) | $($p3) | $($passed) |" foreach ($item in $summary) { if($item.Name -notin 'P0', 'P1', 'P2', 'P3', 'Passed', 'N/A' ){ $md += "$($item.Count) | " } } return $md } #endregion #region Complete-AADAssessmentReports.ps1 <# .SYNOPSIS Produces the Azure AD Configuration reports required by the Azure AD assesment .DESCRIPTION This cmdlet reads the configuration information from the target Azure AD Tenant and produces the output files in a target directory .EXAMPLE PS C:\> Complete-AADAssessmentReports Expand assessment data and reports to "C:\AzureADAssessment". .EXAMPLE PS C:\> Complete-AADAssessmentReports -OutputDirectory "C:\Temp" Expand assessment data and reports to "C:\Temp". #> function Complete-AADAssessmentReports { [CmdletBinding()] param ( # Specifies a path [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [string] $Path, # Full path of the directory where the output files will be copied. [Parameter(Mandatory = $false)] [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'), # Skip copying data and PowerBI dashboards to "C:\AzureADAssessment\PowerBI" [Parameter(Mandatory = $false)] [switch] $SkipPowerBIWorkingDirectory, # Includes the new recommendations report in the output [Parameter(Mandatory = $false)] [switch] $IncludeRecommendations, # Path to the spreadsheet with the interview answers [Parameter(Mandatory = $false)] [string] $InterviewSpreadsheetPath ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { ## Return Immediately when Telemetry is Disabled if(!($script:ModuleConfig.'ai.disabled')) { if (!$script:ConnectState.MsGraphToken) { #Connect-AADAssessment if (!$script:ConnectState.ClientApplication) { $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $script:ModuleConfig.'aad.clientId' -ErrorAction Stop $script:ConnectState.CloudEnvironment = 'Global' } $CorrelationId = New-Guid if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) { $CorrelationId = $script:AppInsightsRuntimeState.OperationStack.Peek().Id } ## Authenticate with Lightweight Consent $script:ConnectState.MsGraphToken = Get-MsalToken -PublicClientApplication $script:ConnectState.ClientApplication -Scopes 'openid' -UseEmbeddedWebView:$true -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop } } if ($MyInvocation.CommandOrigin -eq 'Runspace') { ## Reset Parent Progress Bar New-Variable -Name stackProgressId -Scope Script -Value (New-Object 'System.Collections.Generic.Stack[int]') -ErrorAction SilentlyContinue $stackProgressId.Clear() $stackProgressId.Push(0) } ## Initalize Directory Paths #$OutputDirectory = Join-Path (Split-Path $Path) ([IO.Path]::GetFileNameWithoutExtension($Path)) #$OutputDirectory = Join-Path $OutputDirectory "AzureADAssessment" $OutputDirectoryData = Join-Path $OutputDirectory ([IO.Path]::GetFileNameWithoutExtension($Path)) $AssessmentDetailPath = Join-Path $OutputDirectoryData "AzureADAssessment.json" ## Expand Data Package Write-Progress -Id 0 -Activity 'Microsoft Azure AD Assessment Complete Reports' -Status 'Expand Data' -PercentComplete 0 # Remove destination before extract if (Test-Path -Path $OutputDirectoryData) { Remove-Item $OutputDirectoryData -Recurse -Force } # Extract content #Expand-Archive $Path -DestinationPath $OutputDirectoryData -Force -ErrorAction Stop [System.IO.Compression.ZipFile]::ExtractToDirectory($Path,$OutputDirectoryData) $AssessmentDetail = Get-Content $AssessmentDetailPath -Raw | ConvertFrom-Json #Check for DataFiles $OutputDirectoryAAD = Join-Path $OutputDirectoryData 'AAD-*' -Resolve -ErrorAction Stop [array] $DataFiles = Get-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml" $SkippedReportOutput = $DataFiles -and $DataFiles.Count -ge 8 ## Check the provided archive $archiveState = Test-AADAssessmentPackage -Path $Path -SkippedReportOutput $SkippedReportOutput if (!$archiveState) { Write-Warning "The provided package is incomplete. Please review how data was collected and any related errors" Write-Warning "If reporting has been skipped this command will generate the reports" } # Check assessment version $moduleVersion = $MyInvocation.MyCommand.Module.Version [System.Version]$packageVersion = $AssessmentDetail.AssessmentVersion if ($packageVersion.Build -eq -1) { Write-Warning "The package was not generate with a module installed from the PowerShell Gallery" Write-Warning "Please install the module from the gallery to generate the package:" Write-Warning "PS > Install-Module -Name AzureADAssessment" } elseif ($moduleVersion.Build -eq -1) { Write-Warning "The Azure AD Assessment module was not installed from the PowerShell Gallery" Write-Warning "Please install the module from the gallery to complete the assessment:" Write-Warning "PS > Install-Module -Name AzureADAssessment" } elseif ($moduleVersion -ne $packageVersion) { Write-Warning "The module version differs from the provided package and the Assessment module version used to run the complete command" Write-Warning "Please use the same module version to generate the package and complete the assessment" Write-Warning "" Write-Warning "package version: $packageVersion" Write-Warning "module version: $moduleVersion" Write-Warning "" Write-Warning "To install a specific version of the module:" Write-Warning "PS > Remove-Module -Name AzureADAssessment" Write-Warning "PS > Install-Module -Name AzureADAssessment -RequiredVersion $packageVersion" Write-Warning "PS > Import-Module -Name AzureADAssessment -RequiredVersion $packageVersion" } ## Load Data Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Load Data' -PercentComplete 10 ## Generate Reports if ($SkippedReportOutput) { Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Output Report Data' -PercentComplete 20 Export-AADAssessmentReportData -SourceDirectory $OutputDirectoryAAD -OutputDirectory $OutputDirectoryAAD Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml" -ErrorAction Ignore } ## Generate Recommendations if($IncludeRecommendations) { Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Generating Recommendations' -PercentComplete 30 New-AADAssessmentRecommendations -Path $OutputDirectory -OutputDirectory $OutputDirectory -InterviewSpreadsheetPath $InterviewSpreadsheetPath -SkipExpand } ## Report Complete Write-AppInsightsEvent 'AAD Assessment Report Generation Complete' -OverrideProperties -Properties @{ AssessmentId = $AssessmentDetail.AssessmentId AssessmentVersion = $AssessmentDetail.AssessmentVersion AssessmentTenantId = $AssessmentDetail.AssessmentTenantId AssessorTenantId = if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account') -and $script:ConnectState.MsGraphToken.Account) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId } else { if (Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'AccessToken') { Expand-JsonWebTokenPayload $script:ConnectState.MsGraphToken.AccessToken | Select-Object -ExpandProperty tid } } AssessorUserId = if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account') -and $script:ConnectState.MsGraphToken.Account -and $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', 'cc7d0b33-84c6-4368-a879-2e47139b7b1f')) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.ObjectId } } ## Rename #Rename-Item $OutputDirectoryData -NewName $AssessmentDetail.AssessmentTenantDomain -Force #$OutputDirectoryData = Join-Path $OutputDirectory $AssessmentDetail.AssessmentTenantDomain ## Download Additional Tools Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Download Reporting Tools' -PercentComplete 80 $AdfsAadMigrationModulePath = Join-Path $OutputDirectoryData 'ADFSAADMigrationUtils.psm1' Invoke-WebRequest -Uri $script:ModuleConfig.'tool.ADFSAADMigrationUtilsUri' -UseBasicParsing -OutFile $AdfsAadMigrationModulePath ## Download PowerBI Dashboards $PBITemplateAssessmentPath = Join-Path $OutputDirectoryData 'AzureADAssessment.pbit' Invoke-WebRequest -Uri $script:ModuleConfig.'pbi.assessmentTemplateUri' -UseBasicParsing -OutFile $PBITemplateAssessmentPath $PBITemplateConditionalAccessPath = Join-Path $OutputDirectoryData 'AzureADAssessment-ConditionalAccess.pbit' Invoke-WebRequest -Uri $script:ModuleConfig.'pbi.conditionalAccessTemplateUri' -UseBasicParsing -OutFile $PBITemplateConditionalAccessPath ## Copy to PowerBI Default Working Directory Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Copy to PowerBI Working Directory' -PercentComplete 90 if (!$SkipPowerBIWorkingDirectory) { $PowerBIWorkingDirectory = Join-Path "C:\AzureADAssessment" "PowerBI" Assert-DirectoryExists $PowerBIWorkingDirectory Copy-Item -Path (Join-Path $OutputDirectoryAAD '*') -Destination $PowerBIWorkingDirectory -Force Copy-Item -LiteralPath $PBITemplateAssessmentPath, $PBITemplateConditionalAccessPath -Destination $PowerBIWorkingDirectory -Force # try { # Invoke-Item $PowerBIWorkingDirectory -ErrorAction SilentlyContinue # } # catch {} } ## Expand AAD Connect ## Expand other zips? ## Complete Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Completed try { Invoke-Item $OutputDirectoryData -ErrorAction SilentlyContinue } catch {} } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Connect-AADAssessment.ps1 <# .SYNOPSIS Connect the Azure AD Assessment module to Azure AD tenant. .EXAMPLE PS C:\>Connect-AADAssessment Connect to home tenant of authenticated user. .EXAMPLE PS C:\>Connect-AADAssessment -TenantId '00000000-0000-0000-0000-000000000000' Connect to specified tenant. #> function Connect-AADAssessment { [CmdletBinding(DefaultParameterSetName = 'PublicClient')] param ( # Specifies the client application or client application options to use for authentication. [Parameter(Mandatory = $true, ParameterSetName = 'InputObject', Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [psobject] $ClientApplication, # Identifier of the client requesting the token. [Parameter(Mandatory = $false, ParameterSetName = 'PublicClient', Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'ConfidentialClientCertificate', Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [string] $ClientId = $script:ModuleConfig.'aad.clientId', # Client assertion certificate of the client requesting the token. [Parameter(Mandatory = $true, ParameterSetName = 'ConfidentialClientCertificate', ValueFromPipelineByPropertyName = $true)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate, # Instance of Azure Cloud [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [ValidateSet('Global', 'China', 'Germany', 'USGov', 'USGovDoD')] [string] $CloudEnvironment = 'Global', # Tenant identifier of the authority to issue token. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string] $TenantId = 'organizations', # User account to authenticate. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string] $User, # Disable Telemetry [Parameter(Mandatory = $false)] [switch] $DisableTelemetry ) ## Update Telemetry Setting if ($PSBoundParameters.ContainsKey($DisableTelemetry)) { Set-Config -AIDisabled $DisableTelemetry } ## Track Command Execution and Performance Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { ## Parameter Validation if ($CloudEnvironment -ne 'Global' -and $ClientId -eq $script:ModuleConfig.'aad.clientId') { Write-Error -Exception (New-Object System.ArgumentException -ArgumentList "Connecting to Cloud Environment [$CloudEnvironment] requires a ClientId to be specified for an application in your tenant.") -ErrorId 'ClientIdParameterRequired' -Category InvalidArgument -ErrorAction Stop } ## Update WebSession User Agent String with Module Info $script:MsGraphSession.UserAgent = $script:MsGraphSession.UserAgent -replace 'AzureADAssessment(/[0-9.]*)?', ('{0}/{1}' -f $PSCmdlet.MyInvocation.MyCommand.Module.Name, $MyInvocation.MyCommand.Module.Version) ## Create Client Application switch ($PSCmdlet.ParameterSetName) { 'InputObject' { $script:ConnectState.ClientApplication = $ClientApplication break } 'PublicClient' { $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment] -RedirectUri $script:mapMgEnvironmentToAadRedirectUri[$CloudEnvironment] break } 'ConfidentialClientCertificate' { $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -ClientCertificate $ClientCertificate -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment] break } } $script:ConnectState.CloudEnvironment = $CloudEnvironment if ($script:ConnectState.ClientApplication -is [Microsoft.Identity.Client.IConfidentialClientApplication]) { Write-Warning 'Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.' } Confirm-ModuleAuthentication $script:ConnectState.ClientApplication -CloudEnvironment $script:ConnectState.CloudEnvironment -User $User -CorrelationId $script:AppInsightsRuntimeState.OperationStack.Peek().Id -ErrorAction Stop #Get-MgContext #Get-AzureADCurrentSessionInfo Write-Debug ($script:ConnectState.MsGraphToken.Scopes -join ' ') } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Disconnect-AADAssessment.ps1 <# .SYNOPSIS Disconnects the current session from an Azure Active Directory tenant. .EXAMPLE PS C:\>Disconnect-AADAssessment This command disconnects your session from a tenant. #> function Disconnect-AADAssessment { [CmdletBinding()] param () ## Track Command Execution and Performance Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { $script:ConnectState = @{ ClientApplication = $null CloudEnvironment = $null MsGraphToken = $null } } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Expand-AADAssessAADConnectConfig.ps1 <# .SYNOPSIS Produces the Azure AD Connect Config Documenter report .DESCRIPTION This cmdlet downloads and executes the Azure AD Config Documenter tool against supplied input files, and returns the full path of the HTML report to the powershell pipeline. This cmdlet also will create subdirectories and files under the root output directory supplied as a parameter. .EXAMPLE .\Expand-AADAssessAADConnectConfig -AADConnectProdConfigZipFilePath "c:\temp\contoso\prod.zip" ` -AADConnectProdStagingZipFilePath "c:\temp\contoso\staging.zip" ` -OutputRootPath "c:\temp\contoso"` -CustomerName "contoso" This command will return a string with full path of the report "C:\Temp\Contoso\Report\Contoso_Production_AppliedTo_Contoso_Staging_AADConnectSync_report.html" .EXAMPLE .\Expand-AADAssessAADConnectConfig -AADConnectProdConfigZipFilePath "c:\temp\contoso\prod.zip" ` -OutputRootPath "c:\temp\contoso" ` -CustomerName "contoso" This command will return a string with full path of the report "C:\Temp\Contoso\Report\Contoso_Production_AppliedTo_Contoso_Production_AADConnectSync_report.html" #> function Expand-AADAssessAADConnectConfig { [CmdletBinding()] param ( # Full path of the ZIP file that from the Azure AD Connect environment in production [Parameter(Mandatory = $true)] [String]$AADConnectProdConfigZipFilePath, # Full path of the ZIP file that from the Azure AD Connect environment in staging [Parameter(Mandatory = $false)] [String]$AADConnectProdStagingZipFilePath, # Full path of an output directory where the tool will be downloaded, and ZIP files will be expanded. This cmdlet will NOT clean up the files there. [Parameter(Mandatory = $true)] [String]$OutputRootPath, # String label that identifies the customer. This is used to create folder names and report filenames. [Parameter(Mandatory = $true)] [String]$CustomerName ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { #Step 1: Create SubFolder $WorkingPath = mkdir -Path $OutputRootPath -Name $CustomerName #Step 2: Download the AAD Config Documenter [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $ConfigToolPath = Join-Path $WorkingPath.FullName "AzureADConnectSyncDocumenter.zip" Invoke-WebRequest -Uri "https://aka.ms/aadcfgdocumenter/release" -OutFile $ConfigToolPath Expand-Archive -Path $ConfigToolPath -DestinationPath $WorkingPath.FullName #Step 3: Expand input files $ConfigToolDataPath = Join-Path $WorkingPath.FullName "Data" $ConfigtoolCustomerDataPath = (mkdir -Path $ConfigToolDataPath -Name "$CustomerName").FullName Expand-Archive -Path $AADConnectProdConfigZipFilePath -DestinationPath $ConfigtoolCustomerDataPath Rename-Item -Path (Join-Path $ConfigtoolCustomerDataPath "AzureADConnectSyncConfig") -NewName "Production" #Craft the names of the relative paths that will be called by the tool. Setting both to prod to start, and then #override the second argument if staging is provided $ToolArgument1 = Join-Path $CustomerName "Production" $ToolArgument2 = $ToolArgument1 if (-not [String]::IsNullOrWhiteSpace($AADConnectProdStagingZipFilePath)) { Expand-Archive -Path $AADConnectProdStagingZipFilePath -DestinationPath $ConfigtoolCustomerDataPath Rename-Item -Path (Join-Path $ConfigtoolCustomerDataPath "AzureADConnectSyncConfig") -NewName "Staging" $ToolArgument2 = Join-Path $CustomerName "Staging" } Set-Location $WorkingPath Invoke-Expression ('.