function Connect-AzureAD2 { <# .SYNOPSIS Function for connecting to Azure AD. Reuse already existing session if possible. Supports user and app authentication. .DESCRIPTION Function for connecting to Azure AD. Reuse already existing session if possible. Supports user and app authentication. .PARAMETER tenantId Azure AD tenant domain name/id. It is optional for user auth. but mandatory for app. auth! Default is $_tenantId. .PARAMETER credential User credentials for connecting to AzureAD. .PARAMETER asYourself Switch for user authentication using current user credentials. .PARAMETER applicationId Application ID of the enterprise application. Mandatory for app. auth. .PARAMETER certificateThumbprint Thumbprint of the certificate that should be used for app. auth. Corresponding certificate has to exists in machine certificate store and user must have permissions to read its private key! .PARAMETER returnConnection Switch for returning connection info (like original Connect-AzureAD command do). How to create such certificate: $pwd = "nejakeheslo" $notAfter = (Get-Date).AddMonths(60) $thumb = (New-SelfSignedCertificate -DnsName "someDNSname" -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint $pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText Export-PfxCertificate -Cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd udelat export public casti certifikatu (.cer) a naimportovat k vybrane aplikaci v Azure portalu .EXAMPLE Connect-AzureAD2 -asYourself Connect using current user credentials. .EXAMPLE Connect-AzureAD2 -credential (Get-Credential) Connect using user credentials. .EXAMPLE $thumbprint = Get-ChildItem Cert:\LocalMachine\My | ? subject -EQ "" | select -ExpandProperty Thumbprint Connect-AzureAD2 -ApplicationId 'cd2ae428-35f9-21b4-a527-7d3gf8f1e5cf' -CertificateThumbprint $thumbprint Connect using app. authentication (certificate). #> [CmdletBinding(DefaultParameterSetName = 'userAuth')] param ( [Parameter(ParameterSetName = "userAuth")] [System.Management.Automation.PSCredential] $credential, [Parameter(ParameterSetName = "userAuth")] [switch] $asYourself, [Parameter(ParameterSetName = "appAuth")] [Parameter(ParameterSetName = "userAuth")] [Alias("tenantDomain")] [string] $tenantId = $_tenantId, [Parameter(Mandatory = $true, ParameterSetName = "appAuth")] [string] $applicationId, [Parameter(Mandatory = $true, ParameterSetName = "appAuth")] [string] $certificateThumbprint, [switch] $returnConnection ) if (!(Get-Command Connect-AzureAD -ea SilentlyContinue)) { throw "Module AzureAD is missing" } if ([Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens) { $token = [Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens Write-Verbose "Connected to tenant: $($token.AccessToken.TenantId) with user: $($token.AccessToken.UserId)" } else { if ($applicationId) { # app auth if (!$tenantId) { throw "tenantId parameter is undefined" } # check certificate foreach ($store in ('CurrentUser', 'LocalMachine')) { $cert = Get-Item "Cert:\$store\My\$certificateThumbprint" -ErrorAction SilentlyContinue if ($cert) { if (!$cert.HasPrivateKey) { throw "Certificate $certificateThumbprint doesn't contain private key!" } try { $rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) } catch { throw "Account $env:USERNAME doesn't have right to read private key of certificate $certificateThumbprint (use Add-CertificatePermission to fix it)!" } break } } if (!$cert) { throw "Certificate $certificateThumbprint isn't located in $env:USERNAME nor $env:COMPUTERNAME Personal store" } $param = @{ ErrorAction = "Stop" TenantId = $tenantId ApplicationId = $applicationId CertificateThumbprint = $certificateThumbprint } if ($returnConnection) { Connect-AzureAD @param } else { $null = Connect-AzureAD @param } } else { # user auth $param = @{ errorAction = "Stop" } if ($credential) { $param.credential = $credential } if ($tenantId) { $param.TenantId = $tenantId } if ($asYourself) { $upn = whoami -upn if ($upn) { $param.AccountId = $upn } else { Write-Error "Unable to obtain your UPN. Run again without 'asYourself' switch" return } } if ($returnConnection) { Connect-AzureAD @param } else { $null = Connect-AzureAD @param } } } } #Requires -Modules Pnp.PowerShell function Connect-PnPOnline2 { <# .SYNOPSIS Proxy function for Connect-PnPOnline with some enhancements like: automatic MFA auth if MFA detected, skipping authentication if already authenticated etc. .DESCRIPTION Proxy function for Connect-PnPOnline with some enhancements like: automatic MFA auth if MFA detected, skipping authentication if already authenticated etc. .PARAMETER credential Credential object you want to use to authenticate to Sharepoint Online .PARAMETER appAuth Switch for using application authentication instead of the user one. .PARAMETER asMFAUser Switch for using user with MFA enabled authentication (i.e. interactive auth) .PARAMETER url Your sharepoint online url ("") .EXAMPLE Connect-PnPOnline2 Connect to Sharepoint Online using user interactive authentication. .EXAMPLE Connect-PnPOnline2 -asMFAUser Connect to Sharepoint Online using (MFA-enabled) user interactive authentication. .EXAMPLE Connect-PnPOnline2 -appAuth Connect to Sharepoint Online using application interactive authentication. .EXAMPLE Connect-PnPOnline2 -appAuth -credential $cred Connect to Sharepoint Online using application non-interactive authentication. .EXAMPLE Connect-PnPOnline2 -credential $cred Connect to Sharepoint Online using (non-MFA enabled!) user non-interactive authentication. .NOTES Requires Pnp.PowerShell module. #> [CmdletBinding()] param ( [System.Management.Automation.PSCredential] $credential, [switch] $appAuth, [switch] $asMFAUser, [ValidateNotNullOrEmpty()] [string] $url = $_SPOConnectionUri ) if (!