M365Permissions

1.2.2

public/get-AllEntraPermissions.ps1

                                Function get-AllEntraPermissions{

    <#

        Author               = "Jos Lieben (jos@lieben.nu)"

        CompanyName          = "Lieben Consultancy"

        Copyright            = "https://www.lieben.nu/liebensraum/commercial-use/"

        Parameters:

    #>        

    Param(

        [Switch]$skipReportGeneration

    )

    Write-LogMessage -message "Starting Entra scan..." -level 4

    New-StatisticsObject -category "GroupsAndMembers" -subject "Entities"

    Write-Progress -Id 1 -PercentComplete 0 -Activity "Scanning Entra ID" -Status "Getting users and groups" 

    $userCount = (New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/users?`$top=1" -Method GET -ComplexFilter -nopagination)."@odata.count"

    Write-LogMessage -message "Retrieving metadata for $userCount users..."

    Write-Progress -Id 1 -PercentComplete 1 -Activity "Scanning Entra ID" -Status "Getting users and groups" 

    $allUsers = New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/users?`$select=id,userPrincipalName,displayName" -Method GET

    Write-LogMessage -message "Got metadata for $userCount users"

    $activity = "Entra ID users"

    for ($i = 0; $i -lt $allUsers.Count; $i += 100) {

        New-ScanJob -Title $activity -Target "users_$($i)_$($userCount)" -FunctionToRun "get-EntraUsersAndGroupsBatch" -FunctionArguments @{

            "entraUsers" = ($allUsers[$i..([math]::Min($i + 99, $allUsers.Count - 1))])

        }        

    }

    Update-StatisticsObject -category "GroupsAndMembers" -subject "Entities" -Amount $allUsers.Count

    Stop-StatisticsObject -category "GroupsAndMembers" -subject "Entities"

    Start-ScanJobs -Title $activity

    Remove-Variable -name allUsers -Force -Confirm:$False

    [System.GC]::GetTotalMemory($true) | out-null

    $global:EntraPermissions = @{}

    New-StatisticsObject -category "Entra" -subject "Roles"  

    $partners = New-GraphQuery -Uri "$($global:octo.graphUrl)/beta/directory/partners" -Method GET

    foreach($partner in $partners){

        Update-StatisticsObject -category "Entra" -subject "Roles"

        $permissionSplat = @{

            targetPath = "/"

            targetType = "tenant"

            principalEntraId = $partner.partnerTenantId

            principalEntraUpn = $partner.companyName

            principalSysName = $partner.supportUrl

            principalType = $partner.companyType

            principalRole = $partner.contractType

            through = "Direct"

            tenure = "Permanent"                    

        }            

        New-EntraPermissionEntry @permissionSplat

    }

    Write-Progress -Id 1 -PercentComplete 5 -Activity "Scanning Entra ID" -Status "Retrieving role definitions"

    #get role definitions

    $roleDefinitions = New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/directoryRoleTemplates" -Method GET

    Write-Progress -Id 1 -PercentComplete 35 -Activity "Scanning Entra ID" -Status "Retrieving flexible (PIM) assigments"

    #get eligible role assignments

    try{

        $roleEligibilities = (New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/roleManagement/directory/roleEligibilityScheduleInstances" -Method GET -NoRetry | Where-Object {$_})

        $roleActivations = (New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/roleManagement/directory/roleAssignmentScheduleInstances" -Method GET | Where-Object {$_.assignmentType -eq "Activated"})

    }catch{

        Write-LogMessage -level 2 -message "Failed to retrieve flexible assignments, this is fine if you don't use PIM and/or don't have P2 licensing."

        $roleEligibilities = @()

    }

    Write-Progress -Id 1 -PercentComplete 45 -Activity "Scanning Entra ID" -Status "Processing flexible (PIM) assigments"

    $count = 0

    foreach($roleEligibility in $roleEligibilities){

        $count++

        Write-Progress -Id 2 -PercentComplete $(try{$count / $roleEligibilities.Count *100}catch{1}) -Activity "Processing flexible (PIM) assignments" -Status "[$count / $($roleEligibilities.Count)]"

        $roleDefinition = $roleDefinitions | Where-Object { $_.id -eq $roleEligibility.roleDefinitionId }

        try{

            $principal = New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/directoryObjects/$($roleEligibility.principalId)" -Method GET

        }catch{

            Write-LogMessage -level 2 -message "Failed to resolve principal $($roleEligibility.principalId) to a directory object, was it deleted?" 