\AzureADConnectSyncDocumenterCmd.exe "{1}" "{0}"' -f $ToolArgument1, $ToolArgument2) $report = (Get-ChildItem -Path (Join-Path $WorkingPath "Report") | Select-Object -First 1) Write-Output $report.FullName } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Export-AADAssessmentPortableModule.ps1 <# .SYNOPSIS Export a portable assessment module that can be copied to servers for data collection. .EXAMPLE PS C:\> Export-AADAssessmentPortableModule "c:\temp\contoso" Exports the module file to "c:\temp\contoso". #> function Export-AADAssessmentPortableModule { [CmdletBinding()] [OutputType([System.IO.FileInfo])] param ( # Directory to output portable module [Parameter(Mandatory = $true)] [string] $OutputDirectory ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { ## Copy AAD Assessment Portable Module $ModulePath = Join-Path $MyInvocation.MyCommand.Module.ModuleBase 'AzureADAssessmentPortable.psm1' Copy-Item $ModulePath -Destination $OutputDirectory -Force -PassThru ## Download and Save ADFSAADMigrationUtils Module #$AdfsAadMigrationModulePath = Join-Path $OutputDirectory 'ADFSAADMigrationUtils.psm1' #Invoke-WebRequest -Uri 'https://github.com/AzureAD/Deployment-Plans/raw/master/ADFS%20to%20AzureAD%20App%20Migration/ADFSAADMigrationUtils.psm1' -UseBasicParsing -OutFile $AdfsAadMigrationModulePath } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Export-AADAssessConditionalAccessData.ps1 <# .SYNOPSIS Produces the Azure AD Conditional Access reports required by the Azure AD assesment .DESCRIPTION This cmdlet reads the conditional access from the target Azure AD Tenant and produces the output files in a target directory .EXAMPLE .\Export-AADAssessConditionalAccessData -OutputDirectory "c:\temp\contoso" #> function Export-AADAssessConditionalAccessData { [CmdletBinding()] param ( # Full path of the directory where the output files will be generated. [Parameter(Mandatory = $true)] [string] $OutputDirectory ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { ## Create Cache for Referenced IDs $ReferencedIdCache = New-AadReferencedIdCache ## Get Conditional Access Policies Get-MsGraphResults "identity/conditionalAccess/policies" ` | Use-Progress -Activity 'Exporting conditionalAccessPolicies' -Property displayName -PassThru ` | Add-AadReferencesToCache -Type conditionalAccessPolicy -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-JsonArray (Join-Path $OutputDirectory "conditionalAccessPolicies.json") -Depth 5 -Compress ## Get Named Locations Get-MsGraphResults "identity/conditionalAccess/namedLocations" ` | Use-Progress -Activity 'Exporting namedLocations' -Property displayName -PassThru ` | Export-JsonArray (Join-Path $OutputDirectory "namedLocations.json") -Depth 5 -Compress ## Get Referenced Users Set-Content -Path (Join-Path $OutputDirectory "users.csv") -Value 'id,userPrincipalName,displayName' Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName' -UniqueId $ReferencedIdCache.user -DisableUniqueIdDeduplication ` | Use-Progress -Activity 'Exporting referenced users' -Property displayName -PassThru ` | Select-Object -Property "*" -ExcludeProperty '@odata.type' ` | Export-Csv (Join-Path $OutputDirectory "users.csv") -NoTypeInformation #| Export-JsonArray (Join-Path $OutputDirectory "users.json") -Depth 5 -Compress ## Get Referenced Groups Set-Content -Path (Join-Path $OutputDirectory "groups.csv") -Value 'id,displayName' Get-MsGraphResults 'groups?$select=id,displayName' -UniqueId $ReferencedIdCache.group -DisableUniqueIdDeduplication ` | Use-Progress -Activity 'Exporting referenced groups' -Property displayName -PassThru ` | Select-Object -Property "*" -ExcludeProperty '@odata.type' ` | Export-Csv (Join-Path $OutputDirectory "groups.csv") -NoTypeInformation #| Export-JsonArray (Join-Path $OutputDirectory "groups.json") -Depth 5 -Compress ## Get Referenced ServicePrincipals (AppIDs) Set-Content -Path (Join-Path $OutputDirectory "servicePrincipals.csv") -Value 'id,appId,displayName' Get-MsGraphResults 'servicePrincipals?$select=id,appId,displayName' -Filter "appId eq '{0}'" -UniqueId $ReferencedIdCache.appId -DisableUniqueIdDeduplication ` | Use-Progress -Activity 'Exporting referenced apps/servicePrincipals' -Property displayName -PassThru ` | Export-Csv (Join-Path $OutputDirectory "servicePrincipals.csv") -NoTypeInformation #| Export-JsonArray (Join-Path $OutputDirectory "servicePrincipals.json") -Depth 5 -Compress } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Get-AADAssessAppAssignmentReport.ps1 <# .SYNOPSIS Gets a report of all assignments to all applications .DESCRIPTION This functions returns a list indicating the applications and their user/groups assignments .EXAMPLE PS C:\> Get-AADAssessAppAssignmentReport | Export-Csv -Path ".\AppAssignmentsReport.csv" #> function Get-AADAssessAppAssignmentReport { [CmdletBinding()] param ( # App Role Assignment Data [Parameter(Mandatory = $false)] [psobject] $AppRoleAssignmentData, # Generate Report Offline, only using the data passed in parameters [Parameter(Mandatory = $false)] [switch] $Offline ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { if ($Offline -and (!$PSBoundParameters['AppRoleAssignmentData'])) { Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound return } if ($AppRoleAssignmentData) { $AppRoleAssignmentData } else { Write-Verbose "Getting servicePrincipals..." Get-MsGraphResults 'servicePrincipals?$select=id,displayName,appOwnerOrganizationId,appRoles&$expand=appRoleAssignedTo' -Top 999 ` | Select-Object -ExpandProperty appRoleAssignedTo } } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Get-AADAssessAppCredentialExpirationReport.ps1 <# .SYNOPSIS Provides a report to show all the keys expiration date accross application and service principals .DESCRIPTION Provides a report to show all the keys expiration date accross application and service principals .EXAMPLE PS C:\> Get-AADAssessAppCredentialExpirationReport | Export-Csv -Path ".\AppCredentialsReport.csv" #> function Get-AADAssessAppCredentialExpirationReport { [CmdletBinding()] param ( # Application Data [Parameter(Mandatory = $false)] [psobject] $ApplicationData, # Service Principal Data [Parameter(Mandatory = $false)] [psobject] $ServicePrincipalData, # Generate Report Offline, only using the data passed in parameters [Parameter(Mandatory = $false)] [switch] $Offline ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { if ($Offline -and (!$PSBoundParameters['ApplicationData'] -or !$PSBoundParameters['ServicePrincipalData'])) { Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound return } function Process-AppCredentials { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [string] $ObjectType ) process { Write-Verbose "Processing $($ObjectType): $($InputObject.displayName) ($($InputObject.id)) " foreach ($credential in $InputObject.keyCredentials) { # check for hasExtensionAttribute $hasExtendedValue = $null if ( [bool]($credential.PSobject.Properties.name -match "hasExtendedValue") ) { $hasExtendedValue = $credential.hasExtendedValue } if ($credential.type -eq "AsymmetricX509Cert" -and ![string]::IsNullOrEmpty($credential.key)) { # credential is a cert and has a key $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($credential.key)) $certSignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName $certKeySize = $null if ($cert.PublicKey.Key) { $certKeySize = $cert.PublicKey.Key.KeySize } elseif (!$certKeySize -and $certSignatureAlgorithm -match "RSA") { try { $certKeySize = $cert.PublicKey.GetRSAPublicKey().KeySize } catch {} } elseif (!$certKeySize -and $certSignatureAlgorithm -match "ECDSA") { try { $certKeySize = $cert.PublicKey.GetECDsaPublicKey().KeySize } catch {} } [PSCustomObject]@{ displayName = $InputObject.displayName objectType = $ObjectType credentialType = $credential.type credentialStartDateTime = $credential.startDateTime credentialEndDateTime = $credential.endDateTime credentialUsage = $credential.usage certSubject = $cert.Subject certIssuer = $cert.Issuer certIsSelfSigned = ($cert.Subject -eq $cert.Issuer) certSignatureAlgorithm = $certSignatureAlgorithm certKeySize = $certKeySize credentialHasExtendedValue = $hasExtendedValue } } else { [PSCustomObject]@{ displayName = $InputObject.displayName objectType = $ObjectType credentialType = $credential.type credentialStartDateTime = $credential.startDateTime credentialEndDateTime = $credential.endDateTime credentialUsage = $credential.usage certSubject = $null certIssuer = $null certIsSelfSigned = $null certSignatureAlgorithm = $null certKeySize = $null credentialHasExtendedValue = $hasExtendedValue } } } foreach ($credential in $InputObject.passwordCredentials) { [PSCustomObject]@{ displayName = $InputObject.displayName objectType = $ObjectType credentialType = "Password" credentialStartDateTime = $credential.startDateTime credentialEndDateTime = $credential.endDateTime credentialUsage = $null certSubject = $null certIssuer = $null certIsSelfSigned = $null certSignatureAlgorithm = $null certKeySize = $null credentialHasExtendedValue = $null } } } } ## Get Applications if ($ApplicationData) { if ($ApplicationData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $ApplicationData.Values | Process-AppCredentials -ObjectType 'Application' } else { $ApplicationData | Process-AppCredentials -ObjectType 'Application' } } else { Write-Verbose "Getting applications..." Get-MsGraphResults 'applications?$select=id,displayName,keyCredentials,passwordCredentials' -Top 999 ` | Process-AppCredentials -ObjectType 'Application' } ## Get Service Principals if ($ServicePrincipalData) { if ($ServicePrincipalData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $ServicePrincipalData.Values | Process-AppCredentials -ObjectType 'Service Principal' } else { $ServicePrincipalData | Process-AppCredentials -ObjectType 'Service Principal' } } else { Write-Verbose "Getting serviceprincipals..." Get-MsGraphResults 'servicePrincipals?$select=id,displayName,keyCredentials,passwordCredentials' -Top 999 ` | Process-AppCredentials -ObjectType 'Service Principal' } } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Get-AADAssessConsentGrantReport.ps1 <# .SYNOPSIS Gets a report of all members of roles .DESCRIPTION This functions returns a list of consent grants in the directory .EXAMPLE PS C:\> Get-AADAssessConsentGrantReport | Export-Csv -Path ".\ConsentGrantReport.csv" #> function Get-AADAssessConsentGrantReport { [CmdletBinding()] param( # App Role Assignment Data [Parameter(Mandatory = $false)] [psobject] $AppRoleAssignmentData, # OAuth2 Permission Grants Data [Parameter(Mandatory = $false)] [psobject] $OAuth2PermissionGrantData, # User Data [Parameter(Mandatory = $false)] [psobject] $UserData, # Service Principal Data [Parameter(Mandatory = $false)] [psobject] $ServicePrincipalData, # Generate Report Offline, only using the data passed in parameters [Parameter(Mandatory = $false)] [switch] $Offline ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { if ($Offline -and (!$PSBoundParameters['AppRoleAssignmentData'] -or !$PSBoundParameters['OAuth2PermissionGrantData'] -or !$PSBoundParameters['UserData'] -or !$PSBoundParameters['ServicePrincipalData'])) { Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound return } function Extract-AppRoleAssignments { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [psobject] $ListVariable, # [Parameter(Mandatory = $false)] [switch] $PassThru ) process { [PSCustomObject[]] $AppRoleAssignment = $InputObject.appRoleAssignedTo $ListVariable.AddRange($AppRoleAssignment) if ($PassThru) { return $InputObject } } } function Process-OAuth2PermissionGrant { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [psobject] $LookupCache, # [Parameter(Mandatory = $false)] [switch] $UseLookupCacheOnly ) process { $oauth2PermissionGrant = $InputObject if ($oauth2PermissionGrant.scope) { [string[]] $scopes = $oauth2PermissionGrant.scope.Trim().Split(" ") foreach ($scope in $scopes) { $client = Get-AadObjectById $oauth2PermissionGrant.clientId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles' $resource = Get-AadObjectById $oauth2PermissionGrant.resourceId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles' if ($oauth2PermissionGrant.principalId) { $principal = Get-AadObjectById $oauth2PermissionGrant.principalId -Type user -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName' } [PSCustomObject]@{ permission = $scope permissionType = 'Delegated' clientId = $oauth2PermissionGrant.clientId clientDisplayName = if ($client) { $client.displayName } else { $null } clientOwnerTenantId = if ($client) { $client.appOwnerOrganizationId } else { $null } resourceObjectId = $oauth2PermissionGrant.resourceId resourceDisplayName = if ($resource) { $resource.displayName } else { $null } consentType = $oauth2PermissionGrant.consentType principalObjectId = $oauth2PermissionGrant.principalId principalDisplayName = if ($oauth2PermissionGrant.principalId -and $principal) { $principal.displayName } else { $null } } } } } } function Process-AppRoleAssignment { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [psobject] $LookupCache, # [Parameter(Mandatory = $false)] [switch] $UseLookupCacheOnly ) process { $appRoleAssignment = $InputObject if ($appRoleAssignment.principalType -eq "ServicePrincipal") { $client = Get-AadObjectById $appRoleAssignment.principalId -Type $appRoleAssignment.principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles' $resource = Get-AadObjectById $appRoleAssignment.resourceId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles' $appRole = $resource.appRoles | Where-Object id -EQ $appRoleAssignment.appRoleId [PSCustomObject]@{ permission = if ($appRole) { $appRole.value } else { $null } permissionType = 'Application' clientId = $appRoleAssignment.principalId clientDisplayName = if ($client) { $client.displayName } else { $null } clientOwnerTenantId = if ($client) { $client.appOwnerOrganizationId } else { $null } resourceObjectId = $appRoleAssignment.ResourceId resourceDisplayName = if ($resource) { $resource.displayName } else { $null } consentType = $null principalObjectId = $null principalDisplayName = $null } } } } $LookupCache = New-LookupCache if ($UserData) { if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.user = $UserData } else { $UserData | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } } if ($ServicePrincipalData) { if ($ServicePrincipalData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.servicePrincipal = $ServicePrincipalData } else { $ServicePrincipalData | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache } } ## Get Service Principal Permissions if ($AppRoleAssignmentData) { $AppRoleAssignmentData | Process-AppRoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline } else { Write-Verbose "Getting servicePrincipals..." $listAppRoleAssignments = New-Object 'System.Collections.Generic.List[psobject]' Get-MsGraphResults 'servicePrincipals?$select=id,displayName,appOwnerOrganizationId,appRoles&$expand=appRoleAssignedTo' -Top 999 ` | Extract-AppRoleAssignments -ListVariable $listAppRoleAssignments -PassThru ` | Select-Object -Property "*" -ExcludeProperty 'appRoleAssignedTo', 'appRoleAssignedTo@odata.context' ` | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache $listAppRoleAssignments | Process-AppRoleAssignment -LookupCache $LookupCache Remove-Variable listAppRoleAssignments } ## Get OAuth2 Permission Grants if ($OAuth2PermissionGrantData) { $OAuth2PermissionGrantData | Process-OAuth2PermissionGrant -LookupCache $LookupCache -UseLookupCacheOnly:$Offline } else { Write-Verbose "Getting oauth2PermissionGrants..." ## https://graph.microsoft.com/v1.0/oauth2PermissionGrants cannot be used for large tenants because it eventually fails with "Service is temorarily unavailable." #Get-MsGraphResults 'oauth2PermissionGrants' -Top 999 $LookupCache.servicePrincipal.Keys | Get-MsGraphResults 'servicePrincipals/{0}/oauth2PermissionGrants' -Top 999 -TotalRequests $LookupCache.servicePrincipal.Count -DisableUniqueIdDeduplication ` | Process-OAuth2PermissionGrant -LookupCache $LookupCache } } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Get-AADAssessNotificationEmailsReport.ps1 <# .SYNOPSIS Gets various email addresses that Azure AD sends notifications to .DESCRIPTION This functions returns a list with the email notification scope and type, the recipient name and an email address .EXAMPLE PS C:\> Get-AADAssessNotificationEmailsReport | Export-Csv -Path ".