$url) { throw "Url parameter is not defined. It should contain your sharepoint URL (for example" } if ($appAuth -and $asMFAUser) { Write-Warning "asMFAUser switch cannot be used with appAuth. Ignoring asMFAUser." $asMFAUser = $false } if ($credential -and $asMFAUser) { Write-Warning "When logging using MFA-enabled user, credentials cannot be passed i.e. it has to be interactive login" $credential = $null } try { Write-Verbose "Already connected to Sharepoint" $null = Get-PnPConnection -ea Stop } catch { Write-Verbose "Connecting to Sharepoint" if ($credential -and !$appAuth) { try { Connect-PnPOnline -Url $url -Credentials $credential -ea Stop } catch { if ($_ -match "you must use multi-factor authentication to access") { Write-Error "Account $($credential.UserName) has MFA enabled, therefore interactive logon is needed" Connect-PnPOnline -Url $url -Interactive -ForceAuthentication } else { throw $_ } } } elseif ($credential -and $appAuth) { Connect-PnPOnline -Url $url -ClientId $credential.UserName -ClientSecret $credential.GetNetworkCredential().password } else { # credential is missing if ($asMFAUser) { Connect-PnPOnline -Url $url -Interactive -ForceAuthentication } elseif ($appAuth) { $credential = Get-Credential -Message "Using App auth. Enter ClientId and ClientSecret." Connect-PnPOnline -Url $url -ClientId $credential.UserName -ClientSecret $credential.GetNetworkCredential().password } else { Connect-PnPOnline -Url $url } } } } #Requires -Modules AzureAD,Az.Accounts,Pnp.PowerShell,MSAL.PS function Get-AzureADAccountOccurrence { <# .SYNOPSIS Function for getting AzureAD account occurrences through various parts of Azure. Only Azure based objects are scanned (not dir-synced ones). .DESCRIPTION Function for getting AzureAD account occurrences through various parts of AzureAD. Only Azure based objects are scanned (not dir-synced ones). You can search occurrences of 'user', 'group', 'servicePrincipal', 'device' objects. These Azure parts are searched by default: 'IAM', 'GroupMembership', 'DirectoryRoleMembership', 'UserConsent', 'Manager', 'Owner', 'SharepointSiteOwner', 'Users&GroupsRoleAssignment' .PARAMETER userPrincipalName UPN of the user you want to search occurrences for. .PARAMETER objectId ObjectId of the 'user', 'group', 'servicePrincipal' or 'device' you want to search occurrences for. .PARAMETER data Array of Azure parts you want to search in. By default: 'IAM' - IAM assignments of the root, subscriptions, management groups, resource groups, resources where searched account is assigned 'GroupMembership' - groups where searched account is a member 'DirectoryRoleMembership' - directory roles where searched account is a member 'UserConsent' - user granted consents 'Manager' - accounts where searched user is manager 'Owner' - accounts where searched user is owner 'SharepointSiteOwner' - sharepoint sites where searched account is owner 'Users&GroupsRoleAssignment' - applications Users and groups tab where searched account is assigned 'DevOps' - occurrences in DevOps organizations Based on the object type you are searching occurrences for, this can be automatically trimmed. Because for example device cannot be manager etc. .EXAMPLE Get-AzureADAccountOccurrence -objectId 1234-1234-1234 Search for all occurrences of the account with id 1234-1234-1234. .EXAMPLE Get-AzureADAccountOccurrence -objectId 1234-1234-1234 -data UserConsent, Manager Search just for user perm. consents which searched account has given and accounts where searched account is manager of. .EXAMPLE Get-AzureADAccountOccurrence -userPrincipalName Search for all occurrences of the account with UPN .NOTES In case of 'data' parameter edit, don't forget to modify _getAllowedSearchType and Remove-AzureADAccountOccurrence functions too #> [CmdletBinding()] param ( [ValidateNotNullOrEmpty()] [ValidateScript( { If ($_ -notmatch "@") { throw "Username isn't UPN" } else { $true } })] [string[]] $userPrincipalName, [string[]] $objectId, [ValidateSet('IAM', 'GroupMembership', 'DirectoryRoleMembership', 'UserConsent', 'Manager', 'Owner', 'SharepointSiteOwner', 'Users&GroupsRoleAssignment', 'DevOps')] [ValidateNotNullOrEmpty()] [string[]] $data = @('IAM', 'GroupMembership', 'DirectoryRoleMembership', 'UserConsent', 'Manager', 'Owner', 'SharepointSiteOwner', 'Users&GroupsRoleAssignment', 'DevOps') ) if (!$userPrincipalName -and !$objectId) { throw "You haven't specified userPrincipalname nor objectId parameter" } #region connect # connect to AzureAD Write-Verbose "Connecting to Azure for use with cmdlets from the AzureAD PowerShell modules" $null = Connect-AzureAD2 -asYourself -ea Stop Write-Verbose "Connecting to Azure for use with cmdlets from the Az PowerShell modules" $null = Connect-AzAccount2 -ea Stop # connect Graph API Write-Verbose "Creating Graph API auth header" $header = New-GraphAPIAuthHeader -reuseExistingAzureADSession -ea Stop # connect sharepoint online if ($data -contains 'SharepointSiteOwner') { Write-Verbose "Connecting to Sharepoint" Connect-PnPOnline2 -asMFAUser -ea Stop } #endregion connect # translate UPN to ObjectId if ($userPrincipalName) { $userPrincipalName | % { $UPN = $_ $AADUserobj = Get-AzureADUser -Filter "userprincipalname eq '$UPN'" if (!