            $principal = $Null

            continue  

        }

        Update-StatisticsObject -category "Entra" -subject "Roles"

        $permissionSplat = @{

            targetPath = $roleEligibility.directoryScopeId

            principalEntraId = $principal.id

            principalEntraUpn = $principal.userPrincipalName

            principalSysName = $principal.displayName

            principalType = $principal."@odata.type"

            principalRole = $roleDefinition.displayName

            tenure = "Eligible"    

            startDateTime = $roleEligibility.startDateTime

            endDateTime = $roleEligibility.endDateTime                 

        }            

        New-EntraPermissionEntry @permissionSplat

        Write-Progress -Id 2 -Completed -Activity "Processing flexible (PIM) assignments"

    }

    Write-Progress -Id 1 -PercentComplete 10 -Activity "Scanning Entra ID" -Status "Retrieving fixed assigments"

    #get fixed assignments

    $roleAssignments = New-GraphQuery -Uri "$($global:octo.graphUrl)/beta/roleManagement/directory/roleAssignments?`$expand=principal" -Method GET

    Write-Progress -Id 1 -PercentComplete 20 -Activity "Scanning Entra ID" -Status "Processing fixed assigments"

    foreach($roleAssignment in $roleAssignments){

        if($roleActivations -and $roleActivations.roleAssignmentOriginId -contains $roleAssignment.id){

            Write-LogMessage -level 5 -message "Ignoring $($roleAssignment.id) because it is Eligible as well"

            continue

        }        

        $roleDefinition = $roleDefinitions | Where-Object { $_.id -eq $roleAssignment.roleDefinitionId }

        Update-StatisticsObject -category "Entra" -subject "Roles"

        $permissionSplat = @{

            targetPath = $roleAssignment.directoryScopeId

            principalEntraId = $roleAssignment.principal.id

            principalEntraUpn = $roleAssignment.principal.userPrincipalName

            principalSysName = $roleAssignment.principal.displayName

            principalType = $roleAssignment.principal."@odata.type"

            principalRole = $roleDefinition.displayName

            tenure = "Permanent"                    

        }            

        New-EntraPermissionEntry @permissionSplat

    }

    Remove-Variable roleDefinitions -Force -Confirm:$False

    Remove-Variable roleAssignments -Force -Confirm:$False

    Remove-Variable roleEligibilities -Force -Confirm:$False

    Write-Progress -Id 1 -PercentComplete 50 -Activity "Scanning Entra ID" -Status "Getting Service Principals"

    $servicePrincipals = New-GraphQuery -Uri "$($global:octo.graphUrl)/v1.0/servicePrincipals?`$expand=appRoleAssignments" -Method GET

    foreach($servicePrincipal in $servicePrincipals){

        Update-StatisticsObject -category "Entra" -subject "Roles"

        #skip disabled SPN's

        if($servicePrincipal.accountEnabled -eq $false -or $servicePrincipal.appRoleAssignments.Count -eq 0){

            continue

        }

        foreach($appRole in @($servicePrincipal.appRoleAssignments)){

            #skip disabled roles

            if($appRole.deletedDateTime){

                continue

            }

            $appRoleMeta = $Null;$appRoleMeta = @($servicePrincipals.appRoles | Where-Object { $_.id -eq $appRole.appRoleId })[0]

            if($False -eq $appRoleMeta.isEnabled){

                continue

            }

            $permissionSplat = @{

                targetPath = "/$($appRole.resourceDisplayName)"

                targetType = "API"

                targetId = $appRole.resourceId

                principalEntraId = $servicePrincipal.id

                principalSysName = $servicePrincipal.displayName

                principalType = $servicePrincipal.servicePrincipalType

                principalRole = $appRoleMeta.value

                tenure = "Permanent"             

            }   

            New-EntraPermissionEntry @permissionSplat

        }

    }

    Remove-Variable servicePrincipals -Force -Confirm:$False

    Stop-statisticsObject -category "Entra" -subject "Roles"

    $permissionRows = foreach($row in $global:EntraPermissions.Keys){

        foreach($permission in $global:EntraPermissions.$row){

            [PSCustomObject]@{

                "targetPath" = $row

                "targetType" = $permission.targetType

                "targetId" = $permission.targetId

                "principalEntraId" = $permission.principalEntraId

                "principalSysId" = $permission.principalSysId

                "principalSysName" = $permission.principalSysName

                "principalType" = $permission.principalType

                "principalRole" = $permission.principalRole

                "through" = $permission.through

                "parentId" = $permission.parentId

                "accessType" = $permission.accessType

                "tenure" = $permission.tenure

                "startDateTime" = $permission.startDateTime

                "endDateTime" = $permission.endDateTime

                "createdDateTime" = $permission.createdDateTime

                "modifiedDateTime" = $permission.modifiedDateTime

            }

        }

    }

    Add-ToReportQueue -permissions $permissionRows -category "Entra"

    Remove-Variable -Name EntraPermissions -Scope Global -Force -Confirm:$False

    if(!$skipReportGeneration){

        Write-LogMessage -message "Generating report..." -level 4

        Write-Report

    }else{

        Reset-ReportQueue

    }

    Write-Progress -Id 1 -Completed -Activity "Scanning Entra ID"

}