\NotificationsEmailsReport.csv" #> function Get-AADAssessNotificationEmailsReport { [CmdletBinding()] param ( # Organization Data [Parameter(Mandatory = $false)] [psobject] $OrganizationData, # User Data [Parameter(Mandatory = $false)] [psobject] $UserData, # Group Data [Parameter(Mandatory = $false)] [psobject] $GroupData, # Directory Role Data [Parameter(Mandatory = $false)] [psobject] $DirectoryRoleData, # Generate Report Offline, only using the data passed in parameters [Parameter(Mandatory = $false)] [switch] $Offline ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { if ($Offline -and (!$PSBoundParameters['OrganizationData'] -or !$PSBoundParameters['UserData'] -or !$PSBoundParameters['GroupData'] -or !$PSBoundParameters['DirectoryRoleData'])) { Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound return } # Confirm-ModuleAuthentication -ErrorAction Stop -MsGraphScopes @( # 'https://graph.microsoft.com/Organization.Read.All' # 'https://graph.microsoft.com/RoleManagement.Read.Directory' # 'https://graph.microsoft.com/User.Read.All' # 'https://graph.microsoft.com/Group.Read.All' # ) ## Get Organization Technical Contacts if (!$OrganizationData) { $OrganizationData = Get-MsGraphResults 'organization?$select=technicalNotificationMails' } if ($OrganizationData) { foreach ($technicalNotificationMail in $OrganizationData.technicalNotificationMails) { $result = [PSCustomObject]@{ notificationType = "Technical Notification" notificationScope = "Tenant" recipientType = "emailAddress" recipientEmail = $technicalNotificationMail recipientEmailAlternate = $null recipientId = $null recipientUserPrincipalName = $null recipientDisplayName = $null } if ($UserData) { if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $user = $UserData.Values | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" -or $_.otherMails -Contains $technicalNotificationMail } | Select-Object -First 1 } else { $user = $UserData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" -or $_.otherMails -Contains $technicalNotificationMail } | Select-Object -First 1 } } else { $user = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail') or otherMails/any(c:c eq '$technicalNotificationMail')" | Select-Object -First 1 } # if (!$PSBoundParameters.ContainsKey('UserData')) { # $user = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail') or otherMails/any(c:c eq '$technicalNotificationMail')" | Select-Object -First 1 # } # else { # $user = $UserData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" -or $_.otherMails -Contains $technicalNotificationMail } | Select-Object -First 1 # } if ($user) { $result.recipientType = 'user' $result.recipientId = $user.id $result.recipientUserPrincipalName = $user.userPrincipalName $result.recipientDisplayName = $user.displayName $result.recipientEmailAlternate = $user.otherMails -join ';' } if ($GroupData) { if ($GroupData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $group = $GroupData.Values | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" } | Select-Object -First 1 } else { $group = $GroupData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" } | Select-Object -First 1 } } else { $group = Get-MsGraphResults 'groups?$select=id,displayName,mail,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail')" | Select-Object -First 1 } # if (!$PSBoundParameters.ContainsKey('GroupData')) { # $group = Get-MsGraphResults 'groups?$select=id,displayName,mail,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail')" | Select-Object -First 1 # } # else { # $group = $GroupData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" } | Select-Object -First 1 # } if ($group) { $result.recipientType = 'group' $result.recipientId = $group.id $result.recipientDisplayName = $group.displayName } Write-Output $result } } ## Get email addresses of all users with privileged roles if (!$DirectoryRoleData) { $DirectoryRoleData = Get-MsGraphResults 'directoryRoles?$select=id,displayName' ` | Expand-MsGraphRelationship -ObjectType directoryRoles -PropertyName members -References } foreach ($role in $DirectoryRoleData) { foreach ($roleMember in $role.members) { $member = $null if ($roleMember.'@odata.type' -eq '#microsoft.graph.user') { if ($UserData) { if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $member = $UserData.Values | Where-Object id -EQ $roleMember.id | Select-Object -First 1 } else { $member = $UserData | Where-Object id -EQ $roleMember.id | Select-Object -First 1 } } else { $member = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses' -UniqueId $roleMember.id | Select-Object -First 1 } } elseif ($roleMember.'@odata.type' -eq '#microsoft.graph.group') { if ($GroupData) { if ($GroupData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $member = $GroupData.Values | Where-Object id -EQ $roleMember.id | Select-Object -First 1 } else { $member = $GroupData | Where-Object id -EQ $roleMember.id | Select-Object -First 1 } } else { $member = Get-MsGraphResults 'groups?$select=id,displayName,mail,proxyAddresses' -UniqueId $roleMember.id | Select-Object -First 1 } } [PSCustomObject]@{ notificationType = $role.displayName notificationScope = 'Role' recipientType = (Get-ObjectPropertyValue $roleMember '@odata.type') -replace '#microsoft.graph.', '' recipientEmail = (Get-ObjectPropertyValue $member 'mail') recipientEmailAlternate = (Get-ObjectPropertyValue $member 'otherMails') -join ';' recipientId = (Get-ObjectPropertyValue $member 'id') recipientUserPrincipalName = (Get-ObjectPropertyValue $member 'userPrincipalName') recipientDisplayName = (Get-ObjectPropertyValue $member 'displayName') } } ## ToDo: Resolve group memberships? } } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Get-AADAssessRoleAssignmentReport.ps1 <# .SYNOPSIS Gets a report of all role assignments .DESCRIPTION This function returns a list of role assignments .EXAMPLE PS C:\> Get-AADAssessRoleAssignmentReport | Export-Csv -Path ".\RoleAssignmentReport.csv" #> function Get-AADAssessRoleAssignmentReport { [CmdletBinding()] param ( # Role Assignments [Parameter(Mandatory = $false)] [psobject] $RoleAssignmentsData, # Role Assignment Schedule Instance Data [Parameter(Mandatory = $false)] [psobject] $RoleAssignmentScheduleInstancesData, # Role Eligible Schedule Instance Data [Parameter(Mandatory = $false)] [psobject] $RoleEligibilityScheduleInstancesData, # Organization Data [Parameter(Mandatory = $false)] [psobject] $OrganizationData, # Administrative Unit Data [Parameter(Mandatory = $false)] [psobject] $AdministrativeUnitsData, # User Data [Parameter(Mandatory = $false)] [psobject] $UsersData, # Group Data [Parameter(Mandatory = $false)] [psobject] $GroupsData, # Application Data [Parameter(Mandatory = $false)] [psobject] $ApplicationsData, # Service Principal Data [Parameter(Mandatory = $false)] [psobject] $ServicePrincipalsData, # Generate Report Offline, only using the data passed in parameters [Parameter(Mandatory = $false)] [switch] $Offline ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { # there may be no elegibile roles so it isn't counted to check for offline but collection will be prevented # role assignement should have some members if at least for one global administrator if ($Offline -and (!($PSBoundParameters['RoleAssignmentScheduleInstancesData'] -or $PSBoundParameters['RoleEligibilityScheduleInstancesData']) -and !$PSBoundParameters['roleAssignmentsData'])) { Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound return } function Process-RoleAssignment { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [psobject] $LookupCache, # [Parameter(Mandatory = $false)] [switch] $UseLookupCacheOnly ) process { $RoleScheduleInstances = $InputObject foreach ($RoleScheduleInstance in $RoleScheduleInstances) { # get details of directory scope if ($RoleScheduleInstance.directoryScopeId -match '/(?:(.+)s/)?([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') { $ObjectId = $Matches[2] $directoryScopeType = $Matches[1] if ($directoryScopeType) { $directoryScope = Get-AadObjectById $ObjectId -Type $directoryScopeType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly } else { $directoryScope = Get-AadObjectById $ObjectId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly if ($directoryScope) { $directoryScopeType = 'servicePrincipal' } else { $directoryScope = Get-AadObjectById $ObjectId -Type application -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly if ($directoryScope) { $directoryScopeType = 'application' } } } } else { $directoryScopeType = "tenant" $directoryScope = @{ id = $OrganizationData.id displayName = $OrganizationData.displayName } } # get details of principal $principalType = 'user' $principal = Get-AadObjectById $RoleScheduleInstance.principalId -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,mail,otherMails' if (!$principal) { $principalType = 'group' $principal = Get-AadObjectById $RoleScheduleInstance.principalId -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,mail' } if (!$principal) { $principalType = 'servicePrincipal' $principal = Get-AadObjectById $RoleScheduleInstance.principalId -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName' } if (!$principal) { $principalType = 'unknown' } $OutputObject = [PSCustomObject]@{ id = $RoleScheduleInstance.id directoryScopeId = $RoleScheduleInstance.directoryScopeId directoryScopeObjectId = if ($directoryScope) { $directoryScope.id } else { $null } directoryScopeDisplayName = if ($directoryScope) { $directoryScope.displayName } else { $null } directoryScopeType = $directoryScopeType roleDefinitionId = $RoleScheduleInstance.roleDefinition.id roleDefinitionTemplateId = $RoleScheduleInstance.roleDefinition.templateId roleDefinitionDisplayName = $RoleScheduleInstance.roleDefinition.displayName principalId = $RoleScheduleInstance.principalId principalDisplayName = if ($principal) { $principal.displayName } else { $null } principalType = $principalType principalMail = if ($principal) { Get-ObjectPropertyValue $principal mail } else { $null } principalOtherMails = if ($principal) { Get-ObjectPropertyValue $principal otherMails } else { $null } memberType = $RoleScheduleInstance.memberType assignmentType = $RoleScheduleInstance.assignmentType startDateTime = if ($RoleScheduleInstance.psobject.Properties.Name.Contains('startDateTime')) { $RoleScheduleInstance.startDateTime } else { $null } endDateTime = if ($RoleScheduleInstance.psobject.Properties.Name.Contains('endDateTime')) { $RoleScheduleInstance.endDateTime } else { $null } } $OutputObject if ($principalType -eq 'group') { $OutputObject.memberType = 'Group' if ($UseLookupCacheOnly) { Expand-GroupTransitiveMembership $RoleScheduleInstance.principalId -LookupCache $LookupCache ` | ForEach-Object { $principalType = $_.'@odata.type' -replace '#microsoft.graph.', '' $principal = Get-AadObjectById $_.id -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly $OutputObject.principalId = $_.id $OutputObject.principalDisplayName = if ($principal) { $principal.displayName } else { $null } $OutputObject.principalType = $principalType $OutputObject.principalMail = if ($principal) { Get-ObjectPropertyValue $principal mail } else { $null } $OutputObject.principalOtherMails = if ($principal) { Get-ObjectPropertyValue $principal otherMails } else { $null } $OutputObject } } else { Get-MsGraphResults 'groups/{0}/transitiveMembers' -UniqueId $RoleScheduleInstance.principalId -Select id, displayName, mail, otherMails -Top 999 -DisableUniqueIdDeduplication ` | ForEach-Object { $OutputObject.principalId = $_.id $OutputObject.principalDisplayName = $_.displayName $OutputObject.principalType = $_.'@odata.type' -replace '#microsoft.graph.', '' $OutputObject.principalMail = if ($principal) { Get-ObjectPropertyValue $principal mail } else { $null } $OutputObject.principalOtherMails = if ($principal) { Get-ObjectPropertyValue $principal otherMails } else { $null } $OutputObject } } } } } } if (!$OrganizationData) { $OrganizationData = Get-MsGraphResults 'organization?$select=id,displayName' } $LookupCache = New-LookupCache if ($AdministrativeUnitsData) { if ($AdministrativeUnitsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.administrativeUnit = $AdministrativeUnitsData } else { $AdministrativeUnitsData | Add-AadObjectToLookupCache -Type administrativeUnit -LookupCache $LookupCache } } if ($UsersData) { if ($UsersData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.user = $UsersData } else { $UsersData | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } } if ($GroupsData) { if ($GroupsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.group = $GroupsData } else { $GroupsData | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache } } if ($ApplicationsData) { if ($ApplicationsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.application = $ApplicationsData } else { $ApplicationsData | Add-AadObjectToLookupCache -Type application -LookupCache $LookupCache } } if ($ServicePrincipalsData) { if ($ServicePrincipalsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.servicePrincipal = $ServicePrincipalsData } else { $ServicePrincipalsData | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache } } ## Get Role Assignments [bool] $isAadP2Tenant = $true if ($RoleAssignmentScheduleInstancesData) { $isAadP2Tenant = $true $RoleAssignmentScheduleInstancesData | Process-RoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline } elseif ($RoleAssignmentsData) { $isAadP2Tenant = $false $RoleAssignmentsData | Select-Object -Property *, @{Name = "memberType"; Expression = { "Direct" } }, @{Name = "assignmentType"; Expression = { "Assigned" } } ` | Process-RoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline } elseif (!$Offline) { try { Get-MsGraphResults 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleInstances?$top=1' -ApiVersion beta -DisablePaging -ErrorAction Stop | Out-Null } catch { $isAadP2Tenant = $false } if ($isAadP2Tenant) { Write-Verbose "Getting roleAssignmentScheduleInstances..." #Get-MsGraphResults 'roleManagement/directory/roleAssignmentSchedules' -Select 'id,directoryScopeId,memberType,scheduleInfo,status,assignmentType' -Filter "status eq 'Provisioned' and assignmentType eq 'Assigned'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'beta' ` Get-MsGraphResults 'roleManagement/directory/roleAssignmentScheduleInstances' -Select 'id,directoryScopeId,assignmentType,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } ` | Process-RoleAssignment -LookupCache $LookupCache } else { Write-Verbose "Getting roleAssignments..." Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } ` | Select-Object -Property *, @{Name = "memberType"; Expression = { "Direct" } }, @{Name = "assignmentType"; Expression = { "Assigned" } } ` | Process-RoleAssignment -LookupCache $LookupCache } } if ($RoleEligibilityScheduleInstancesData) { $RoleEligibilityScheduleInstancesData | Select-Object -Property *, @{Name = "assignmentType"; Expression = { "Eligible" } } ` | Process-RoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline } elseif (!$Offline -and $isAadP2Tenant) { Write-Verbose "Getting roleEligibleScheduleInstances..." #Get-MsGraphResults 'roleManagement/directory/roleEligibilitySchedules' -Select 'id,directoryScopeId,memberType,scheduleInfo,status' -Filter "status eq 'Provisioned'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'beta' ` Get-MsGraphResults 'roleManagement/directory/roleEligibilityScheduleInstances' -Select 'id,directoryScopeId,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } ` | Select-Object -Property *, @{Name = "assignmentType"; Expression = { "Eligible" } } ` | Process-RoleAssignment -LookupCache $LookupCache } } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Get-AADAssessUserReport.ps1 <# .SYNOPSIS Gets a report selected users in the tenant .DESCRIPTION This function returns a list of users in the tenant It will collect the lastsignindatetime (interactive or non interactive) and check the authenticationmethods available to the user .EXAMPLE PS C:\> Get-AADAssessUserReport | Export-Csv -Path ".