$AADUserobj) { Write-Error "Account $UPN was not found in AAD" } else { Write-Verbose "Translating $UPN to $($AADUserobj.ObjectId) ObjectId" $objectId += $AADUserobj.ObjectId } } } #region helper functions # function for deciding what kind of data make sense to search through when you have object of specific kind function _getAllowedSearchType { param ($searchedData) switch ($searchedData) { 'IAM' { $allowedObjType = 'user', 'group', 'servicePrincipal' } 'GroupMembership' { $allowedObjType = 'user', 'group', 'servicePrincipal', 'device' } 'DirectoryRoleMembership' { $allowedObjType = 'user', 'group', 'servicePrincipal' } 'UserConsent' { $allowedObjType = 'user' } 'Manager' { $allowedObjType = 'user' } 'Owner' { $allowedObjType = 'user', 'servicePrincipal' } 'SharepointSiteOwner' { $allowedObjType = 'user', 'group', 'servicePrincipal', 'device' } 'Users&GroupsRoleAssignment' { $allowedObjType = 'user', 'group' } 'DevOps' { $allowedObjType = 'user', 'group' } default { throw "Undefined data to search $searchedData (edit _getAllowedSearchType function)" } } if ($objectType -in $allowedObjType) { return $true } else { Write-Warning "Skipping '$searchedData' data search because object of type $objectType cannot be there" return $false } } # function for translating DevOps membership hrefs to actual groups function _getMembership { param ([string[]] $membershipHref, [string] $organizationName) $membershipHref | % { Invoke-WebRequest -Uri $_ -Method get -ContentType "application/json" -Headers $header | select -exp content | ConvertFrom-Json | select -exp value | select -exp containerDescriptor | % { $groupOrg = $devOpsOrganization | ? { $_.OrganizationName -eq $organizationName } $group = $groupOrg.groups | ? descriptor -EQ $_ if ($group) { $group } else { Write-Error "Group with descriptor $_ wasn't found" [PSCustomObject]@{ ContainerDescriptor = $_ } } } } } #endregion helper functions #region pre-cache data if ('IAM' -in $data) { Write-Warning "Caching AzureAD Role Assignments. This can take several minutes!" $azureADRoleAssignments = Get-AzureADRoleAssignments } if ('SharepointSiteOwner' -in $data) { Write-Warning "Caching Sharepoint sites ownership. This can take several minutes!" $sharepointSiteOwner = Get-SharepointSiteOwner } if ('DevOps' -in $data) { Write-Warning "Caching DevOps organizations." $devOpsOrganization = Get-AzureDevOpsOrganizationOverview #TODO poresit strankovani! Write-Warning "Caching DevOps organizations groups." $header = New-AzureDevOpsAuthHeader $devOpsOrganization | % { $organizationName = $_.OrganizationName Write-Verbose "Getting groups for DevOps organization $organizationName" $groups = $null # in case of error this wouldn't be nulled try { $groups = Invoke-WebRequest -Uri "$organizationName/_apis/graph/groups?api-version=7.1-preview.1" -Method get -ContentType "application/json" -Headers $header -ea Stop | select -exp content | ConvertFrom-Json | select -exp value } catch { if ($_ -match "is not authorized to access this resource|UnauthorizedRequestException") { Write-Warning "You don't have rights to get groups data for DevOps organization $organizationName." } else { Write-Error $_ } } $_ | Add-Member -MemberType NoteProperty -Name Groups -Value $groups } #TODO poresit strankovani! Write-Warning "Caching DevOps organizations users." $header = New-AzureDevOpsAuthHeader $devOpsOrganization | % { $organizationName = $_.OrganizationName Write-Verbose "Getting users for DevOps organization $organizationName" $users = $null # in case of error this wouldn't be nulled try { $users = Invoke-WebRequest -Uri "$organizationName/_apis/graph/users?api-version=7.1-preview.1" -Method get -ContentType "application/json" -Headers $header -ea Stop | select -exp content | ConvertFrom-Json | select -exp value } catch { if ($_ -match "is not authorized to access this resource|UnauthorizedRequestException") { Write-Warning "You don't have rights to get users data for DevOps organization $organizationName." } else { Write-Error $_ } } $_ | Add-Member -MemberType NoteProperty -Name Users -Value $users } } #endregion pre-cache data # object types that are allowed for searching $allowedObjectType = 'user', 'group', 'servicePrincipal', 'device' foreach ($id in $objectId) { $AADAccountObj = Get-AzureADObjectByObjectId -ObjectId $id if (!$AADAccountObj) { Write-Error "Account $id was not found in AAD" } # progress variables $i = 0 $progressActivity = "Account '$($AADAccountObj.DisplayName)' ($id) occurrences" $objectType = $AADAccountObj.ObjectType if ($objectType -notin $allowedObjectType) { Write-Warning "Skipping '$($AADAccountObj.DisplayName)' ($id) because it is disallowed object type ($objectType)" continue } else { Write-Warning "Processing '$($AADAccountObj.DisplayName)' ($id)" } # define base object $result = [PSCustomObject]@{ UPN = $AADAccountObj.UserPrincipalName DisplayName = $AADAccountObj.DisplayName ObjectType = $objectType ObjectId = $id IAM = @() MemberOfDirectoryRole = @() MemberOfGroup = @() Manager = @() PermissionConsent = @() Owner = @() SharepointSiteOwner = @() AppUsersAndGroupsRoleAssignment = @() DevOpsOrganizationOwner = @() DevOpsMemberOf = @() } #region get AAD account occurrences #region IAM if ('IAM' -in $data -and (_getAllowedSearchType 'IAM')) { Write-Verbose "Getting IAM assignments" Write-Progress -Activity $progressActivity -Status "Getting IAM assignments" -PercentComplete (($i++ / $data.Count) * 100) $azureADRoleAssignments | ? objectId -EQ $id | % { $result.IAM += $_ } } #endregion IAM #region DirectoryRoleMembership