Framework/Helpers/RoleAssignmentHelper.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
using namespace Microsoft.Azure.Commands.Resources.Models.Authorization
Set-StrictMode -Version Latest 
class RoleAssignmentHelper
{
    static [PSRoleAssignment[]] GetAzSKRoleAssignmentByScope([string] $scope, [bool] $recurse, [bool] $includeClassicAdministrators)
    {
        [PSRoleAssignment[]] $roleAssignments = @();

        try
        {
            if($includeClassicAdministrators)
            {
                $roleAssignments = Get-AzureRmRoleAssignment -Scope $scope -IncludeClassicAdministrators -ErrorAction Stop;
            }
            else
            {
                $roleAssignments = Get-AzureRmRoleAssignment -Scope $scope -ErrorAction Stop;
            }
            return $roleAssignments;        
        }
        catch
        { }

        $requestUri = [WebRequestHelper]::AzureManagementUri + $scope;
        $roleAssignments = [RoleAssignmentHelper]::GetRMRoleAssignment($requestUri, $recurse);
        if($includeClassicAdministrators)
        {
            $roleAssignments += [RoleAssignmentHelper]::GetAzSKClassicAdministrators();
        }
        return $roleAssignments;        
    }

    static [PSRoleAssignment[]] GetAzSKRoleAssignment([bool] $recurse, [bool] $includeClassicAdministrators)
    {
        [PSRoleAssignment[]] $roleAssignments = @();
        try
        {
            if($includeClassicAdministrators)
            {
                $roleAssignments = Get-AzureRmRoleAssignment -IncludeClassicAdministrators -ErrorAction Stop;
            }
            else
            {
                $roleAssignments = Get-AzureRmRoleAssignment -ErrorAction Stop;
            }
            return $roleAssignments;
        }
        catch
        { }

        $roleAssignments = [RoleAssignmentHelper]::GetAzSKRoleAssignment("", "", "", $recurse, $includeClassicAdministrators);
        
        return $roleAssignments;        
    }

    static [PSRoleAssignment[]] GetAzSKRoleAssignment([string] $resourceGroupName, [bool] $recurse, [bool] $includeClassicAdministrators)
    {
        [PSRoleAssignment[]] $roleAssignments = @();
        try
        {
            if($includeClassicAdministrators)
            {
                $roleAssignments = Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroupName -IncludeClassicAdministrators -ErrorAction Stop;
            }
            else
            {
                $roleAssignments = Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroupName -ErrorAction Stop;
            }
            return $roleAssignments;
        }
        catch
        { }

        $roleAssignments = [RoleAssignmentHelper]::GetAzSKRoleAssignment($resourceGroupName, "", "", $recurse, $includeClassicAdministrators);
        
        return $roleAssignments;
    }

    static [PSRoleAssignment[]] GetAzSKRoleAssignment([string] $resourceGroupName, [string] $resourceName, [string] $resourceType, [bool] $recurse, [bool] $includeClassicAdministrators)
    {
        [PSRoleAssignment[]] $roleAssignments = @();
        try
        {
            if($includeClassicAdministrators)
            {
                $roleAssignments = Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroupName -ResourceName $resourceName -ResourceType $resourceType -IncludeClassicAdministrators -ErrorAction Stop;
            }
            else
            {
                $roleAssignments = Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroupName -ResourceName $resourceName -ResourceType $resourceType -ErrorAction Stop;
            }

            return $roleAssignments;
        }
        catch
        { }

        $currentContext = Get-AzureRmContext -ErrorAction Stop;
        $subscriptionId = $currentContext.Subscription.Id;

        $subscriptionPath = "subscriptions/$subscriptionId";
        $resourceGroupPath = "/resourceGroups/$resourceGroupName";
        $resourceNamePath = "/providers/$resourceType/$resourceName";

        $requestUri = [WebRequestHelper]::AzureManagementUri + $subscriptionPath;

        if(-not [string]::IsNullOrEmpty($resourceGroupName))
        {
            $requestUri += $resourceGroupPath;
            if((-not [string]::IsNullOrEmpty($resourceType)) -and (-not [string]::IsNullOrEmpty($resourceName)))
            {
                $requestUri += $resourceNamePath;
            }
        }

        $roleAssignments = [RoleAssignmentHelper]::GetRMRoleAssignment($requestUri, $recurse);
        if($includeClassicAdministrators)
        {
            $roleAssignments += [RoleAssignmentHelper]::GetAzSKClassicAdministrators();
        }
        return $roleAssignments;
    }

    hidden static [PSRoleAssignment[]] GetRMRoleAssignment([string] $roleAssignmentUri, [bool] $recurse)
    {
        $recurseParam = "&`$filter=atScope()";
        $roleAssignmentPath = "/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01";
        $roleAssignmentUri += $roleAssignmentPath;

        if(-not $recurse)
        {
            $roleAssignmentUri += $recurseParam;
        }