\users.csv" #> function Get-AADAssessUserReport { [CmdletBinding()] param ( # User Data [Parameter(Mandatory = $false)] [psobject] $UserData, [Parameter(Mandatory = $false)] [psobject] $RegistrationDetailsData, [Parameter(Mandatory = $false)] [switch] $Offline ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { function Process-User { param ( # Input Object (user) [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # LookupCache [Parameter(Mandatory = $true)] [psobject] $LookupCache ) begin { $aadp1plan = "41781fb2-bc02-4b7c-bd55-b576c07bb09d" $aadp2plan = "eec0eb4f-6444-4f95-aba0-50c24d67f998" } process { # check user license $aadLicense = "None" if ($InputObject.psobject.Properties.Name.Contains('assignedPlans')) { $plans = $InputObject.assignedPlans | foreach-object { $_.servicePlanId } if ($plans -contains $aadp2plan) { $aadLicense = "AADP2" } elseif ($plans -contains $aadp1plan) { $aadLicense = "AADP1" } } # get last signindate times $lastInteractiveSignInDateTime = "" $lastNonInteractiveSignInDateTime = "" if ($InputObject.psobject.Properties.Name.Contains('signInActivity')) { $lastInteractiveSignInDateTime = $InputObject.signInActivity.lastSignInDateTime $lastNonInteractiveSignInDateTime = $InputObject.signInActivity.lastNonInteractiveSignInDateTime } # get the registered methods and MFA capability $registerationDetails = $LookupCache.userRegistrationDetails[$InputObject.id] # set default values $isMfaCapable = $false $isMfaRegistered = $false $methodsRegistered = "" $defaultMfaMethod = "" if ($registerationDetails) { $isMfaRegistered = $registerationDetails.isMfaRegistered $isMfaCapable = $registerationDetails.isMfaCapable $methodsRegistered = $registerationDetails.methodsRegistered -join ";" if ($registerationDetails.defaultMfaMethod -ne "none") { $defaultMfaMethod = $registerationDetails.defaultMfaMethod } } # else { # Write-Warning "authentication method registration not found for $($InputObject.id)" # } # output user object [PSCustomObject]@{ "id" = $InputObject.id "userPrincipalName" = $InputObject.userPrincipalName "displayName" = $InputObject.displayName -replace "`n","" "userType" = $InputObject.UserType "accountEnabled" = $InputObject.accountEnabled "onPremisesSyncEnabled" = [bool]$_.onPremisesSyncEnabled "onPremisesImmutableId" = ![string]::IsNullOrWhiteSpace($InputObject.onPremisesImmutableId) "mail" = $InputObject.mail "otherMails" = $InputObject.otherMails "AADLicense" = $aadLicense "lastInteractiveSignInDateTime" = $lastInteractiveSignInDateTime "lastNonInteractiveSignInDateTime" = $lastNonInteractiveSignInDateTime "isMfaRegistered" = $isMfaRegistered "isMfaCapable" = $isMfaCapable "methodsRegistered" = $methodsRegistered "defaultMfaMethod" = $defaultMfaMethod } } } if ($Offline -and (!$PSBoundParameters['UserData'] -or !$PSBoundParameters['RegistrationDetailsData'])) { Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound return } ## Initialize lookup cache $LookupCache = New-LookupCache ## Check UserData presence if ($UserData) { if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.user = $UserData } else { $UserData | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } } else { Write-Warning "Getting all users (this can take a while)..." Get-MsGraphResults 'users' -Select 'id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,proxyAddresses,assignedPlans,signInActivity' -ApiVersion 'beta'` | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } ## Check RegistrationDetails presence if ($RegistrationDetailsData) { if ($RegistrationDetailsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) { $LookupCache.userRegistrationDetails = $RegistrationDetailsData } else { $RegistrationDetailsData | Add-AadObjectToLookupCache -Type "userRegistrationDetails" -LookupCache $LookupCache } } else { Get-MsGraphResults 'reports/authenticationMethods/userRegistrationDetails' -ApiVersion 'beta' | Add-AadObjectToLookupCache -Type "userRegistrationDetails" -LookupCache $LookupCache } ## Generate user report infos $LookupCache.user.Values | Process-User -LookupCache $LookupCache } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region Invoke-AADAssessmentDataCollection.ps1 <# .SYNOPSIS Produces the Azure AD Configuration reports required by the Azure AD assesment .DESCRIPTION This cmdlet reads the configuration information from the target Azure AD Tenant and produces the output files in a target directory .EXAMPLE PS C:\> Invoke-AADAssessmentDataCollection Collect and package assessment data to "C:\AzureADAssessment". .EXAMPLE PS C:\> Invoke-AADAssessmentDataCollection -OutputDirectory "C:\Temp" Collect and package assessment data to "C:\Temp". #> function Invoke-AADAssessmentDataCollection { [CmdletBinding()] param ( # Full path of the directory where the output files will be generated. [Parameter(Mandatory = $false)] [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'), # Generate Reports [Parameter(Mandatory = $false)] [switch] $SkipReportOutput, # Skip Packaging [Parameter(Mandatory = $false)] [switch] $SkipPackaging, [Parameter(Mandatory = $false)] # Skip getting user assigned plans [switch] $NoAssignedPlans ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name try { $ReferencedIdCache = New-AadReferencedIdCache #$ReferencedIdCacheCA = New-AadReferencedIdCache function Get-ReferencedIdCacheDetail { param ( # ReferencedIdCache Object [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $ReferencedIdCache ) process { $Output = [ordered]@{} foreach ($Property in $ReferencedIdCache.psobject.Properties) { $Output.Add(('RefIdCacheCount: {0}' -f $Property.Name), $Property.Value.Count) } Write-Output $Output } } function Extract-AppRoleAssignments { param ( # [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $InputObject, # [Parameter(Mandatory = $true)] [psobject] $ListVariable, # [Parameter(Mandatory = $false)] [switch] $PassThru ) process { [PSCustomObject[]] $AppRoleAssignment = $InputObject.appRoleAssignedTo $ListVariable.AddRange($AppRoleAssignment) if ($PassThru) { return $InputObject } } } if ($MyInvocation.CommandOrigin -eq 'Runspace') { ## Reset Parent Progress Bar New-Variable -Name stackProgressId -Scope Script -Value (New-Object 'System.Collections.Generic.Stack[int]') -ErrorAction SilentlyContinue $stackProgressId.Clear() $stackProgressId.Push(0) } ### Initalize Directory Paths #$OutputDirectory = Join-Path $OutputDirectory "AzureADAssessment" $OutputDirectoryData = Join-Path $OutputDirectory "AzureADAssessmentData" $AssessmentDetailPath = Join-Path $OutputDirectoryData "AzureADAssessment.json" $PackagePath = Join-Path $OutputDirectory "AzureADAssessmentData.aad" ### Start Output Log #Start-Transcript -OutputDirectory $OutputDirectoryData -Force -IncludeInvocationHeader | Out-Null #$ErrorStartCount = $Error.Count ### Organization Data - 0 Write-AppInsightsTrace ("{0} - Organization Details" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity 'Microsoft Azure AD Assessment' -Status 'Organization Details' -PercentComplete 0 $OrganizationData = Get-MsGraphResults 'organization?$select=id,displayName,verifiedDomains,technicalNotificationMails' -ErrorAction Stop $InitialTenantDomain = $OrganizationData.verifiedDomains | Where-Object isInitial -EQ $true | Select-Object -ExpandProperty name -First 1 $PackagePath = $PackagePath.Replace("AzureADAssessmentData.aad", "AzureADAssessmentData-$InitialTenantDomain.aad") $OutputDirectoryAAD = Join-Path $OutputDirectoryData "AAD-$InitialTenantDomain" Assert-DirectoryExists $OutputDirectoryAAD ConvertTo-Json -InputObject $OrganizationData -Depth 10 | Set-Content (Join-Path $OutputDirectoryAAD "organization.json") ### Generate Assessment Data $AssessmentData = [PSCustomObject]@{ AssessmentDateTime = Get-Date AssessmentId = if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) { $script:AppInsightsRuntimeState.OperationStack.Peek().Id.ToString() } else { (New-Guid).ToString() } AssessmentVersion = $MyInvocation.MyCommand.Module.Version.ToString() AssessmentTenantId = $OrganizationData.id AssessmentTenantDomain = $InitialTenantDomain } Assert-DirectoryExists $OutputDirectoryData ConvertTo-Json -InputObject $AssessmentData | Set-Content $AssessmentDetailPath ### Licenses - 1 Write-AppInsightsTrace ("{0} - Subscribed SKU" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Subscribed SKU' -PercentComplete 5 Get-MsGraphResults "subscribedSkus" -Select "prepaidunits", "consumedunits", "skuPartNumber", "servicePlans" -OutVariable skus ` | Export-JsonArray (Join-Path $OutputDirectoryAAD "subscribedSkus.json") -Depth 5 -Compress # Check tenant license status $licenseType = "Free" if ($skus | Where-Object { $_.prepaidUnits.enabled -gt 0 -and ($_.servicePlans | Where-Object { $_.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" })}) { $licenseType = "P1" } elseif ($skus | Where-Object { $_.prepaidUnits.enabled -gt 0 -and ($_.servicePlans | Where-Object { $_.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" })}) { $licenseType = "P2" } Remove-Variable skus ### Conditional Access policies - 2 Write-AppInsightsTrace ("{0} - Conditional Access Policies" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Conditional Access Policies' -PercentComplete 10 #Get-MsGraphResults "identity/conditionalAccess/policies" -ErrorAction Stop ` Get-MsGraphResults "identity/conditionalAccess/policies" ` | Add-AadReferencesToCache -Type conditionalAccessPolicy -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-JsonArray (Join-Path $OutputDirectoryAAD "conditionalAccessPolicies.json") -Depth 5 -Compress ### Named location - 3 Write-AppInsightsTrace ("{0} - Conditional Access Named locations" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Conditional Access Named locations' -PercentComplete 15 Get-MsGraphResults "identity/conditionalAccess/namedLocations" ` | Export-JsonArray (Join-Path $OutputDirectoryAAD "namedLocations.json") -Depth 5 -Compress ### EOTP Policy - 4 Write-AppInsightsTrace ("{0} - Email Auth Method Policy" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Email Auth Method Policy' -PercentComplete 20 Get-MsGraphResults "policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email" ` | ConvertTo-Json -Depth 5 -Compress | Set-Content -Path (Join-Path $OutputDirectoryAAD "emailOTPMethodPolicy.json") ### Directory Role Data - 5 (Remove from next release) # Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Roles' -PercentComplete 21 # ## $expand on directoryRole members caps results at 20 members with no NextLink so call members endpoint for each. # Get-MsGraphResults 'directoryRoles?$select=id,displayName,roleTemplateId' -DisableUniqueIdDeduplication ` # | Expand-MsGraphRelationship -ObjectType directoryRoles -PropertyName members -References ` # | Add-AadReferencesToCache -Type directoryRole -ReferencedIdCache $ReferencedIdCache -PassThru ` # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "directoryRoleData.xml") ### Directory Role Definitions - 6 Write-AppInsightsTrace ("{0} - Directory Role Definitions" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Definitions' -PercentComplete 25 Get-MsGraphResults 'roleManagement/directory/roleDefinitions' -Select 'id,templateId,displayName,isBuiltIn,isEnabled' -ApiVersion 'v1.0' -OutVariable roleDefinitions ` | Where-Object { $_.isEnabled } ` | Select-Object id, templateId, displayName, isBuiltIn, isEnabled ` | Export-Csv (Join-Path $OutputDirectoryAAD "roleDefinitions.csv") -NoTypeInformation if ($licenseType -eq "P2") { ### Directory Role Assignments - 7 Write-AppInsightsTrace ("{0} - Directory Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Assignments' -PercentComplete 30 ## Getting role assignments via unified role API # Get-MsGraphResults 'roleManagement/directory/roleAssignmentScheduleInstances' -Select 'id,directoryScopeId,assignmentType,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'v1.0' ` $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleAssignmentScheduleInstances' -Select 'id,directoryScopeId,assignmentType,memberType,principalId,startDateTime,endDateTime' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -TotalRequests $roleDefinitions.Count -ApiVersion 'v1.0' ` | Add-AadReferencesToCache -Type roleAssignmentScheduleInstances -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleAssignmentScheduleInstancesData.xml") ### Directory Role Eligibility - 8 Write-AppInsightsTrace ("{0} - Directory Role Eligibility" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Eligibility' -PercentComplete 35 # Getting role eligibility via unified role API #Get-MsGraphResults 'roleManagement/directory/roleEligibilityScheduleInstances' -Select 'id,directoryScopeId,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'v1.0' ` $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleEligibilityScheduleInstances' -Select 'id,directoryScopeId,memberType,principalId,startDateTime,endDateTime' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -TotalRequests $roleDefinitions.Count -ApiVersion 'v1.0' ` | Add-AadReferencesToCache -Type roleAssignmentScheduleInstances -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleEligibilityScheduleInstancesData.xml") #| Export-JsonArray (Join-Path $OutputDirectoryAAD "roleEligibilityScheduleInstances.json") -Depth 5 -Compress } else { ### Directory Role Assignments - 7 Write-AppInsightsTrace ("{0} - Directory Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Assignments' -PercentComplete 30 if ($script:ConnectState.CloudEnvironment -in 'USGov', 'USGovDoD', 'China') { ## MS Graph endpoint roleManagement/directory/roleAssignments must still have filter on Gov tenants $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } ` | Add-AadReferencesToCache -Type roleAssignments -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleAssignmentsData.xml") } else { Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } ` | Add-AadReferencesToCache -Type roleAssignments -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleAssignmentsData.xml") } } Remove-Variable roleDefinitions # Lookup ObjectIds with Unknown Types $ReferencedIdCache.unknownType | Get-MsGraphResults 'directoryObjects' -Select 'id' ` | ForEach-Object { $ObjectType = $_.'@odata.type' -replace '#microsoft.graph.', '' [void] $ReferencedIdCache.$ObjectType.Add($_.id) if ($ObjectType -eq 'group') { [void] $ReferencedIdCache.roleGroup.Add($_.id) } } $ReferencedIdCache.unknownType.Clear() ### Application Data - 9 Write-AppInsightsTrace ("{0} - Applications" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Applications' -PercentComplete 40 Get-MsGraphResults 'applications?$select=id,appId,displayName,appRoles,keyCredentials,passwordCredentials' -Top 999 -ApiVersion 'v1.0' ` | Where-Object { $_.keyCredentials.Count -or $_.passwordCredentials.Count -or $ReferencedIdCache.application.Contains($_.id) -or $ReferencedIdCache.appId.Contains($_.appId) } ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "applicationData.xml") ### Service Principal Data - 10 Write-AppInsightsTrace ("{0} - Service Principals" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Service Principals' -PercentComplete 45 ## Option 1: Get servicePrincipal objects without appRoleAssignments. Get appRoleAssignments # $servicePrincipalsCount = Get-MsGraphResults 'servicePrincipals/$count' ` # ## Although much more performant, $expand on servicePrincipal appRoleAssignedTo appears to miss certain appRoleAssignments. # Get-MsGraphResults 'servicePrincipals?$select=id,appId,servicePrincipalType,displayName,accountEnabled,appOwnerOrganizationId,appRoles,oauth2PermissionScopes,keyCredentials,passwordCredentials' -Top 999 ` # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") ## Option 2: Expand appRoleAssignedTo when retrieving servicePrincipal object. This is at least 50x faster but appears to miss some appRoleAssignments. $listAppRoleAssignments = New-Object 'System.Collections.Generic.List[psobject]' Get-MsGraphResults 'servicePrincipals?$select=id,appId,servicePrincipalType,displayName,accountEnabled,appOwnerOrganizationId,appRoles,oauth2PermissionScopes,keyCredentials,passwordCredentials&$expand=appRoleAssignedTo' -Top 999 -ApiVersion 'v1.0' ` | Extract-AppRoleAssignments -ListVariable $listAppRoleAssignments -PassThru ` | Select-Object -Property "*" -ExcludeProperty 'appRoleAssignedTo', 'appRoleAssignedTo@odata.context' ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") ### App Role Assignments Data - 11 Write-AppInsightsTrace ("{0} - App Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'App Role Assignments' -PercentComplete 50 ## Option 1: Loop through all servicePrincipals to get appRoleAssignments # Import-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") ` # | Get-MsGraphResults 'servicePrincipals/{0}/appRoleAssignedTo' -Top 999 -TotalRequests $servicePrincipalsCount -DisableUniqueIdDeduplication ` # | Add-AadReferencesToCache -Type appRoleAssignment -ReferencedIdCache $ReferencedIdCache -PassThru ` # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "appRoleAssignmentData.xml") ## Option 2: Use expanded appRoleAssignedTo from servicePrincipals. This is at least 50x faster but appears to miss some appRoleAssignments. $listAppRoleAssignments ` | Add-AadReferencesToCache -Type appRoleAssignment -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "appRoleAssignmentData.xml") Remove-Variable listAppRoleAssignments ### OAuth2 Permission Grants Data - 12 Write-AppInsightsTrace ("{0} - OAuth2 Permission Grants" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'OAuth2 Permission Grants' -PercentComplete 55 ## https://graph.microsoft.com/v1.0/oauth2PermissionGrants fails with "Service is temorarily unavailable" if too much data is returned in a single request. 