if ('DirectoryRoleMembership' -in $data -and (_getAllowedSearchType 'DirectoryRoleMembership')) { Write-Verbose "Getting Directory Role Membership assignments" Write-Progress -Activity $progressActivity -Status "Getting Directory Role Membership assignments" -PercentComplete (($i++ / $data.Count) * 100) Get-AzureADMSRoleAssignment -Filter "principalId eq '$id'" | % { $_ | Add-Member -Name RoleName -MemberType NoteProperty -Value (Get-AzureADMSRoleDefinition -Id $_.roleDefinitionId | select -ExpandProperty DisplayName) $result.MemberOfDirectoryRole += $_ } } #endregion DirectoryRoleMembership #region Group membership if ('GroupMembership' -in $data -and (_getAllowedSearchType 'GroupMembership')) { Write-Verbose "Getting Group memberships (just Cloud based groups are evaluated!)" Write-Progress -Activity $progressActivity -Status "Getting Group memberships" -PercentComplete (($i++ / $data.Count) * 100) Invoke-GraphAPIRequest -uri "$id/transitiveMemberOf" -header $header -ErrorAction SilentlyContinue | ? onPremisesSyncEnabled -NE $true | % { if ($_.'@odata.type' -eq '#microsoft.graph.directoryRole') { # directory roles are added in different IF, moreover this query doesn't return custom roles } elseif ($_.'@odata.context') { # not a member } else { $result.MemberOfGroup += $_ } } } #endregion Group membership #region user perm consents if ('UserConsent' -in $data -and (_getAllowedSearchType 'UserConsent')) { Write-Verbose "Getting permission consents" Write-Progress -Activity $progressActivity -Status "Getting permission consents" -PercentComplete (($i++ / $data.Count) * 100) Get-AzureADUserOAuth2PermissionGrant -ObjectId $id -All:$true | % { $result.PermissionConsent += $_ | select *, @{name = 'AppName'; expression = { (Get-AzureADServicePrincipal -ObjectId $_.ClientId).DisplayName } }, @{name = 'ResourceDisplayName'; expression = { (Get-AzureADServicePrincipal -ObjectId $_.ResourceId).DisplayName } } } } #endregion user perm consents #region is manager if ('Manager' -in $data -and (_getAllowedSearchType 'Manager')) { Write-Verbose "Getting Direct report" Write-Verbose "Just Cloud based objects are outputted" Write-Progress -Activity $progressActivity -Status "Getting Direct Report (managedBy)" -PercentComplete (($i++ / $data.Count) * 100) Get-AzureADUserDirectReport -ObjectId $id | ? DirSyncEnabled -NE 'True' | % { $result.Manager += $_ } } #endregion is manager #region is owner # group, ent. app, app reg. and device ownership if ('Owner' -in $data -and (_getAllowedSearchType 'Owner')) { Write-Verbose "Getting application, group etc ownership" Write-Progress -Activity $progressActivity -Status "Getting group, app and device ownership" -PercentComplete (($i++ / $data.Count) * 100) switch ($objectType) { 'user' { Get-AzureADUserOwnedObject -ObjectId $id | % { $result.Owner += $_ } Write-Verbose "Getting device(s) ownership" Get-AzureADUserOwnedDevice -ObjectId $id | % { $result.Owner += $_ } } 'servicePrincipal' { Get-AzureADServicePrincipalOwnedObject -ObjectId $id | % { $result.Owner += $_ } } default { throw "Undefined condition for $objectType objectType when searching for 'Owner'" } } } #sharepoint sites owner if ('SharepointSiteOwner' -in $data -and (_getAllowedSearchType 'SharepointSiteOwner')) { Write-Verbose "Getting Sharepoint sites ownership" Write-Progress -Activity $progressActivity -Status "Getting Sharepoint sites ownership" -PercentComplete (($i++ / $data.Count) * 100) $sharepointSiteOwner | ? Owner -Contains $UPN | % { $result.SharepointSiteOwner += $_ } } #endregion is owner #region App Users and groups role assignments if ('Users&GroupsRoleAssignment' -in $data -and (_getAllowedSearchType 'Users&GroupsRoleAssignment')) { Write-Verbose "Getting applications 'Users and groups' role assignments" Write-Progress -Activity $progressActivity -Status "Getting applications 'Users and groups' role assignments" -PercentComplete (($i++ / $data.Count) * 100) function GetRoleName { param ($objectId, $roleId) if ($roleId -eq '00000000-0000-0000-0000-000000000000') { return 'default' } else { Get-AzureADServicePrincipal -ObjectId $objectId | select -ExpandProperty AppRoles | ? id -EQ $roleId | select -ExpandProperty DisplayName } } switch ($objectType) { 'user' { # filter out assignments based on group membership Get-AzureADUserAppRoleAssignment -ObjectId $id -All:$true | ? PrincipalDisplayName -EQ $AADAccountObj.DisplayName | select *, @{name = 'AppRoleDisplayName'; expression = { GetRoleName -objectId $_.ResourceId -roleId $_.Id } } | % { $result.AppUsersAndGroupsRoleAssignment += $_ } } 'group' { Get-AzureADGroupAppRoleAssignment -ObjectId $id -All:$true | select *, @{name = 'AppRoleDisplayName'; expression = { GetRoleName -objectId $_.ResourceId -roleId $_.Id } } | % { $result.AppUsersAndGroupsRoleAssignment += $_ } } default { throw "Undefined condition for $objectType objectType when searching for 'Users&GroupsRoleAssignment'" } } } #endregion App Users and groups role assignments #region devops # if ('DevOps' -in $data -and (_getAllowedSearchType 'DevOps')) { Write-Verbose "Getting DevOps occurrences" Write-Progress -Activity $progressActivity -Status "Getting DevOps occurrences" -PercentComplete (($i++ / $data.Count) * 100) $header = New-AzureDevOpsAuthHeader # auth. token has just minutes lifetime! $devOpsOrganization | % { $organization = $_ $organizationName = $organization.OrganizationName $organizationOwner = $organization.Owner if ($organizationOwner -eq $AADAccountObj.UserPrincipalName -or $organizationOwner -eq $AADAccountObj.DisplayName) { $result.DevOpsOrganizationOwner += $organization } if ($objectType -eq 'user') { $userInOrg = $organization.users | ? originId -EQ $AADAccountObj.ObjectId if ($userInOrg) { # user is used in this DevOps organization $memberOf = _getMembership $userInOrg._links.memberships.href $organizationName $result.DevOpsMemberOf += [PSCustomObject]@{ OrganizationName = $organizationName MemberOf = $memberOf Descriptor = $userInOrg.descriptor } } else { # try to find it as an orphaned guest (has special principalname) $orphanGuestUserInOrg = $organization.users | ? { $_.displayName -EQ $AADAccountObj.displayName -and $_.directoryAlias -Match "#EXT#$" -and $_.principalName -Match "OIDCONFLICT_UpnReuse_" } if ($orphanGuestUserInOrg) { Write-Warning "$($AADAccountObj.displayName) guest user is used in DevOps organization '$organizationName' but it is orphaned record (guest user was assigned to this organization than deleted and than invited again with the same UPN" } } } elseif ($objectType -eq 'group') { $groupInOrg = $organization.groups | ? originId -EQ $AADAccountObj.ObjectId if ($groupInOrg) { # group is used in this DevOps organization $memberOf = _getMembership $groupInOrg._links.memberships.href $organizationName $result.DevOpsMemberOf += [PSCustomObject]@{ OrganizationName = $organizationName MemberOf = $memberOf Descriptor = $groupInOrg.descriptor } } } else { throw "Undefined object type $objectType" } # # uzivatele vcetne clenstvi ve skupinach # Invoke-WebRequest -Uri "$UPN&queryMembership=Direct&api-version=7.1-preview.1" -Method get -ContentType "application/json" -Headers $header | select -exp content | ConvertFrom-Json | select -exp value # # skupiny a urovne pristupu (ale jen to nejake orezane, jen 3 skupiny) # Invoke-WebRequest -Uri "" -Method get -ContentType "application/json" -Headers $h | select -exp content | ConvertFrom-Json # # ziskani podrobnych user dat vcetne lastlogin atd dle zadaneho ID uzivatele (ale projectEntitlements zase neukazuje vse) # Invoke-WebRequest -Uri "" -Method get -ContentType "application/json" -Headers $h | select -exp content | ConvertFrom-Json } } #endregion devops #endregion get AAD account occurrences Write-Progress -Completed -Activity $progressActivity $result } } #Requires -Modules Az.Accounts function Connect-AzAccount2 { <# .SYNOPSIS Function for connecting to Azure using Connect-AzAccount command (Az.Accounts module). .DESCRIPTION Function for connecting to Azure using Connect-AzAccount command (Az.Accounts module). In case there is already existing connection, stop. .PARAMETER credential Credentials (User or App) for connecting to Azure. For App credentials tenantId must be set too! .PARAMETER servicePrincipal Switch for using App/Service Principal authentication instead of User auth. .PARAMETER tenantId Azure tenant ID. Mandatory when App authentication is used . .EXAMPLE Connect-AzAccount2 Authenticate to Azure interactively using user credentials. Doesn't work for accounts with MFA! .EXAMPLE $credential = get-credential Connect-AzAccount2 -credential $credential Authenticate to Azure using given user credentials. Doesn't work for accounts with MFA! .EXAMPLE $credential = get-credential Connect-AzAccount2 -servicePrincipal -credential $credential -tenantId 1234-1234-1234 Authenticate to Azure using given app credentials (service principal). .NOTES Requires module Az.Accounts. #> [CmdletBinding()] param ( [System.Management.Automation.PSCredential] $credential, [switch] $servicePrincipal, [string] $tenantId = $_tenantId ) if (Get-AzContext) { Write-Verbose "Already connected to Azure" return } else { if ($servicePrincipal -and !$tenantId) { throw "When servicePrincipal auth is used tenantId has to be set" } $param = @{} if ($servicePrincipal) { $param.servicePrincipal = $true } if ($tenantId) { $param.tenantId = $tenantId } if ($credential) { $param.credential = $credential } Connect-AzAccount @param } } function Get-AzureDevOpsOrganizationOverview { <# .SYNOPSIS Function for getting list of all Azure DevOps organizations that uses your AzureAD directory. .DESCRIPTION Function for getting list of all Azure DevOps organizations that uses your AzureAD directory. It is the same data as downloaded csv from<organizationName>/_settings/organizationAad. Function uses MSAL to authenticate (requires MSAL.PS module). .PARAMETER tenantId (optional) ID of your Azure tenant. Of omitted, tenantId from MSAL auth. ticket will be used. .EXAMPLE Get-AzureDevOpsOrganizationOverview Returns all DevOps organizations in your Azure tenant. .NOTES PowerShell module AzSK.ADO > ContextHelper.ps1 > GetCurrentContext #> [CmdletBinding()] param ( [string] $tenantId = $_tenantId ) $header = New-AzureDevOpsAuthHeader -ErrorAction Stop if (!