AzureADAssessmentPreview

2.0.760420

Export-AADAssessConditionalAccessData.ps1

                                <#

 .Synopsis

  Produces the Azure AD Conditional Access reports required by the Azure AD assesment

 .Description

  This cmdlet reads the conditional access from the target Azure AD Tenant and produces the output files

  in a target directory

 .PARAMETER OutputDirectory

    Full path of the directory where the output files will be generated.

.EXAMPLE

   .\Export-AADAssessConditionalAccessData -OutputDirectory "c:\temp\contoso"

#>

function Export-AADAssessConditionalAccessData {

    [CmdletBinding()]

    param (

        [Parameter(Mandatory = $true)]

        [string]

        $OutputDirectory

    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name

    try {

        [int] $Id = 0

        if (!(Get-Variable stackProgressId -ErrorAction SilentlyContinue)) { New-Variable -Name stackProgressId -Scope Script -Value (New-Object System.Collections.Generic.Stack[int]) }

        while ($stackProgressId.Contains($Id)) { $Id += 1 }

        [hashtable] $paramWriteProgress = @{

            Id = $Id

        }

        if ($stackProgressId.Count -gt 0) { $paramWriteProgress['ParentId'] = $stackProgressId.Peek() }

        $stackProgressId.Push($Id)

        Write-Progress -Activity "Reading Azure AD Conditional Access Policies" -CurrentOperation "Reading policies and named locations" @paramWriteProgress

        [array]$policies = Get-MsGraphResults "identity/conditionalAccess/policies"

        [array]$namedLocations = Get-MsGraphResults "identity/conditionalAccess/namedLocations"

        Write-Progress -Activity "Reading Azure AD Conditional Access Policies" -CurrentOperation "Consolidating object references" @paramWriteProgress

        $userIds = [array](Get-ObjectPropertyValue $policies 'conditions' 'users' 'includeUsers') + (Get-ObjectPropertyValue $policies 'conditions' 'users' 'excludeUsers') | Sort-Object | Get-Unique | Where-Object { $_ -notin 'All', 'GuestsOrExternalUsers' }

        $groupIds = [array](Get-ObjectPropertyValue $policies 'conditions' 'users' 'includeGroups') + (Get-ObjectPropertyValue $policies 'conditions' 'users' 'excludeGroups') | Sort-Object | Get-Unique

        $appIds = [array](Get-ObjectPropertyValue $policies 'conditions' 'applications' 'includeApplications') + (Get-ObjectPropertyValue $policies 'conditions' 'applications' 'excludeApplications') | Sort-Object | Get-Unique | Where-Object { $_ -notin 'All', 'None', 'Office365' }

        Write-Progress -Activity "Reading Azure AD Conditional Access Policies" -CurrentOperation "Querying referenced objects" @paramWriteProgress

        $referencedUsers = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName' -UniqueId $userIds

        $referencedGroups = Get-MsGraphResults 'groups?$select=id,displayName' -UniqueId $groupIds

        $referencedApps = Get-MsGraphResults 'servicePrincipals?$select=id,appId,displayName' -Filter "appId eq '{0}'" -UniqueId $appIds

        Write-Progress -Activity "Reading Azure AD Conditional Access Policies" -CurrentOperation "Saving Reports" @paramWriteProgress

        ConvertTo-Json $policies -Depth 10 | Out-File "$OutputDirectory\CAPolicies.json" -Force

        ConvertTo-Json $namedLocations -Depth 10 | Out-File "$OutputDirectory\NamedLocations.json" -Force

        $referencedUsers | Sort-Object id | ConvertTo-Json -Depth 10 | Out-File "$OutputDirectory\CARefUsers.json" -Force

        $referencedGroups | Sort-Object id | ConvertTo-Json -Depth 10 | Out-File "$OutputDirectory\CARefGroups.json" -Force

        $referencedApps | Sort-Object appId | ConvertTo-Json -Depth 10 | Out-File "$OutputDirectory\CARefApps.json" -Force

        [void] $script:stackProgressId.Pop()

    }

    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException $_.Exception }; throw }

    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }

}