600 works on microsoft.onmicrosoft.com. Get-MsGraphResults 'oauth2PermissionGrants' -Top 600 ` | Add-AadReferencesToCache -Type oauth2PermissionGrant -ReferencedIdCache $ReferencedIdCache -PassThru ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "oauth2PermissionGrantData.xml") ### Filter Service Principals - 13 Write-AppInsightsTrace ("{0} - Filtering Service Principals" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Filtering Service Principals' -PercentComplete 60 Remove-Item (Join-Path $OutputDirectoryAAD "servicePrincipalData-Unfiltered.xml") -ErrorAction Ignore Rename-Item (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") -NewName "servicePrincipalData-Unfiltered.xml" Import-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData-Unfiltered.xml") ` | Where-Object { $_.keyCredentials.Count -or $_.passwordCredentials.Count -or $ReferencedIdCache.servicePrincipal.Contains($_.id) -or $ReferencedIdCache.appId.Contains($_.appId) } ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") Remove-Item (Join-Path $OutputDirectoryAAD "servicePrincipalData-Unfiltered.xml") -Force $ReferencedIdCache.servicePrincipal.Clear() ### Administrative units data - 14 Write-AppInsightsTrace ("{0} - Administrative Units" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Set-Content -Path (Join-Path $OutputDirectoryAAD "administrativeUnits.csv") -Value 'id,displayName,visibility' Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Administrative Units' -PercentComplete 65 Get-MsGraphResults 'directory/administrativeUnits' -Select 'id,displayName,visibility' ` | Export-Csv (Join-Path $OutputDirectoryAAD "administrativeUnits.csv") -NoTypeInformation -Append ### Registration details data - 15 if ($licenseType -ne "Free") { Write-AppInsightsTrace ("{0} - Registration Details" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Registration Details' -PercentComplete 70 Get-MsGraphResults 'reports/authenticationMethods/userRegistrationDetails' -ApiVersion 'beta' ` | Export-JsonArray (Join-Path $OutputDirectoryAAD "userRegistrationDetails.json") -Depth 5 -Compress } ### Group Data - 16 Write-AppInsightsTrace ("{0} - Groups" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Groups' -PercentComplete 75 # add technical notifications groups if ($OrganizationData) { $OrganizationData.technicalNotificationMails | Get-MsGraphResults 'groups?$select=id' -Filter "proxyAddresses/any(c:c eq 'smtp:{0}')" ` | ForEach-Object { [void]$ReferencedIdCache.group.Add($_.id) } } # Add nested groups if ($ReferencedIdCache.roleGroup.Count -gt 0) { $ReferencedIdCache.roleGroup.guid | Get-MsGraphResults 'groups/{0}/transitiveMembers/microsoft.graph.group?$count=true&$select=id' -Top 999 -TotalRequests $ReferencedIdCache.roleGroup.Count -DisableUniqueIdDeduplication ` | ForEach-Object { [void]$ReferencedIdCache.group.Add($_.id) } } ## Option 1: Populate direct members on groups (including nested groups) and calculate transitiveMembers later. ## $expand on group members caps results at 20 members with no NextLink so call members endpoint for each. $ReferencedIdCache.group | Get-MsGraphResults 'groups?$select=id,groupTypes,displayName,mail,proxyAddresses,mailEnabled,securityEnabled,onPremisesSyncEnabled' -TotalRequests $ReferencedIdCache.group.Count -DisableUniqueIdDeduplication -BatchSize 1 -GetByIdsBatchSize 20 ` | Expand-MsGraphRelationship -ObjectType groups -PropertyName members -References -Top 999 -SkipRelationshipThreshold 100 ` | Add-AadReferencesToCache -Type group -ReferencedIdCache $ReferencedIdCache -ReferencedTypes '#microsoft.graph.user', '#microsoft.graph.servicePrincipal' -PassThru ` | Select-Object -Property "*" -ExcludeProperty '@odata.type' ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "groupData.xml") # | ForEach-Object { # foreach ($Object in $_.member) { # if ($Object.'@odata.type' -in ('#microsoft.graph.user', '#microsoft.graph.servicePrincipal')) { # $ObjectType = $Object.'@odata.type' -replace '#microsoft.graph.', '' # [void] $ReferencedIdCache.$ObjectType.Add($Object.id) # } # } # } ## Option 2: Get groups without member data and let Azure AD calculate transitiveMembers. # $ReferencedIdCache.group | Get-MsGraphResults 'groups?$select=id,groupTypes,displayName,mail,proxyAddresses,mailEnabled,securityEnabled' -TotalRequests $ReferencedIdCache.group.Count -DisableUniqueIdDeduplication ` # | Select-Object -Property "*" -ExcludeProperty '@odata.type' ` # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "groupData.xml") # ### Group Transitive members - 16 # Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Group Transitive Membership' -PercentComplete 75 # $ReferencedIdCache.group | Get-MsGraphResults 'groups/{0}/transitiveMembers/$ref' -Top 999 -TotalRequests $ReferencedIdCache.group.Count -IncapsulateReferenceListInParentObject -DisableUniqueIdDeduplication ` # | ForEach-Object { # $group = $_ # #[array] $directMembers = Get-MsGraphResults 'groups/{0}/members/$ref' -UniqueId $_.id -Top 999 -DisableUniqueIdDeduplication | Expand-ODataId | Select-Object -ExpandProperty id # $group.transitiveMembers | Expand-ODataId | ForEach-Object { # if ($_.'@odata.type' -eq '#microsoft.graph.user') { [void]$ReferencedIdCache.user.Add($_.id) } # [PSCustomObject]@{ # id = $group.id # #'@odata.type' = $group.'@odata.type' # memberId = $_.id # memberType = $_.'@odata.type' -replace '#microsoft.graph.', '' # #direct = $directMembers -and $directMembers.Contains($_.id) # } # } # } ` # | Export-Csv (Join-Path $OutputDirectoryAAD "groupTransitiveMembers.csv") -NoTypeInformation $ReferencedIdCache.group.Clear() ### User Data - 17 Write-AppInsightsTrace ("{0} - Users" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Users' -PercentComplete 80 # add technical notifications users if ($OrganizationData) { $OrganizationData.technicalNotificationMails | Get-MsGraphResults 'users?$select=id' -Filter "proxyAddresses/any(c:c eq 'smtp:{0}') or otherMails/any(c:c eq '{0}')" ` | ForEach-Object { [void]$ReferencedIdCache.user.Add($_.id) } } # get user information #$ReferencedIdCache.user | Get-MsGraphResults 'users/{0}?$select=id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,proxyAddresses,assignedPlans,signInActivity' -TotalRequests $ReferencedIdCache.user.Count -DisableUniqueIdDeduplication -ApiVersion 'beta' ` $userQuery = 'users/{0}?$select=id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,proxyAddresses' if (!$NoAssignedPlans) { $userQuery += ",assignedPlans" } $ReferencedIdCache.user | Get-MsGraphResults $userQuery -TotalRequests $ReferencedIdCache.user.Count -DisableUniqueIdDeduplication -BatchSize 20 -ApiVersion 'beta' ` | Select-Object -Property "*" -ExcludeProperty '@odata.type' ` | Select-Object -Property "*", @{ Name = "assignedPlans"; Expression = { Write-Output @($_.assignedPlans | Where-Object service -EQ 'AADPremiumService') -NoEnumerate } } -ExcludeProperty 'assignedPlans' ` | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "userData.xml") $ReferencedIdCache.user.Clear() ### Generate Reports if (!$SkipReportOutput) { Write-AppInsightsTrace ("{0} - Output Reports" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Output Report Data' -PercentComplete 85 Export-AADAssessmentReportData -SourceDirectory $OutputDirectoryAAD -LicenseType $licenseType -Force ## Remove Raw Data Output Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml" -ErrorAction Ignore Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.csv" -ErrorAction Ignore } ### Package Output if (!$SkipPackaging) { Write-AppInsightsTrace ("{0} - Package Output" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache) Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Packaging Data' -PercentComplete 95 ### Remove pre existing package (zip) if it exists if (Test-Path -Path $PackagePath) { Remove-Item $PackagePath -Force } ### Package Output #Compress-Archive (Join-Path $OutputDirectoryData '\*') -DestinationPath $PackagePath -Force -ErrorAction Stop [System.IO.Compression.ZipFile]::CreateFromDirectory($OutputDirectoryData, $PackagePath) $PackageFileInfo = Get-Item $PackagePath Write-AppInsightsTrace ("{0} - Package Complete" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties ((Get-ReferencedIdCacheDetail $ReferencedIdCache) + [ordered]@{ PackageSize = Format-DataSize $PackageFileInfo.Length; PackageSizeInBytes = $PackageFileInfo.Length }) Remove-Item $OutputDirectoryData -Recurse -Force } ### Complete Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Completed ### Write Custom Event Write-AppInsightsEvent 'AAD Assessment Data Collection Complete' -OverrideProperties -Properties @{ AssessmentId = $AssessmentData.AssessmentId AssessmentVersion = $MyInvocation.MyCommand.Module.Version.ToString() AssessmentTenantId = $OrganizationData.id } ### Stop Transcript #Stop-Transcript #$Error | Select-Object -Last ($Error.Count - $ErrorStartCount) | Export-Clixml -Path (Join-Path $OutputDirectoryData "PowerShell_errors.xml") -Depth 10 ### Open Directory try { Invoke-Item $OutputDirectory -ErrorAction SilentlyContinue } catch {} } catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw } finally { ## Stop transcript if not already #try { Stop-Transcript | Out-Null } #catch {} # check generated package and issue warning $issue = $false if (!(Test-Path -PathType Leaf -Path $PackagePath) -and !$SkipPackaging) { Write-Warning "The export package has not been generated" $issue = $true } elseif (!$SkipPackaging) { if (!(Test-AADAssessmentPackage -Path $PackagePath -SkippedReportOutput $SkipReportOutput)) { Write-Warning "The generated package is missing some data" $issue = $true } } if ($issue) { Write-Warning "If you are working with microsoft or a provider on the assessment please warn them" Write-Warning "Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen" Write-warning "https://github.com/AzureAD/AzureADAssessment/issues" } Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } } #endregion #region New-AADAssessmentRecommendations.ps1 <# .SYNOPSIS Produces the Azure AD Assessment recommendations from collected data. .DESCRIPTION This cmdlet reads data collected and generates recommendations accordingly. .EXAMPLE PS C:\> New-AADAssessmentRecommendations Collect and package assessment data from "C:\AzureADAssessment" and generate recommendations in the same folder. .EXAMPLE PS C:\> New-AADAssessmentRecommendations -OutputDirectory "C:\Temp" Collect and package assessment data from "C:\Temp" and generate recommendations in the same folder. #> function New-AADAssessmentRecommendations { [CmdletBinding()] param ( # Specifies a path where extracted data resides (folder) [Parameter(Mandatory = $false)] [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment'), # Full path of the directory where the output files will be copied. [Parameter(Mandatory = $false)] [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'), [Parameter(Mandatory = $false)] [switch] $SkipExpand = $false, # Path to the spreadsheet with the interview answers [Parameter(Mandatory = $false)] [string] $InterviewSpreadsheetPath ) Start-AppInsightsRequest $MyInvocation.MyCommand.Name ## Expand extracted data if (-not $SkipExpand) { $Archives = Get-ChildItem -Path $Path | Where-Object {$_.Name -like "AzureADAssessmentData-*.zip" } $ExtractedDirectories = @() foreach($Archive in $Archives) { $OutputDirectoryData = Join-Path $OutputDirectory ([IO.Path]::GetFileNameWithoutExtension($Archive.Name)) Expand-Archive -Path $Archive.FullName -DestinationPath $OutputDirectoryData -Force -ErrorAction Stop $ExtractedDirectories += $OutputDirectoryData } } ## Determine folder contents $TenantDirectoryData = $null $AADCDirecotryData = @() $ADFSDirectoryData = @() $AADAPDirectoryData = @() foreach($Directory in Get-ChildItem -Path $Path -Directory) { Switch -Wildcard ($Directory.Name) { "AzureADAssessmentData-*.onmicrosoft.com" { $TenantDirectoryData = $Directory.FullName } "AzureADAssessmentData-AADC-*" { $AADCDirecotryData += $Directory.FullName } "AzureADAssessmentData-ADFS-*" { $ADFSDirectoryData += $Directory.FullName } "AzureADAssessmentData-AADAP-*" { $AADAPDirectoryData += $Directory.FullName } default { Write-Warning "Unrecognized directory $($Directory.Name)" } } } # Generate recommendations from tenant data if (![String]::IsNullOrWhiteSpace($TenantDirectoryData)) { $data = @{} ### Load all the data on AAD # Load Interview questions if($null -ne $InterviewSpreadsheetPath){ $interviewQna = Get-SpreadsheetJson $InterviewSpreadsheetPath $interviewQnaPath = Join-Path $TenantDirectoryData "QnA.json" $interviewQna | ConvertTo-Json | Out-File $interviewQnaPath $data['QnA.json'] = $interviewQna } # Prepare paths $AssessmentDetailPath = Join-Path $TenantDirectoryData "AzureADAssessment.json" # Read assessment data $AssessmentDetail = Get-Content $AssessmentDetailPath -Raw | ConvertFrom-Json # Generate AAD data path $AADPath = Join-Path $TenantDirectoryData "AAD-$($AssessmentDetail.AssessmentTenantDomain)" <# do not load file before hand but only when necessary $files = get-childitem -Path $AADPath -File foreach($file in $files) { switch -Wildcard ($file.Name) { "*.json" { $data[$file.Name] = get-content -Path $file.FullName | ConvertFrom-Json } "*.csv" { $data[$file.Name] = Import-Csv -Path $file.FullName } "*.xml" { $data[$file.Name] = Import-Clixml -Path $file.FullName } default { Write-Warning "Unsupported data file format: $($file.Name)" } } }#> ### Load configuration file $recommendations = Select-Xml -Path (Join-Path $PSScriptRoot "AADRecommendations.xml") -XPath "/recommendations" $recommendationList = @() $idUniqueCheck = @{} # Hashtable to validate that IDs are unique foreach($recommendationDef in $recommendations.Node.recommendation) { if($idUniqueCheck.ContainsKey($recommendationDef.ID)){ Write-Error "Found duplicate recommendation $($recommendationDef.ID)" } else { $idUniqueCheck.Add($recommendationDef.ID, $recommendationDef.ID) } if(Get-ObjectPropertyValue $recommendationDef 'Sources'){ # make sure necessary files are loaded $fileMissing = $false foreach($fileName in $recommendationDef.Sources.File) { $filePath = Join-Path $AADPath $fileName if (!