$tenantId) { $tenantId = $msalToken.tenantId Write-Verbose "Set TenantId to $tenantId (retrieved from MSAL token)" } # URL retrieved thanks to developer mod at page<organizationName>/_settings/organizationAad Invoke-WebRequest -Uri "$tenantId" -Method get -ContentType "application/json" -Headers $header | select -ExpandProperty content | ConvertFrom-Csv | select @{name = 'OrganizationName'; expression = { $_.'Organization Name' } }, @{name = 'OrganizationId'; expression = { $_.'Organization Id' } }, Url, Owner, @{name = 'ExceptionType'; expression = { $_.'Exception Type' } }, @{name = 'ErrorMessage'; expression = { $_.'Error Message' } } -ExcludeProperty 'Organization Name', 'Organization Id', 'Exception Type', 'Error Message' } #Requires -Modules Az.Accounts,Az.Resources function Get-AzureADRoleAssignments { <# .SYNOPSIS Returns RBAC role assignments (IAM tab for root, subscriptions, management groups, resource groups, resources) from all or just selected Azure subscription(s). It is possible to filter just roles assigned to user, group or service principal. .DESCRIPTION Returns RBAC role assignments (IAM tab for root, subscriptions, management groups, resource groups, resources) from all or just selected Azure subscription(s). It is possible to filter just roles assigned to user, group or service principal. From security perspective these roles are important: Owner Contributor User Access Administrator Virtual Machine Contributor Virtual Machine Administrator Avere Contributor When given to managed identity and scope is whole resource group or subscription (because of lateral movement)! .PARAMETER subscriptionId ID of subscription you want to get role assignments for. .PARAMETER selectCurrentSubscription Switch for getting data just for currently set subscription. .PARAMETER userPrincipalName UPN of the User whose assignments you want to get. .PARAMETER objectId ObjectId of the User, Group or Service Principal whose assignments you want to get. .EXAMPLE Get-AzureADRoleAssignments Returns RBAC role assignments for all subscriptions. .EXAMPLE Get-AzureADRoleAssignments -subscriptionId 1234-1234-1234-1234 Returns RBAC role assignments for subscription with ID 1234-1234-1234-1234. .EXAMPLE Get-AzureADRoleAssignments -selectCurrentSubscription Returns RBAC role assignments just for current subscription. .EXAMPLE Get-AzureADRoleAssignments -selectCurrentSubscription -userPrincipalName Returns RBAC role assignments of the user just for current subscription. .NOTES Required Azure permissions: - Global reader - Security Reader assigned at 'Tenant Root Group' #> [CmdletBinding(DefaultParameterSetName = 'Default')] [Alias("Get-AzureADRBACRoleAssignments", "Get-AzureADIAMRoleAssignments")] param ( [Parameter(ParameterSetName = "subscriptionId")] [string] $subscriptionId, [Parameter(ParameterSetName = "currentSubscription")] [Switch] $selectCurrentSubscription, [string] $userPrincipalName, [string] $objectId ) if ($objectId -and $userPrincipalName) { throw "You cannot use parameters objectId and userPrincipalName at the same time" } Connect-AzAccount2 -ErrorAction Stop # get Current Context $CurrentContext = Get-AzContext # get Azure Subscriptions if ($selectCurrentSubscription) { Write-Verbose "Only running for current subscription $($CurrentContext.Subscription.Name)" $Subscriptions = Get-AzSubscription -SubscriptionId $CurrentContext.Subscription.Id -TenantId $CurrentContext.Tenant.Id } elseif ($subscriptionId) { Write-Verbose "Only running for selected subscription $subscriptionId" $Subscriptions = Get-AzSubscription -SubscriptionId $subscriptionId -TenantId $CurrentContext.Tenant.Id } else { Write-Verbose "Running for all subscriptions in tenant" $Subscriptions = Get-AzSubscription -TenantId $CurrentContext.Tenant.Id } function _scopeType { param ([string] $scope) if ($scope -match "^/$") { return 'root' } elseif ($scope -match "^/subscriptions/[^/]+$") { return 'subscription' } elseif ($scope -match "^/subscriptions/[^/]+/resourceGroups/[^/]+$") { return "resourceGroup" } elseif ($scope -match "^/subscriptions/[^/]+/resourceGroups/[^/]+/.+$") { return 'resource' } elseif ($scope -match "^/providers/Microsoft.Management/managementGroups/.+") { return 'managementGroup' } else { throw 'undefined type' } } Write-Verbose "Getting Role Definitions..." $roleDefinition = Get-AzRoleDefinition foreach ($Subscription in $Subscriptions) { Write-Verbose "Changing to Subscription $($Subscription.Name)" $Context = Set-AzContext -TenantId $Subscription.TenantId -SubscriptionId $Subscription.Id -Force # getting information about Role Assignments for chosen subscription Write-Verbose "Getting information about Role Assignments..." try { $param = @{ ErrorAction = 'Stop' } if ($objectId) { $param.objectId = $objectId } elseif ($userPrincipalName) { # -ExpandPrincipalGroups for also assignments based on group membership $param.SignInName = $userPrincipalName } Get-AzRoleAssignment @param | Select-Object RoleDefinitionName, DisplayName, SignInName, ObjectType, ObjectId, @{n = 'AssignmentScope'; e = { $_.Scope } }, @{n = "SubscriptionId"; e = { $Subscription.SubscriptionId } }, @{n = 'ScopeType'; e = { _scopeType $_.scope } }, @{n = 'CustomRole'; e = { ($roleDefinition | ? { $_.Name -eq $_.RoleDefinitionName }).IsCustom } }, @{n = "SubscriptionName"; e = { $Subscription.Name } } } catch { if ($_ -match "The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription") { Write-Warning "At subscription $($Subscription.Name) there is no resource provider registered" } else { Write-Error $_ } } } } function New-GraphAPIAuthHeader { <# .SYNOPSIS Function for generating header that can be used for authentication of Graph API requests. .DESCRIPTION Function for generating header that can be used for authentication of Graph API requests. Credentials can be given or existing AzureAD session can be reused to obtain auth. header. .PARAMETER credential Credentials for Graph API authentication (AppID + AppSecret) that will be used to obtain auth. header. .PARAMETER reuseExistingAzureADSession Switch for using existing AzureAD session (created via Connect-AzureAD) to obtain auth. header. .PARAMETER TenantDomainName Name of your Azure tenant. .PARAMETER