        $webResponse = [WebRequestHelper]::InvokeGetWebRequest($roleAssignmentUri);

        [PSRoleAssignment[]] $roleAssignments = @();
        $webResponse | 
        ForEach-Object {
            $roleDefinitionId = $_.properties.roleDefinitionId.Substring($_.properties.roleDefinitionId.LastIndexOf("/") + 1);
            $roleDefinitionName = "";
            
            $roleDefinition = (Get-AzureRmRoleDefinition -Id $roleDefinitionId -ErrorAction SilentlyContinue) | Select-Object -First 1
            if($roleDefinition) 
            { 
                $roleDefinitionName = $roleDefinition.Name;
            };
            
            $roleAssignments += [PSRoleAssignment]@{
                RoleAssignmentId = $_.id;
                Scope = $_.properties.scope;
                RoleDefinitionName = $roleDefinitionName;
                RoleDefinitionId = $roleDefinitionId;    
                ObjectId = $_.properties.principalId;
            };
        }
        
        if($roleAssignments.Count -gt 0)
        {
            $objectIds = $roleAssignments | Select-Object -Property ObjectId -Unique | ForEach-Object { "$($_.ObjectId)" };
            $objectIdResponse = [RoleAssignmentHelper]::GetADObjectsByObjectIds($objectIds);
            
            $roleAssignments | ForEach-Object {
                $currentItem = $_;
                if($objectIdResponse.Count -ne 0)
                {
                    $filteredResponse = $objectIdResponse | Where-Object { $_.ObjectId -eq $currentItem.ObjectId } | Select-Object -First 1
                    if($filteredResponse)
                    {
                        $currentItem.ObjectType = $filteredResponse.objectType;
                        $currentItem.DisplayName = $filteredResponse.displayName;
                        if(($filteredResponse | Get-Member -Name "userPrincipalName"))
                        {
                            $currentItem.SignInName = $filteredResponse.userPrincipalName;
                        }
                    }
                }
                else
                {
                    if(-not [string]::IsNullOrWhiteSpace($currentItem.ObjectId))
                    {
                        $currentItem.ObjectType = "NOGRAPHACCESS"
                        $currentItem.DisplayName = "NOGRAPHACCESS"
                        $currentItem.SignInName = "NOGRAPHACCESS"
                    }
                    else
                    {
                        $currentItem.ObjectId = [Guid]::Empty.Guid                        
                    }
                }
            }
        }

        return $roleAssignments;
    }

    hidden static [PSRoleAssignment[]] GetAzSKClassicAdministrators()
    {
        $currentContext = Get-AzureRmContext -ErrorAction Stop;
        $subscriptionId = $currentContext.Subscription.Id;

        $subscriptionPath = "subscriptions/$subscriptionId";
        $requestUri = [WebRequestHelper]::AzureManagementUri + $subscriptionPath;
        $requestUri += "/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-06-01";
        
        $webResponse = [WebRequestHelper]::InvokeGetWebRequest($requestUri);

        [PSRoleAssignment[]] $roleAssignments = @();
        $webResponse | 
        ForEach-Object {
            $roleAssignments += [PSRoleAssignment]@{
                SignInName = $_.properties.emailAddress;
                DisplayName = $_.properties.emailAddress;
                Scope = "/subscriptions/$subscriptionId";
                RoleDefinitionName = $_.properties.role;
                RoleDefinitionId = $_.id;    
                ObjectId = [Guid]::Empty.Guid;
                ObjectType = $_.properties.role
            };
        }

        return $roleAssignments;        
    }

    hidden static [System.Object[]] GetADObjectsByObjectIds([string[]] $objectIds)
    {
        $rmContext = Get-AzureRmContext -ErrorAction Stop;  
        $tenantId = $rmContext.Tenant.Id

        $uri = [WebRequestHelper]::GraphApiUri + "$tenantId/getObjectsByObjectIds?api-version=1.6"
        $body = "{`"objectIds`":" + ($objectIds | ConvertTo-Json ) + "}";
        $webResponse = @();
        
        try
        {
            $webResponse = [WebRequestHelper]::InvokePostWebRequest($uri, $body);
        }
        catch
        {
            #Access denied exception occurs here.
            #[EventBase]::PublishGenericException($_);
        }
        return $webResponse;
    }

    hidden static [bool] HasGraphAccess()
    {
        $hasAccess = $false;
        $rmContext = Get-AzureRmContext -ErrorAction Stop;  
        $tenantId = $rmContext.Tenant.Id
    
        $uri = [WebRequestHelper]::GraphApiUri + "$tenantId/users?`$top=1&api-version=1.6"
        $webResponse = @();
        
        try
        {
            $webResponse = [WebRequestHelper]::InvokeGetWebRequest($uri);
            $hasAccess = $true;
        }
        catch
        {
            $hasAccess = $false;
        }
        return $hasAccess;
    }
}