(Test-Path -Path $filePath)) { Write-Warning "File not found: $filePath" $fileMissing = $true break } if ($fileName -in $data.Keys) { continue } switch -Wildcard ($fileName) { "*.json" { $data[$fileName] = get-content -Path $filePath | ConvertFrom-Json } "*.csv" { $data[$fileName] = Import-Csv -Path $filePath } "*.xml" { $data[$fileName] = Import-Clixml -Path $filePath } default { Write-Warning "Unsupported data file format: $($fileName)" } } } if ($fileMissing) { write-warning "A necessary file is missing" continue } } $recommendation = $recommendationDef | select-object ID,Category,Area,Name,Summary,Recommendation,Priority,Data,SortOrder # Manual checks won't have a PowerShell script to run if(Get-ObjectPropertyValue $recommendationDef 'PowerShell'){ $scriptblock = [Scriptblock]::Create($recommendationDef.PowerShell) $result = Invoke-Command -ScriptBlock $scriptblock -ArgumentList $Data $recommendation.Priority = $result.Priority $recommendation.Data = $result.Data } else { if((Get-ObjectPropertyValue $recommendationDef 'Type') -eq 'QnA'){ Set-TypeQnAResult $data $recommendationDef $recommendation } } Set-SortOrder $recommendation $recommendationList += $recommendation } #Set-Content -Value ($idUniqueCheck.GetEnumerator() | Sort-Object name | Select-Object name) -Path ./log.txt #Write-Output "Total checks: $($idUniqueCheck.Count)" Write-Output "Completed $($recommendationList.Length) checks." Write-Verbose "Writing recommendations" Write-RecommendationsReport $data $recommendationList Write-Verbose "Recommendations written" # generate Trusted network locations #Get-TrustedNetworksRecommendation -Path $TenantDirectoryData } else { Write-Error "No Tenant Data found" } Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } function Set-TypeQnAResult($data, $recommendationDef, $recommendation){ $qnaData = $data['QnA.json'] $qnaReco = Get-ObjectPropertyValue $recommendationDef 'QnA' $namedRange = Get-ObjectPropertyValue $qnaReco 'Name' $userValue = Get-ObjectPropertyValue $qnaData[$namedRange] 'Value' switch ($userValue) { '' { $recommendation.Priority = "Not Answered" } 'Not Applicable' { $recommendation.Priority = "N/A" } Default { foreach($answer in $qnaReco.Answers.Answer){ if($userValue -eq $answer.Value){ $recommendation.Priority = $answer.Priority } } } } } #endregion #region Export-AADAssessmentRecommendations.ps1 <# .SYNOPSIS Exports AAD Assessment Recommendations to file .DESCRIPTION This cmdlet gets recommendations from input and generate a recommendation file. If no recommendations are provided it will generate them .EXAMPLE PS C:\> Export-AADAssessmentRecommendations Analyse assessment data from "C:\AzureADAssessment" and export recommendations file in the same folder. .EXAMPLE PS C:\> Export-AADAssessmentRecommendations -OutputDirectory "C:\Temp" Analyse assessment data from "C:\Temp" and export recommendations file in the same folder. .EXAMPLE PS C:\> New-AADAssessmentREcommendations | Export-AADAssessmentRecommendations Exports recommandations file in "C:\AzureADAssessment" #> function Export-AADAssessmentRecommendations { [CmdletBinding()] param ( # Recommendations to export [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)] [Object[]] $Recommandations, [Parameter(Mandatory = $true)] [string] $TenantName, # Specifies a path where extracted data resides (folder) [Parameter(Mandatory = $false)] [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment'), # Full path of the directory where the output files will be copied. [Parameter(Mandatory = $false)] [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'), [Parameter(Mandatory = $false)] [ValidateSet("json","md","docx")] $OutputType = "json", [Parameter(Mandatory = $false)] [bool] $SkipExpand = $false ) #Start-AppInsightsRequest $MyInvocation.MyCommand.Name if ($null -eq $Recommandations -or $Recommandations.Count -eq 0) { $Recommandations = New-AADAssessmentRecommendations -Path $Path -OutputDirectory $OutputDirectory -SkipExpand $SkipExpand } if ($OutputType -eq "json") { # Export recommendations to json $Recommandations | Export-JsonArray (Join-Path $OutputDirectory "recommendations.json") } if ($OutputType -eq "md") { $data = "" | Select-Object Tenant,Date,Version,Summary,Categories $data.Tenant = $TenantName $data.Date = get-date -Format "dd/MM/yyyy" $data.Version = "AzureADAssessment - 2.0" # Main Summary $data.Summary = "" | Select-Object P1,P2,P3,Passed,P1infos $P1s = @($Recommandations | Where-Object {$_.Priority -eq "P1"} | Select-Object Category,Area,Name) $P2s = @($Recommandations | Where-Object {$_.Priority -eq "P2"} | Select-Object Category,Area,Name) $P3s = @($Recommandations | Where-Object {$_.Priority -eq "P3"} | Select-Object Category,Area,Name) $Passed = @($Recommandations | Where-Object {$_.Priority -eq "Passed"} | Select-Object Category,Area,Name) $data.Summary.P1 = $P1s.Count $data.Summary.P2 = $P2s.Count $data.Summary.P3 = $P3s.Count $data.Summary.Passed = $Passed.Count $data.Summary.P1Infos = @{} $data.Categories = @() $perCategory = $Recommandations | Group-Object -Property Category foreach($catGroup in $perCategory) { $catData = "" | Select-Object Category,Summary,Areas $catDAta.Category = $catGroup.Name $catData.Areas = @{} $catData.Summary = "" | Select-Object P1,P2,P3,Passed $catRecommendations = $catGroup.Group $catData.Summary.P1 = @($catRecommendations | Where-Object {$_.Priority -eq "P1"}).Count $catData.Summary.P2 = @($catRecommendations | Where-Object {$_.Priority -eq "P2"}).Count $catData.Summary.P3 = @($catRecommendations | Where-Object {$_.Priority -eq "P3"}).Count $catData.Summary.Passed = @($catRecommendations | Where-Object {$_.Priority -eq "Passed"}).Count if ($catData.Summary.P1 -gt 0) { $data.Summary.P1Infos[$catGroup.Name] = @{} } $perArea = $catRecommendations | Group-Object -Property Area foreach ($areaGroup in $perArea) { $catData.Areas[$areaGroup.Name] = @($areaGroup.Group | Select-Object Name,Summary,Recommendation,Priority,DataReport | Sort-Object -Property Priority,Name) $areaP1s = @($catData.Areas[$areaGroup.Name] | Where-Object { $_.Priority -eq "P1"}) if ($areaP1s.Count -gt 0) { $data.Summary.P1Infos[$catGroup.Name][$areaGroup.Name] = @($areaP1s | ForEach-Object { $_.Name }) } } $data.Categories += $catData } $data | convertTo-Json -Depth 5 | Out-File -FilePath (Join-Path $OutputDirectory "recommendationsData.json") ### Output data as markdown # Title "# Azure Active Direcotry Asssement Recommendations" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # General informations "Tenant Name: $($data.Tenant)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "Date: $($data.Date)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "Version: $($data.Version)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # Summary "Recommandations:" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* P1: $($data.Summary.P1)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* P2: $($data.Summary.P2)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* P3: $($data.Summary.P3)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* Passed: $($data.Summary.Passed)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append if ($data.Summary.P1 -gt 0) { # Priority 1 summary "First Priority Recommendations:" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # Adjust Sizes $categorySize = 8 $areaSize = 4 $checkSize = 14 foreach($category in $data.Summary.P1Infos.Keys) { # category if ($categorySize -lt $category.Length) { $categorySize = $category.Length } foreach($area in $data.Summary.P1Infos.$category.Keys) { # area if ($areaSize -lt $area.Length) { $areaSize = $area.Length } foreach($check in $data.Summary.P1Infos.$category.$area) { # category if ($checkSize -lt $check.Length) { $checkSize = $check.Length } } } } # add padding $categorySize += 2 $areaSize += 2 $checkSize += 2 # output table "|" + " " * (($categorySize - 8) / 2) + "Category" + " " * (($categorySize - 8) / 2) + "|" + ` " " * (($areaSize - 4) / 2) + "Area" + " " * (($areaSize - 4) / 2) + "|" + ` " " * (($checkSize - 14) / 2) + "Recommendation" + " " * (($checkSize - 14) / 2) + "|" ` | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "|" + "-" * $categorySize + "|" + ` "-" * $areaSize + "|" + ` "-" * $checkSize + "|" ` | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append foreach($category in $data.Summary.P1Infos.Keys) { # category $categoryShown = $false foreach($area in $data.Summary.P1Infos.$category.Keys) { # area $areaShown = $false foreach($check in $data.Summary.P1Infos.$category.$area) { # check if ($categoryShown -and $areaShown) { "|" + " " * $categorySize + "|" + ` " " * $areaSize + "|" + ` " " * (($checkSize - $check.Length) / 2) + $check + " " * (($checkSize - $check.Length) / 2) + "|" ` | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append } elseif ( $categoryShown -and -not $areaShown) { "|" + " " * $categorySize + "|" + ` " " * (($areaSize - $area.Length) / 2) + $area + " " * (($areaSize - $area.Length) / 2) + "|" + ` " " * (($checkSize - $check.Length) / 2) + $check + " " * (($checkSize - $check.Length) / 2) + "|" ` | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append $areaShown = $true } else { "|" + " " * (($categorySize - $category.Length) / 2) + $category + " " * (($categorySize - $category.Length) / 2) + "|" + ` " " * (($areaSize - $area.Length) / 2) + $area + " " * (($areaSize - $area.Length) / 2) + "|" + ` " " * (($checkSize - $check.Length) / 2) + $check + " " * (($checkSize - $check.Length) / 2) + "|" ` | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append $categoryShown = $true $areaShown = $true } } } } } "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # output categories foreach($category in $data.Categories) { # title "## $($category.Category)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # Summary "Recommandations:" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* P1: $($category.Summary.P1)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* P2: $($category.Summary.P2)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* P3: $($category.Summary.P3)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "* Passed: $($category.Summary.Passed)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # areas foreach($area in $category.Areas.Keys) { # title "### $($area)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # checks foreach($check in $category.Areas.$area) { # title "#### $($check.Name)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # priority "**Priority: $($check.Priority)**" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # summary $check.Summary | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append # Recommendation "> **Recommendation:**" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append ">" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "> $($check.Recommendation)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append } } } } #Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? } #endregion #region Import-AADAssessmentEvidence.ps1 <# .SYNOPSIS Import evidence from the assessment data .PARAMETER Ref Refence of the file to look for. Composed of the package type (Tenant, AADC, ADFS, AADP) followed by the file name separated by a "/" .PARAMETER Path Path where to look for packages with data collected .DESCRIPTION This cmdlet reads data collected from package (zip) and caches it in memory Reference indicates witch file to load from which kind of package (Tenant, AADC, ADFS, AADAP) .EXAMPLE PS C:\> Import-AADAssessmentEvidence -Ref "Tenant/conditionalAccessPolicies.json" Reads conditional access policies from packages located in "C:\AzureADAssessment" .EXAMPLE PS C:\> New-AADAssessmentRecommendations -Path "C:\Temp" -Ref "Tenant/conditionalAccessPolicies.json" Reads conditional access policies from packages located in "C:\Temp" #> function Import-AADAssessmentEvidence { [CmdletBinding()] param ( [Parameter( Mandatory = $true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true )] [string] $Ref, # Full path of the directory where the output files will be generated. [Parameter(Mandatory = $false)] [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment') ) process { # check that reference is in a correct format $refInfo = $Ref -split "/" if ($refInfo.Length -ne 2) { throw "invalid evidence reference $Ref" } # determine whare to look for the file $component = $refInfo[0] $relativeFolder = "" $zipFile = "" Switch ($refInfo[0]) { "Tenant" { $relativeFolder = "AAD-*.onmicrosoft.com" $zipFile = "AzureADAssessmentData-*.onmicrosoft.com.zip" } "AADC" { $relativeFolder = "AADC" $zipFile = "AzureADAssessmentData-AADC-*.zip" } "ADFS" { $relativeFolder = "ADFS" $zipFile = "AzureADAssessmentData-ADFS-*.zip" } "AADAP" { $relativeFolder = "AADAP" $zipFile = "AzureADAssessmentData-AADAP-*.zip" } default { throw "unknown evidence component $($refInfo[0])" } } # determine filename $fileName = $refInfo[1] # skip if file type not supported if ($fileName -inotmatch "\.(csv|json|xml)$") { return } # get the path to the evidence archive $zipPath = Join-Path $Path $zipFile Add-Type -assembly "system.io.compression.filesystem" # resolve the file Write-Verbose "searching zips: $zipPath" $foundZipFiles = Get-ChildItem -Path $zipPath foreach($foundZipFile in $foundZipFiles) { # get the environement (tenant name or server name) $envName = $foundZipFile -replace ".zip$","" -replace "^AzureADAssessmentData*-","" # initialize env infos if (!$script:Evidences[$component].ContainsKey($envName)) { $script:Evidences[$component][$envName] = @{} } # check if file loaded if ($script:Evidences[$component][$envName].ContainsKey($fileName)) { Write-Verbose "$component/$envName/$fileName already loaded" return } # read the zip file and extract desired evidence Write-Verbose "Opening zip file: $foundZipFile" $zip = [io.compression.zipfile]::OpenRead($foundZipFile) # get the files to read $toRead = @() foreach($entry in $zip.Entries) { if (($entry -like "$relativeFolder\$fileName") -or ($entry -like "$relativeFolder/$fileName")) { $toRead += $entry } } foreach($zipEntry in $toRead) { Write-Verbose "Reading $zipEntry" $file = $zipEntry.Open() $reader = New-Object IO.StreamReader($file) switch -Wildcard ($zipEntry.Name) { "*.json" { $script:Evidences[$component][$envName][$fileName] = $reader.ReadToEnd() | ConvertFrom-Json } "*.csv" { $script:Evidences[$component][$envName][$fileName] = $reader.ReadToEnd() | ConvertFrom-Csv } "*.xml" { $script:Evidences[$component][$envName][$fileName] = [System.Xml.Serialization]::Deserialize($read) } } $reader.Close() $file.Close() } $zip.Dispose() } } } #endregion #region Export-AADAssessmentReportData.ps1 function Export-AADAssessmentReportData { [CmdletBinding()] param ( # Full path of the directory where the source xml files are located. [Parameter(Mandatory = $true)] [string] $SourceDirectory, # Full path of the directory where the output files will be generated. [Parameter(Mandatory = $false)] [string] $OutputDirectory, # LicenseType of the tenant [Parameter(Mandatory = $false)] [ValidateSet('Free','P1','P2')] [string] $licenseType = "P2", # Force report generation even if target is already present [Parameter(Mandatory = $false)] [switch] $Force ) if ([string]::IsNullOrWhiteSpace($OutputDirectory)) { $OutputDirectory = $SourceDirectory } $LookupCache = New-LookupCache function Get-LookupCacheDetail { param ( # LookupCache Object [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)] [psobject] $LookupCache ) process { $Output = [ordered]@{} foreach ($Property in $LookupCache.psobject.Properties) { $Output.Add(('LookupCacheCount: {0}' -f $Property.Name), $Property.Value.Count) } } } Write-AppInsightsTrace ("{0} - Exporting applications" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) if (!(Test-Path -Path (Join-Path $OutputDirectory "applications.json")) -or $Force) { Import-Clixml -Path (Join-Path $SourceDirectory "applicationData.xml") ` | Use-Progress -Activity 'Exporting applications' -Property displayName -PassThru -WriteSummary ` | Export-JsonArray (Join-Path $OutputDirectory "applications.json") -Depth 5 -Compress } # Import-Clixml -Path (Join-Path $SourceDirectory "directoryRoleData.xml") ` # | Use-Progress -Activity 'Exporting directoryRoles' -Property displayName -PassThru -WriteSummary ` # | Export-JsonArray (Join-Path $OutputDirectory "directoryRoles.json") -Depth 5 -Compress Write-AppInsightsTrace ("{0} - Exporting appRoleAssignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) if (!(Test-Path -Path (Join-Path $OutputDirectory "appRoleAssignments.csv")) -or $Force) { Set-Content -Path (Join-Path $OutputDirectory "appRoleAssignments.csv") -Value 'id,deletedDateTime,appRoleId,createdDateTime,principalDisplayName,principalId,principalType,resourceDisplayName,resourceId' Import-Clixml -Path (Join-Path $SourceDirectory "appRoleAssignmentData.xml") ` | Use-Progress -Activity 'Exporting appRoleAssignments' -Property id -PassThru -WriteSummary ` | Format-Csv ` | Export-Csv (Join-Path $OutputDirectory "appRoleAssignments.csv") -NoTypeInformation -Append } Write-AppInsightsTrace ("{0} - Exporting oauth2PermissionGrants" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) if (!(Test-Path -Path (Join-Path $OutputDirectory "oauth2PermissionGrants.csv")) -or $Force) { Set-Content -Path (Join-Path $OutputDirectory "oauth2PermissionGrants.csv") -Value 'id,consentType,clientId,principalId,resourceId,scope' Import-Clixml -Path (Join-Path $SourceDirectory "oauth2PermissionGrantData.xml") ` | Use-Progress -Activity 'Exporting oauth2PermissionGrants' -Property id -PassThru -WriteSummary ` | Export-Csv (Join-Path $OutputDirectory "oauth2PermissionGrants.csv") -NoTypeInformation -Append } Write-AppInsightsTrace ("{0} - Exporting servicePrincipals (JSON)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) if (!(Test-Path -Path (Join-Path $OutputDirectory "servicePrincipals.json")) -or $Force) { Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") ` | Use-Progress -Activity 'Exporting servicePrincipals (JSON)' -Property displayName -PassThru -WriteSummary ` | Export-JsonArray (Join-Path $OutputDirectory "servicePrincipals.json") -Depth 5 -Compress } Write-AppInsightsTrace ("{0} - Exporting servicePrincipals (CSV)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) if (!