showDialogType Modify behavior of auth. dialog window. Possible values are: auto, always, never. Default is 'never'. .EXAMPLE $header = New-GraphAPIAuthHeader -credential $cred $URI = '' $managedDevices = (Invoke-RestMethod -Headers $header -Uri $URI -Method Get).value .EXAMPLE (there is existing AzureAD session already (made via Connect-AzureAD)) $header = New-GraphAPIAuthHeader -reuseExistingAzureADSession $URI = '' $managedDevices = (Invoke-RestMethod -Headers $header -Uri $URI -Method Get).value .NOTES #> [CmdletBinding()] [Alias("New-IntuneAuthHeader", "Get-IntuneAuthHeader")] param ( [Parameter(ParameterSetName = "authenticate")] [System.Management.Automation.PSCredential] $credential, [Parameter(ParameterSetName = "reuseSession")] [switch] $reuseExistingAzureADSession, [ValidateNotNullOrEmpty()] $tenantDomainName = $_tenantDomain, [ValidateSet('auto', 'always', 'never')] [string] $showDialogType = 'never' ) if (!$credential -and !$reuseExistingAzureADSession) { $credential = (Get-Credential -Message "Enter AppID as UserName and AppSecret as Password") } if (!$credential -and !$reuseExistingAzureADSession) { throw "Credentials for creating Graph API authentication header is missing" } if (!$tenantDomainName -and !$reuseExistingAzureADSession) { throw "TenantDomainName is missing" } Write-Verbose "Getting token" if ($reuseExistingAzureADSession) { # get auth. token using the existing session created by the AzureAD PowerShell module try { # test if connection already exists $c = Get-AzureADCurrentSessionInfo -ea Stop } catch { throw "There is no active session to AzureAD. Omit reuseExistingAzureADSession parameter or call this function after Connect-AzureAD." } try { $ErrorActionPreference = "Stop" $context = [Microsoft.Open.Azure.AD.CommonLibrary.AzureRmProfileProvider]::Instance.Profile.Context $authenticationFactory = [Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AuthenticationFactory $msGraphEndpointResourceId = "MsGraphEndpointResourceId" $msGraphEndpoint = $context.Environment.Endpoints[$msGraphEndpointResourceId] $auth = $authenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Open.Azure.AD.CommonLibrary.ShowDialog]::$showDialogType, $null, $msGraphEndpointResourceId) $token = $auth.AuthorizeRequest($msGraphEndpointResourceId) return @{ Authorization = $token } } catch { throw "Unable to obtain auth. token:`n`n$($_.exception.message)`n`n$($_.invocationInfo.PositionMessage)`n`nTry change of showDialogType parameter?" } } else { # authenticate to obtain the token $body = @{ Grant_Type = "client_credentials" Scope = "" Client_Id = $credential.username Client_Secret = $credential.GetNetworkCredential().password } $connectGraph = Invoke-RestMethod -Uri "$tenantDomainName/oauth2/v2.0/token" -Method POST -Body $body $token = $connectGraph.access_token if ($token) { return @{ Authorization = "Bearer $($token)" } } else { throw "Unable to obtain token" } } } #Requires -Modules Pnp.PowerShell function Get-SharepointSiteOwner { <# .SYNOPSIS Get all Sharepoint sites and their owners. For O365 group sites, group owners will be outputted instead of the site one. .DESCRIPTION Get all Sharepoint sites and their owners. For O365 group sites, group owners will be outputted instead of the site one. .EXAMPLE Connect-PnPOnline -Url "" -Tenant '' -Credentials (Get-Credential) Get-SharepointSiteOwner Authenticate using user credentials and get all sites and their owners. .EXAMPLE Connect-PnPOnline -Url "" -Tenant '' -ClientId 6c5c98c7-e05a-4a0f-bcfa-0cfc65aa1f28 -Thumbprint 34CFAA860E5FB8C44335A38A097C1E41EEA206AA Get-SharepointSiteOwner Authenticate using service principal (certificate) and get all sites and their owners. .EXAMPLE Connect-PnPOnline -Url "" -Tenant '' -ClientId cd2ae428-35f9-41b4-a527-71f2f8f1e5cf -CertificatePath 'c:\appCert.pfx' -CertificatePassword (Read-Host -AsSecureString) Get-SharepointSiteOwner Authenticate using service principal (certificate) and get all sites and their owners. .NOTES Requires permissions: Sites.ReadWrite.All, Group.Read.All, User.Read.All #> [CmdletBinding()] param () try { $null = Get-PnPConnection -ea Stop } catch { throw "You must call the Connect-PnPOnline cmdlet before calling any other cmdlets." } #Get All Site collections - Exclude: Search Center, Mysite Host, App Catalog, Content Type Hub, eDiscovery and Bot Sites $SitesCollection = Get-PnPTenantSite | where Template -NotIn ("SRCHCEN#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1") ForEach ($site in $sitesCollection) { $owner = $null if ($site.Template -like 'GROUP*') { #Get Group Owners try { $owner = Get-PnPMicrosoft365GroupOwners -Identity ($site.GroupId) -ErrorAction Stop | select -ExpandProperty Email } catch { if ($_ -match "does not exist or one of its queried reference-property objects are not present") { # group doesn't have any owner } elseif ($_ -match "Group not found") { $owner = "<<source group is missing>>" Write-Error $_ } else { Write-Error $_ } } } else { #Get Site Owner $owner = $site.Owner } [PSCustomObject]@{ Site = $site.Url Owner = $owner Title = $site.Title } } } #Requires -Modules MSAL.PS function New-AzureDevOpsAuthHeader { <# .SYNOPSIS Function for getting authentication header for web requests against Azure DevOps. .DESCRIPTION Function for getting authentication header for web requests against Azure DevOps. Function uses MSAL to authenticate (requires MSAL.PS module). .EXAMPLE $header = New-AzureDevOpsAuthHeader Invoke-WebRequest -Uri $uri -Headers $header .NOTES PowerShell module AzSK.ADO > ContextHelper.ps1 > GetCurrentContext #> [CmdletBinding()] param () # TODO oAuth auth # $msalToken = Get-MsalToken -TenantId $TenantID -ClientId $ClientID -UserCredential $Credential -Scopes ([String]::Concat($($ApplicationIdUri), '/user_impersonation')) -ErrorAction Stop $clientId = "872cd9fa-d31f-45e0-9eab-6e460a02d1f1" # Visual Studio $adoResourceId = "499b84ac-1321-427f-aa17-267ca6975798" # Azure DevOps app ID $msalToken = Get-MsalToken -Scopes "$adoResourceId/.default" -ClientId $clientId if ($msalToken.accessToken) { $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "", $msalToken.accessToken))) return @{Authorization = "Basic $base64AuthInfo" } } else { throw "Unable to obtain DevOps MSAL token" } } function Invoke-GraphAPIRequest { <# .SYNOPSIS Function for creating request against Microsoft Graph API. .DESCRIPTION Function for creating request against Microsoft Graph API. It supports paging (needed in Azure). .PARAMETER uri Request URI.$expand=appRoleAssignedTo$select=id,appId,servicePrincipalType,displayName$filter=(servicePrincipalType%20eq%20%27ManagedIdentity%27)$filter=contains(serialNumber,'$encoded')`$filter=NOT(state eq 'compliant')`$select=id&`$filter=complianceState eq 'compliant'`$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses&`$filter=proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail') or otherMails/any(c:c eq 'smtp:$technicalNotificationMail') .PARAMETER credential Credentials used for creating authentication header for request. .PARAMETER header Authentication header for request. .PARAMETER method Default is GET. .PARAMETER waitTime Number of seconds before new try in case of 'Too Many Requests' error. Default is 5 seconds. .EXAMPLE $header = New-GraphAPIAuthHeader -credential $intuneCredential $aadDevice = Invoke-GraphAPIRequest -Uri "" -header $header .EXAMPLE $aadDevice = Invoke-GraphAPIRequest -Uri "" -credential $intuneCredential .NOTES #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string] $uri, [Parameter(Mandatory = $true, ParameterSetName = "credential")] [System.Management.Automation.PSCredential] $credential, [Parameter(Mandatory = $true, ParameterSetName = "header")] $header, [ValidateSet('GET', 'POST', 'DELETE', 'UPDATE')] [string] $method = "GET", [ValidateRange(1, 999)] [int] $waitTime = 5 ) Write-Verbose "uri $uri" if ($credential) { $header = New-GraphAPIAuthHeader -credential $credential } try { $response = Invoke-RestMethod -Uri $uri -Headers $header -Method $method -ErrorAction Stop } catch { switch ($_) { { $_ -like "*(429) Too Many Requests*" } { Write-Warning "(429) Too Many Requests. Waiting $waitTime seconds to avoid further throttling and try again" Start-Sleep $waitTime Invoke-GraphAPIRequest -uri $uri -header $header -method $method } { $_ -like "*(400) Bad Request*" } { throw "(400) Bad Request. There has to be some syntax/logic mistake in this request ($uri)" } { $_ -like "*(401) Unauthorized*" } { throw "(401) Unauthorized Request (new auth header has to be created?)" } { $_ -like "*Forbidden*" } { throw "Forbidden access. Use account with correct API permissions for this request ($uri)" } default { throw $_ } } } if ($response.Value) { $response.Value } else { $response } # understand if top parameter is used in the URI try { $prevErrorActionPreference = $ErrorActionPreference $ErrorActionPreference = "Stop" $topValue = ([regex]"top=(\d+)").Matches($uri).captures.groups[1].value } catch { Write-Verbose "uri ($uri) doesn't contain TOP" } finally { $ErrorActionPreference = $prevErrorActionPreference } if (!$topValue -or ($topValue -and $topValue -gt 100)) { # there can be more results to return, check that # need to loop the requests because only 100 results are returned each time $nextLink = $response.'@odata.nextLink' while ($nextLink) { Write-Verbose "Next uri $nextLink" try { $response = Invoke-RestMethod -Uri $NextLink -Headers $header -Method $method -ErrorAction Stop } catch { switch ($_) { { $_ -like "*(429) Too Many Requests*" } { Write-Warning "(429) Too Many Requests. Waiting $waitTime seconds to avoid further throttling and try again" Start-Sleep $waitTime Invoke-GraphAPIRequest -uri $NextLink -header $header -method $method } { $_ -like "*(400) Bad Request*" } { throw "(400) Bad Request. There has to be some syntax/logic mistake in this request ($uri)" } { $_ -like "*(401) Unauthorized*" } { throw "(401) Unauthorized Request (new auth header has to be created?)" } { $_ -like "*Forbidden*" } { throw "Forbidden access. Use account with correct API permissions for this request ($uri)" } default { throw $_ } } } if ($response.Value) { $response.Value } else { $response } $nextLink = $response.'@odata.nextLink' } } else { # to avoid 'Too Many Requests' error when working with Graph API (/auditLogs/signIns) and using top parameter Write-Verbose "There is no need to check if more results can be returned. I.e. if parameter 'top' is used in the URI it is lower than 100 (so all results will be returned in the first request anyway)" } } Export-ModuleMember -function Connect-AzAccount2, Connect-AzureAD2, Connect-PnPOnline2, Get-AzureADAccountOccurrence, Get-AzureADAppConsentRequest, Get-AzureADRoleAssignments, Get-AzureDevOpsOrganizationOverview, Get-SharepointSiteOwner, Invoke-GraphAPIRequest, New-AzureDevOpsAuthHeader, New-GraphAPIAuthHeader, Open-AzureADAdminConsentPage Export-ModuleMember -alias Get-AzureADIAMRoleAssignments, Get-AzureADRBACRoleAssignments, Get-IntuneAuthHeader, New-IntuneAuthHeader |