(Test-Path -Path (Join-Path $OutputDirectory "servicePrincipals.csv")) -or $Force) { Set-Content -Path (Join-Path $OutputDirectory "servicePrincipals.csv") -Value 'id,appId,servicePrincipalType,displayName,accountEnabled,appOwnerOrganizationId' Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") ` | Use-Progress -Activity 'Exporting servicePrincipals (CSV)' -Property displayName -PassThru -WriteSummary ` | Select-Object -Property id, appId, servicePrincipalType, displayName, accountEnabled, appOwnerOrganizationId ` | Export-Csv (Join-Path $OutputDirectory "servicePrincipals.csv") -NoTypeInformation -Append } # Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") ` # | Use-Progress -Activity 'Exporting users' -Property displayName -PassThru -WriteSummary ` # | Export-JsonArray (Join-Path $OutputDirectory "users.json") -Depth 5 -Compress ## Comment out to generate user data via report #Set-Content -Path (Join-Path $OutputDirectory "users.csv") -Value 'id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,AADLicense,lastSigninDateTime' #Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") ` #| Use-Progress -Activity 'Exporting users' -Property displayName -PassThru -WriteSummary ` #| Select-Object -Property id, userPrincipalName, userType, displayName, accountEnabled, # @{ Name = "onPremisesSyncEnabled"; Expression = { [bool]$_.onPremisesSyncEnabled } }, # @{ Name = "onPremisesImmutableId"; Expression = {![string]::IsNullOrWhiteSpace($_.onPremisesImmutableId)}}, # mail, # @{ Name = "otherMails"; Expression = { $_.otherMails -join ';' } }, # @{ Name = "AADLicense"; Expression = {$plans = $_.assignedPlans | foreach-object { $_.servicePlanId }; if ($plans -contains "eec0eb4f-6444-4f95-aba0-50c24d67f998") { "AADP2" } elseif ($plans -contains "41781fb2-bc02-4b7c-bd55-b576c07bb09d") { "AADP1" } else { "None" }}} ` #| Export-Csv (Join-Path $OutputDirectory "users.csv") -NoTypeInformation # Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") ` # | Use-Progress -Activity 'Exporting groups' -Property displayName -PassThru -WriteSummary ` # | Export-JsonArray (Join-Path $OutputDirectory "groups.json") -Depth 5 -Compress Write-AppInsightsTrace ("{0} - Exporting groups" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) if (!(Test-Path -Path (Join-Path $OutputDirectory "groups.csv")) -or $Force) { Set-Content -Path (Join-Path $OutputDirectory "groups.csv") -Value 'id,groupTypes,mailEnabled,securityEnabled,groupType,displayName,onPremisesSyncEnabled,mail' Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") ` | Use-Progress -Activity 'Exporting groups' -Property displayName -PassThru -WriteSummary ` | Select-Object -Property id, groupTypes, mailEnabled, securityEnabled, @{ Name = "groupType"; Expression = { if ($_.groupTypes -contains "Unified") { "Microsoft 365" } elseif ($_.securityEnabled) { if ($_.mailEnabled) { "Mail-enabled Security" } else { "Security" } } elseif ($_.mailEnabled) { "Distribution" } else { "Unknown" } # not mail enabled neither security enabled }}, displayName, @{ Name = "onPremisesSyncEnabled"; Expression = { [bool]$_.onPremisesSyncEnabled } }, mail ` | Export-Csv (Join-Path $OutputDirectory "groups.csv") -NoTypeInformation -Append } ## Option 1 from Data Collection: Expand Group Membership to get transitiveMembers. # Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache # Set-Content -Path (Join-Path $OutputDirectory "groupTransitiveMembers.csv") -Value 'id,memberId,memberType' # $LookupCache.group.Values ` # | Use-Progress -Activity 'Exporting group memberships' -Property displayName -Total $LookupCache.group.Count -PassThru -WriteSummary ` # | ForEach-Object { # $group = $_ # Expand-GroupTransitiveMembership $group.id -LookupCache $LookupCache | ForEach-Object { # [PSCustomObject]@{ # id = $group.id # #'@odata.type' = $group.'@odata.type' # memberId = $_.id # memberType = $_.'@odata.type' -replace '#microsoft.graph.', '' # #direct = $group.members.id.Contains($_.id) # } # } # } ` # | Export-Csv (Join-Path $OutputDirectory "groupTransitiveMembers.csv") -NoTypeInformation # Set-Content -Path (Join-Path $OutputDirectory "administrativeUnits.csv") -Value 'id,displayName,visibility,users,groups' # Import-Clixml -Path (Join-Path $SourceDirectory "administrativeUnitsData.xml") ` # | Use-Progress -Activity 'Exporting Administrative Units' -Property displayName -PassThru -WriteSummary ` # | Select-Object id, displayName, visibility, ` # @{Name = "users"; Expression = { ($_.members | Where-Object { $_."@odata.type" -like "*.user" }).count } }, ` # @{Name = "groups"; Expression = { ($_.members | Where-Object { $_."@odata.type" -like "*.group" }).count } }` # | Export-Csv -Path (Join-Path $OutputDirectory "administrativeUnits.csv") -NoTypeInformation ### Execute Report Commands # user report if (!(Test-Path -Path (Join-Path $OutputDirectory "users.csv")) -or $Force) { Write-AppInsightsTrace ("{0} - Exporting UserReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) # load data if cache empty if ($LookupCache.user.Count -eq 0) { Write-Output "Loading users in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } if ($LookupCache.userRegistrationDetails.Count -eq 0 -and $licenseType -ne "Free") { Write-Output "Loading users registration details in lookup cache" # In PS5 loading directly from ConvertFrom-Json fails $userRegistrationDetails = Get-Content -Path (Join-Path $SourceDirectory "userRegistrationDetails.json") -Raw | ConvertFrom-Json $userRegistrationDetails | Add-AadObjectToLookupCache -Type userRegistrationDetails -LookupCache $LookupCache } # generate the report Write-AppInsightsTrace ("{0} - Exporting UserReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) Set-Content -Path (Join-Path $OutputDirectory "users.csv") -Value 'id,userPrincipalName,displayName,userType,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,AADLicense,lastInteractiveSignInDateTime,lastNonInteractiveSignInDateTime,isMfaRegistered,isMfaCapable,methodsRegistered,defaultMfaMethod' Get-AADAssessUserReport -Offline -UserData $LookupCache.user -RegistrationDetailsData $LookupCache.userRegistrationDetails` | Use-Progress -Activity 'Exporting UserReport' -Property id -PassThru -WriteSummary ` | Format-Csv ` | Export-Csv -Path (Join-Path $OutputDirectory "users.csv") -NoTypeInformation -Append # clean what is not used by other reports $LookupCache.userRegistrationDetails.Clear() } # # notificaiton emails report (Remove on next release) # if (!(Test-Path -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv")) -or $Force) { # # load unique data # $OrganizationData = Get-Content -Path (Join-Path $SourceDirectory "organization.json") -Raw | ConvertFrom-Json # [array] $DirectoryRoleData = Import-Clixml -Path (Join-Path $SourceDirectory "directoryRoleData.xml") # # load data if cache empty # if ($LookupCache.user.Count -eq 0) { # Write-Output "Loading users in lookup cache" # Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache # } # if ($LookupCache.group.Count -eq 0) { # Write-Output "Loading groups in lookup cache" # Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache # } # # generate the report # Set-Content -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv") -Value 'notificationType,notificationScope,recipientType,recipientEmail,recipientEmailAlternate,recipientId,recipientUserPrincipalName,recipientDisplayName' # Get-AADAssessNotificationEmailsReport -Offline -OrganizationData $OrganizationData -UserData $LookupCache.user -GroupData $LookupCache.group -DirectoryRoleData $DirectoryRoleData ` # | Use-Progress -Activity 'Exporting NotificationsEmailsReport' -Property recipientEmail -PassThru -WriteSummary ` # | Export-Csv -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv") -NoTypeInformation -Append # # clean unique data # Remove-Variable DirectoryRoleData # } # role assignment report if (!(Test-Path -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv")) -or $Force) { Write-AppInsightsTrace ("{0} - Exporting RoleAssignmentReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) # Set file header Set-Content -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -Value "id,directoryScopeId,directoryScopeObjectId,directoryScopeDisplayName,directoryScopeType,roleDefinitionId,roleDefinitionTemplateId,roleDefinitionDisplayName,principalId,principalDisplayName,principalType,principalMail,principalOtherMails,memberType,assignmentType,startDateTime,endDateTime" # load unique data [array] $roleAssignmentScheduleInstancesData = @() [array] $roleEligibilityScheduleInstancesData = @() [array] $roleAssignmentsData = @() if ($licenseType -eq "P2") { $roleAssignmentScheduleInstancesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentScheduleInstancesData.xml") $roleEligibilityScheduleInstancesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleEligibilityScheduleInstancesData.xml") } else { $roleAssignmentsData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentsData.xml") } # load data if cache empty $OrganizationData = Get-Content -Path (Join-Path $SourceDirectory "organization.json") -Raw | ConvertFrom-Json if ($LookupCache.user.Count -eq 0) { Write-Output "Loading users in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } if ($LookupCache.group.Count -eq 0) { Write-Output "Loading groups in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache } if ($LookupCache.administrativeUnit.Count -eq 0) { Write-Output "Loading administrative units in lookup cache" Import-Csv -Path (Join-Path $SourceDirectory "administrativeUnits.csv") | Add-AadObjectToLookupCache -Type administrativeUnit -LookupCache $LookupCache } if ($LookupCache.application.Count -eq 0) { Write-Output "Loading applications in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "applicationData.xml") | Add-AadObjectToLookupCache -Type application -LookupCache $LookupCache } if ($LookupCache.servicePrincipal.Count -eq 0) { Write-Output "Loading service principals in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache } # generate the report Write-AppInsightsTrace ("{0} - Exporting RoleAssignmentReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) Get-AADAssessRoleAssignmentReport -Offline -RoleAssignmentsData $roleAssignmentsData -RoleAssignmentScheduleInstancesData $roleAssignmentScheduleInstancesData -RoleEligibilityScheduleInstancesData $roleEligibilityScheduleInstancesData -OrganizationData $OrganizationData -AdministrativeUnitsData $LookupCache.administrativeUnit -UsersData $LookupCache.user -GroupsData $LookupCache.group -ApplicationsData $LookupCache.application -ServicePrincipalsData $LookupCache.servicePrincipal ` | Use-Progress -Activity 'Exporting RoleAssignmentReport' -Property id -PassThru -WriteSummary ` | Format-Csv ` | Export-Csv -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -NoTypeInformation -Append # clear unique data Remove-Variable roleAssignmentScheduleInstancesData, roleEligibilityScheduleInstancesData # clear cache as data is not further used by other reports $LookupCache.group.Clear() $LookupCache.administrativeUnit.Clear() } # app credential report if (!(Test-Path -Path (Join-Path $OutputDirectory "AppCredentialsReport.csv")) -or $Force) { Write-AppInsightsTrace ("{0} - Exporting AppCredentialsReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) # load data in cache if empty if ($LookupCache.application.Count -eq 0) { Write-Output "Loading applications in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "applicationData.xml") | Add-AadObjectToLookupCache -Type application -LookupCache $LookupCache } if ($LookupCache.servicePrincipal.Count -eq 0) { Write-Output "Loading service principals in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache } # generate the report Write-AppInsightsTrace ("{0} - Exporting AppCredentialsReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) Set-Content -Path (Join-Path $OutputDirectory "AppCredentialsReport.csv") -Value 'displayName,objectType,credentialType,credentialStartDateTime,credentialEndDateTime,credentialUsage,certSubject,certIssuer,certIsSelfSigned,certSignatureAlgorithm,certKeySize,credentialHasExtendedValue' Get-AADAssessAppCredentialExpirationReport -Offline -ApplicationData $LookupCache.application -ServicePrincipalData $LookupCache.servicePrincipal ` | Use-Progress -Activity 'Exporting AppCredentialsReport' -Property displayName -PassThru -WriteSummary ` | Format-Csv ` | Export-Csv -Path (Join-Path $OutputDirectory "AppCredentialsReport.csv") -NoTypeInformation -Append # clear cache as data in bot further used by other reports $LookupCache.application.Clear() } # consent grant report if (!(Test-Path -Path (Join-Path $OutputDirectory "ConsentGrantReport.csv")) -or $Force) { Write-AppInsightsTrace ("{0} - Exporting ConsentGrantReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) # load unique data [array] $AppRoleAssignmentData = Import-Clixml -Path (Join-Path $SourceDirectory "appRoleAssignmentData.xml") [array] $OAuth2PermissionGrantData = Import-Clixml -Path (Join-Path $OutputDirectory "oauth2PermissionGrantData.xml") # load data if cache empty if ($LookupCache.user.Count -eq 0) { Write-Output "Loading users in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache } if ($LookupCache.servicePrincipal.Count -eq 0) { Write-Output "Loading service principals in lookup cache" Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache } # generate the report Write-AppInsightsTrace ("{0} - Exporting ConsentGrantReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache) Set-Content -Path (Join-Path $OutputDirectory "ConsentGrantReport.csv") -Value 'permission,permissionType,clientId,clientDisplayName,clientOwnerTenantId,resourceObjectId,resourceDisplayName,consentType,principalObjectId,principalDisplayName' Get-AADAssessConsentGrantReport -Offline -AppRoleAssignmentData $AppRoleAssignmentData -OAuth2PermissionGrantData $OAuth2PermissionGrantData -UserData $LookupCache.user -ServicePrincipalData $LookupCache.servicePrincipal ` | Use-Progress -Activity 'Exporting ConsentGrantReport' -Property clientDisplayName -PassThru -WriteSummary ` | Export-Csv -Path (Join-Path $OutputDirectory "ConsentGrantReport.csv") -NoTypeInformation -Append } } #endregion #region Test-AADAssessmentEmailOtp.ps1 <# .SYNOPSIS Test for a recommendation on Email OTP .PARAMETER Path Path where to look for packages with data collected .DESCRIPTION Test for a recommendation on Email OTP .EXAMPLE PS C:\> Test-AADAssessmentEmailOtp Test for email OTP from packages located in "C:\AzureADAssessment" .EXAMPLE PS C:\> Test-AADAssessmentEmailOtp -Path "C:\Temp" Test for email OTP from packages located in "C:\Temp" #> function Test-AADAssessmentEmailOtp { [CmdletBinding()] param ( # Specifies a path where extracted data resides (folder) [Parameter(Mandatory = $false)] [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment') ) Begin { # necessary evidence $evidenceRef = @("Tenant/emailOTPMethodPolicy.json") # import evidence $evidenceRef | Import-AADAssessmentEvidence -Path $Path # Initialise result $result = [PSCustomObject]@{ "Category" = "Access Management" "Area" = "Authentication Experience" "Name" = "Email OTP" "Summary" = "With email OTP, org members can collaborate with anyone in the world by simply sharing a link or sending an invitation via email. Invited users prove their identity by using a verification code sent to their email account" "Recommandation" = "Enable email OTP" "Priority" = "Passed" "Data" = @() "ID" = "AR0001" "Visibility" = "All" } # check that we have a tenant if ($script:Evidences["Tenant"].Count -eq 0) { $result.Priority = "Skipped" $result.Data = "No tenant data found" } # pick the first tenant (should be only one) $tenantName = $script:Evidences["Tenant"].Keys[0] } Process { # get the policy $policy = $script:Evidences.Tenant[$tenantName]."emailOTPMethodPolicy.json" # error out if no policy where found if (!$policy) { throw "empty OTP policy" } # Set the recommendation priority if the policy is either not enabled or doesn't allow Email OTP if ($policy.state -ne "enabled" -or $policy.allowExternalIdToUseEmailOtp -ne "enabled") { $result.Priority = "P2" } } End { $result } } #endregion #region Test-AADAssessmentPackage.ps1 <# .SYNOPSIS Test that the provided Azure AD Assessment package has the necessary content .DESCRIPTION Test that the provided Azure AD Assessment package has the necessary content .EXAMPLE PS C:\>Test-AADAssessmentPackage 'C:\AzureADAssessmentData-contoso.aad' Test that the package for contoso has the necesary content for the assessment. .INPUTS System.String #> function Test-AADAssessmentPackage { [CmdletBinding()] param ( # Path to the file where the exported events will be stored [Parameter(Mandatory = $true)] [string] $Path, # Reports should have been generated [Parameter(Mandatory = $false)] [bool] $SkippedReportOutput ) if (!(Test-Path -path $Path)) { Write-Warning "Assessment package not found" return $false } $fullPath = Convert-Path $Path $requiredEntries = @( "AAD-*/administrativeUnits.csv", "AAD-*/AppCredentialsReport.csv", "AAD-*/applications.json", "AAD-*/appRoleAssignments.csv", "AAD-*/conditionalAccessPolicies.json", "AAD-*/ConsentGrantReport.csv", "AAD-*/emailOTPMethodPolicy.json", "AAD-*/groups.csv", "AAD-*/namedLocations.json", "AAD-*/oauth2PermissionGrants.csv", "AAD-*/organization.json", "AAD-*/RoleAssignmentReport.csv", "AAD-*/roleDefinitions.csv", "AAD-*/servicePrincipals.csv", "AAD-*/servicePrincipals.json", "AAD-*/subscribedSkus.json", "AAD-*/users.csv", "AzureADAssessment.json" ) if ($SkippedReportOutput) { $requiredEntries = @( "AAD-*/administrativeUnits.csv", "AAD-*/applicationData.xml", "AAD-*/appRoleAssignmentData.xml", "AAD-*/conditionalAccessPolicies.json", "AAD-*/emailOTPMethodPolicy.json", "AAD-*/groupData.xml", "AAD-*/namedLocations.json", "AAD-*/oauth2PermissionGrantData.xml", "AAD-*/organization.json", "AAD-*/roleAssignmentScheduleInstancesData.xml", "AAD-*/roleDefinitions.csv", "AAD-*/roleEligibilityScheduleInstancesData.xml", "AAD-*/servicePrincipalData.xml", "AAD-*/subscribedSkus.json", "AAD-*/userData.xml", "AzureADAssessment.json" ) } $entries = [IO.Compression.ZipFile]::OpenRead($fullPath).Entries $effectiveEntries = $entries | Where-Object { $_.Length -gt 0} $validPackage = $true foreach($requiredEntry in $requiredEntries) { $found = $false foreach ($effectiveEntry in $effectiveEntries) { if (($effectiveEntry.FullName -replace "\\","/") -like $requiredEntry) { $found = $true } } if (!$found) { Write-Warning "Required entry '$requiredEntry' not found or empty" $validPackage = $false } } # retrun package vaility return $validPackage } #endregion #endregion ## Set Strict Mode for Module. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/set-strictmode Set-StrictMode -Version 3.0 ## Display Warning on old PowerShell versions. https://docs.microsoft.com/en-us/powershell/scripting/install/PowerShell-Support-Lifecycle#powershell-end-of-support-dates # ToDo: Only Windows PowerShell can currently satify device compliance CA requirement. Look at adding Windows Broker (WAM) support to support device compliance on PowerShell 7. # if ($PSVersionTable.PSVersion -lt [version]'7.0') { # Write-Warning 'It is recommended to use this module with the latest version of PowerShell which can be downloaded here: https://aka.ms/install-powershell' # } ## Initialize Module Configuration $script:ModuleConfigDefault = Import-Config -Path (Join-Path $PSScriptRoot 'config.json') $script:ModuleConfig = $script:ModuleConfigDefault.psobject.Copy() Import-Config | Set-Config if ($PSBoundParameters.ContainsKey('ModuleConfiguration')) { Set-Config $ModuleConfiguration } #Export-Config # Load zip dll on Windows PowerShell if ($PSVersionTable.PSEdition -eq 'Desktop') { Add-Type -AssemblyName System.IO.Compression.FileSystem -ErrorAction Stop } ## Initialize Module Variables $script:ConnectState = @{ ClientApplication = $null CloudEnvironment = 'Global' MsGraphToken = $null } $script:MsGraphSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession $script:MsGraphSession.Headers.Add('ConsistencyLevel', 'eventual') $script:MsGraphSession.UserAgent += ' AzureADAssessment' #$script:MsGraphSession.UserAgent += '{0}/{1}' -f $MyInvocation.MyCommand.Module.Name,$MyInvocation.MyCommand.Module.Version # $script:MsGraphSession.Proxy = New-Object System.Net.WebProxy -Property @{ # Address = localhost # UseDefaultCredentials = $true # } [string[]] $script:MsGraphScopes = @( 'Organization.Read.All' 'RoleManagement.Read.Directory' 'Application.Read.All' 'User.Read.All' 'Group.Read.All' 'Policy.Read.All' 'Directory.Read.All' 'SecurityEvents.Read.All' 'UserAuthenticationMethod.Read.All' 'AuditLog.Read.All' 'Reports.Read.All' ) $script:mapMgEnvironmentToAzureCloudInstance = @{ 'Global' = 'AzurePublic' 'China' = 'AzureChina' 'Germany' = 'AzureGermany' 'USGov' = 'AzureUsGovernment' 'USGovDoD' = 'AzureUsGovernment' } $script:mapMgEnvironmentToAzureEnvironment = @{ 'Global' = 'AzureCloud' 'China' = 'AzureChinaCloud' 'Germany' = 'AzureGermanyCloud' 'USGov' = 'AzureUSGovernment' 'USGovDoD' = 'AzureUsGovernment' } $script:mapMgEnvironmentToAadRedirectUri = @{ 'Global' = 'https://login.microsoftonline.com/common/oauth2/nativeclient' 'China' = 'https://login.partner.microsoftonline.cn/common/oauth2/nativeclient' 'Germany' = 'https://login.microsoftonline.com/common/oauth2/nativeclient' 'USGov' = 'https://login.microsoftonline.us/common/oauth2/nativeclient' 'USGovDoD' = 'https://login.microsoftonline.us/common/oauth2/nativeclient' } $script:mapMgEnvironmentToMgEndpoint = @{ 'Global' = 'https://graph.microsoft.com/' 'China' = 'https://microsoftgraph.chinacloudapi.cn/' 'Germany' = 'https://graph.microsoft.de/' 'USGov' = 'https://graph.microsoft.us/' 'USGovDoD' = 'https://dod-graph.microsoft.us/' } ## Initialize Application Insights for Anonymous Telemetry $script:AppInsightsRuntimeState = [PSCustomObject]@{ OperationStack = New-Object System.Collections.Generic.Stack[PSCustomObject] SessionId = New-Guid } if (!$script:ModuleConfig.'ai.disabled') { $script:AppInsightsState = [PSCustomObject]@{ UserId = New-Guid } Import-Config -Path 'AppInsightsState.json' | Set-Config -OutConfig ([ref]$script:AppInsightsState) Export-Config -Path 'AppInsightsState.json' -InputObject $script:AppInsightsState -IgnoreDefaultValues $null } ## HashArray with already read evidence $script:Evidences = @{ 'Tenant' = @{} # tenant files 'AADC' = @{} # aadconnect files indexed by server name 'ADFS' = @{} # ADFS files indexed by server name 'AADAP' = @{} # AAD Proxy Agent files indexed by server name } #Future #Get PIM data #Get Secure Score #Add Master CmdLet and make it in parallel Export-ModuleMember -Function @('Complete-AADAssessmentReports','Connect-AADAssessment','Disconnect-AADAssessment','Expand-AADAssessAADConnectConfig','Export-AADAssessmentPortableModule','Get-AADAssessAppAssignmentReport','Get-AADAssessAppCredentialExpirationReport','Export-AADAssessConditionalAccessData','Get-AADAssessConsentGrantReport','Get-AADAssessNotificationEmailsReport','Get-AADAssessRoleAssignmentReport','Get-AADAssessUserReport','Invoke-AADAssessmentDataCollection','Invoke-AADAssessmentHybridDataCollection','Get-AADAssessADFSEndpoints','Export-AADAssessADFSAdminLog','Export-AADAssessADFSConfiguration','Get-AADAssessAppProxyConnectorLog','Get-AADAssessPasswordWritebackAgentLog','Get-MsGraphResults','New-AADAssessmentRecommendations','Export-AADAssessmentRecommendations','Test-AADAssessmentEmailOtp','Export-AADAssessmentReportData','Test-AADAssessmentPackage') -Cmdlet @() -Variable @() -Alias @() # SIG # Begin signature block # MIIoLQYJKoZIhvcNAQcCoIIoHjCCKBoCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAdMG3eGJGpTcF0 # /sa4kaR8h2suiRk7vZ/8NtnHa2mjO6CCDXYwggX0MIID3KADAgECAhMzAAADTrU8 # esGEb+srAAAAAANOMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI5WhcNMjQwMzE0MTg0MzI5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDdCKiNI6IBFWuvJUmf6WdOJqZmIwYs5G7AJD5UbcL6tsC+EBPDbr36pFGo1bsU # p53nRyFYnncoMg8FK0d8jLlw0lgexDDr7gicf2zOBFWqfv/nSLwzJFNP5W03DF/1 # 1oZ12rSFqGlm+O46cRjTDFBpMRCZZGddZlRBjivby0eI1VgTD1TvAdfBYQe82fhm # WQkYR/lWmAK+vW/1+bO7jHaxXTNCxLIBW07F8PBjUcwFxxyfbe2mHB4h1L4U0Ofa # +HX/aREQ7SqYZz59sXM2ySOfvYyIjnqSO80NGBaz5DvzIG88J0+BNhOu2jl6Dfcq # jYQs1H/PMSQIK6E7lXDXSpXzAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUnMc7Zn/ukKBsBiWkwdNfsN5pdwAw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMDUxNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAD21v9pHoLdBSNlFAjmk # mx4XxOZAPsVxxXbDyQv1+kGDe9XpgBnT1lXnx7JDpFMKBwAyIwdInmvhK9pGBa31 # TyeL3p7R2s0L8SABPPRJHAEk4NHpBXxHjm4TKjezAbSqqbgsy10Y7KApy+9UrKa2 # kGmsuASsk95PVm5vem7OmTs42vm0BJUU+JPQLg8Y/sdj3TtSfLYYZAaJwTAIgi7d # hzn5hatLo7Dhz+4T+MrFd+6LUa2U3zr97QwzDthx+RP9/RZnur4inzSQsG5DCVIM # pA1l2NWEA3KAca0tI2l6hQNYsaKL1kefdfHCrPxEry8onJjyGGv9YKoLv6AOO7Oh # JEmbQlz/xksYG2N/JSOJ+QqYpGTEuYFYVWain7He6jgb41JbpOGKDdE/b+V2q/gX # UgFe2gdwTpCDsvh8SMRoq1/BNXcr7iTAU38Vgr83iVtPYmFhZOVM0ULp/kKTVoir # IpP2KCxT4OekOctt8grYnhJ16QMjmMv5o53hjNFXOxigkQWYzUO+6w50g0FAeFa8 # 5ugCCB6lXEk21FFB1FdIHpjSQf+LP/W2OV/HfhC3uTPgKbRtXo83TZYEudooyZ/A # Vu08sibZ3MkGOJORLERNwKm2G7oqdOv4Qj8Z0JrGgMzj46NFKAxkLSpE5oHQYP1H # tPx1lPfD7iNSbJsP6LiUHXH1MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGg0wghoJAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAANOtTx6wYRv6ysAAAAAA04wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEINb5DYJjW8Gs9A3RbEX55Pn2 # WqKaqK0kDDB0/BpChMmWMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEABucXtLNZR5lUk7B+2QXH82Kl93FiiyCQlXI5y7HhslEVbkXXw/JooanX # jPM7WsKP0N/9oRS7nkuJFQ9oWXzonXc8l6uKrIs2BN4b4UshDGPHnJgGZWjwqfrC # U4U6geeGHrXEO6NWB+McNWS4SE19nC2c8w3JA1984CKG2Wt/TIArENOFIub+Y8XM # Uuo8gu/gWbiDpQzZx2XVfi2rRagU+Hf7PTVo+MTYUi2cwPfSYq9GnzpoUY2IiYo3 # 6MVLIWjyAYjoDCxBT+SLkGthN12QuZscyYcHxcyMtfKOPtTizewLk9SUGSMsItlG # VVU9WFWqSgN26u3kwlAKry5lObvQHaGCF5cwgheTBgorBgEEAYI3AwMBMYIXgzCC # F38GCSqGSIb3DQEHAqCCF3AwghdsAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFSBgsq # hkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCA+6Vk8Io/MpV0wJWoKd9HqIDgc0Dj7wI6DbmOv8I2p8gIGZNTJE41C # GBMyMDIzMDgxODExNTQ1MS4wNTdaMASAAgH0oIHRpIHOMIHLMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0YwMC0w # NUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Wg # ghHtMIIHIDCCBQigAwIBAgITMwAAAdWpAs/Fp8npWgABAAAB1TANBgkqhkiG9w0B # AQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD # VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMzA1MjUxOTEy # MzBaFw0yNDAyMDExOTEyMzBaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z # MScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0YwMC0wNUUwLUQ5NDcxJTAjBgNV # BAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQDFfak57Oph9vuxtloABiLc6enT+yKH619b+OhGdkyh # gNzkX80KUGI/jEqOVMV4Sqt/UPFFidx2t7v2SETj2tAzuVKtDfq2HBpu80vZ0vyQ # DydVt4MDL4tJSKqgYofCxDIBrWzJJjgBolKdOJx1ut2TyOc+UOm7e92tVPHpjdg+ # Omf31TLUf/oouyAOJ/Inn2ih3ASP0QYm+AFQjhYDNDu8uzMdwHF5QdwsscNa9PVS # GedLdDLo9jL6DoPF4NYo06lvvEQuSJ9ImwZfBGLy/8hpE7RD4ewvJKmM1+t6eQuE # sTXjrGM2WjkW18SgUZ8n+VpL2uk6AhDkCa355I531p0Jkqpoon7dHuLUdZSQO40q # mVIQ6qQCanvImTqmNgE/rPJ0rgr0hMPI/uR1T/iaL0mEq4bqak+3sa8I+FAYOI/P # C7V+zEek+sdyWtaX+ndbGlv/RJb5mQaGn8NunbkfvHD1Qt5D0rmtMOekYMq7QjYq # E3FEP/wAY4TDuJxstjsa2HXi2yUDEg4MJL6/JvsQXToOZ+IxR6KT5t5fB5FpZYBp # VLMma3pm5z6VXvkXrYs33NXJqVWLwiswa7NUFV87Es2sou9Idw3yAZmHIYWgOQ+D # IY1nY3aG5DODiwN1rJyEb+mbWDagrdVxcncr6UKKO49eoNTXEW+scUf6GwXG0KEy # mQIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFK/QXKNO35bBMOz3R5giX7Ala2OaMB8G # A1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCG # Tmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUy # MFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4w # XAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2Vy # dHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwG # A1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDgYDVR0PAQH/BAQD # AgeAMA0GCSqGSIb3DQEBCwUAA4ICAQBmRddqvQuyjRpx0HGxvOqffFrbgFAg0j82 # v0v7R+/8a70S2V4t7yKYKSsQGI6pvt1A8JGmuZyjmIXmw23AkI5bZkxvSgws8rrB # tJw9vakEckcWFQb7JG6b618x0s9Q3DL0dRq46QZRnm7U6234lecvjstAow30dP0T # nIacPWKpPc3QgB+WDnglN2fdT1ruQ6WIVBenmpjpG9ypRANKUx5NRcpdJAQW2FqE # HTS3Ntb+0tCqIkNHJ5aFsF6ehRovWZp0MYIz9bpJHix0VrjdLVMOpe7wv62t90E3 # UrE2KmVwpQ5wsMD6YUscoCsSRQZrA5AbwTOCZJpeG2z3vDo/huvPK8TeTJ2Ltu/I # tXgxIlIOQp/tbHAiN8Xptw/JmIZg9edQ/FiDaIIwG5YHsfm2u7TwOFyd6OqLw18Z # 5j/IvDPzlkwWJxk6RHJF5dS4s3fnyLw3DHBe5Dav6KYB4n8x/cEmD/R44/8gS5Pf # uG1srjLdyyGtyh0KiRDSmjw+fa7i1VPoemidDWNZ7ksNadMad4ZoDvgkqOV4A6a+ # N8HIc/P6g0irrezLWUgbKXSN8iH9RP+WJFx5fBHE4AFxrbAUQ2Zn5jDmHAI3wYcQ # DnnEYP51A75WFwPsvBrfrb1+6a1fuTEH1AYdOOMy8fX8xKo0E0Ys+7bxIvFPsUpS # zfFjBolmhzCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZI # hvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # MjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAy # MDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp # bWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC # AQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25Phdg # M/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPF # dvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6 # GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBp # Dco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50Zu # yjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3E # XzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0 # lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1q # GFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ # +QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PA # PBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkw # EgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxG # NSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARV # MFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAK # BggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC # AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX # zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v # cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI # KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG # 9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0x # M7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmC # VgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449 # xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wM # nosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDS # PeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2d # Y3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxn # GSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+Crvs # QWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokL # jzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL # 6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggNQ # MIICOAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEn # MCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjdGMDAtMDVFMC1EOTQ3MSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQBO # Ei+S/ZVFe6w1Id31m6Kge26lNKCBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6InTHTAiGA8yMDIzMDgxODExMjMw # OVoYDzIwMjMwODE5MTEyMzA5WjB3MD0GCisGAQQBhFkKBAExLzAtMAoCBQDoidMd # AgEAMAoCAQACAgVMAgH/MAcCAQACAhMdMAoCBQDoiySdAgEAMDYGCisGAQQBhFkK # BAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJ # KoZIhvcNAQELBQADggEBAJlhKIwpGyWnx7nJWITEkSJ8DP9+n4cs6ChbocD1o6Vy # AZvGPW7S3Jk656qQu0w5ov1B3kj3yvsW3jb/KVHiVzY0uk+/qlKwCa+4Jv13TXbe # wCnfc33T+W8+qQ6WgGHcV2UWFVi4sdRa3zXwMdYW8tGVXZg6coJCMorVUoN19D2f # /m+qtQK8Yq9rPKG/k80Nk9BFsd9mN+24734Pagz/sUlSzlJp+SoXklYDUZLwfwmk # DU3gqpoyp6/9eVAZOeGJOK7AnOnJYQ35r1AWaK+QnULPkoZaCKezbkK8WKzrj9sG # I2lCC8GXvam6+w7SSGMiiWI6pMN2D+TBnsg1bSc7U4YxggQNMIIECQIBATCBkzB8 # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N # aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAdWpAs/Fp8npWgABAAAB # 1TANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEE # MC8GCSqGSIb3DQEJBDEiBCA3GVf2bHmf7V/eeoy4fdSUREV2oI+Wyt9ABGcMOjt0 # zzCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EINm/I4YM166JMM7EKIcYvlcb # r2CHjKC0LUOmpZIbBsH/MIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB # IDIwMTACEzMAAAHVqQLPxafJ6VoAAQAAAdUwIgQgY+cW+Tkc39setf4x1LT97BB1 # UwG31PkChYre7uIemY0wDQYJKoZIhvcNAQELBQAEggIAUgwsSFuRFAvZUwi7tmEg # jFz9ByD2jd/JpKhxHKCnmlfhqvEqIpVSMmsPTdl3ArRaG2bdFUOZ5NSLbag4E21k # +XQInIHm0Sk7aaZh8vMeAM37A4intHpv2Karl1BRbj7Bp7qCJWW4VyGvg2QFYze/ # QE7wCEdOphBKnSVo/zJpnv3o+/tW9E1ZO5nuhiBO1H3ysKnJuyYIughPG7fkphl7 # iX8AWQPSklEKUyZv0/pQxe3ADwznGj3RN0a7Mw/zqaCQ45H2W8rzooxsiQtQX1A+ # pPuFG0OIowBl+tTkfrpZsy6P85HmCASKucdg1SMzOtAWNOtunWMJgVCW3ZPp32m4 # iMpYwkQXrA4seK/oJbmyTVVMMiOdcE4IOpWOqTjs6pJjbMb7F2OPHJnpQyLsNX82 # rBUFQvlqqDNFq7oDL6KSp2pRJWxWMBU3bcgrwz6mCZk4uKZxeI2TmfPcMyq0kYk8 # HtMq0tldbJ7kycowhquzYeK+r35SX9dMyR7u2iwWF324+3QXbWmKuTft5WlF576x # cQnId908mtgDutfUZVFGYzGTyrjKlS6BMHUzlX1d+JkQqySqKbuDs0WjMGtBjwyy # HLflYnZenQhl7yCFHhnTV1qDhYew3pX3Yv+ZZ15MTppzBF9r2X+XyaIiTlsBgP1s # 9xMVqf/XMY24WlQduX0vso0= # SIG # End signature block |