Check-AutomationRunAsAccountRoleAssignments.ps1


<#PSScriptInfo
 
.VERSION 1.0.1
 
.GUID c383bb81-c95e-4845-bc95-428db6a36ba5
 
.AUTHOR Automation Team
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS AzureAutomation
 
.LICENSEURI
 
.PROJECTURI
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
 
.PRIVATEDATA
 
#>
 



<#
 
.DESCRIPTION
 If your Azure Automation accounts contain a RunAs account, it will by default have the built-in Contributor role assigned to it. You can use this script
 to check the role assignments of your Azure Automation RunAs accounts, and determine whether their role assignment is the default one, or whether it has
 been changed to a different role definition.
#>
 

<#
.SYNOPSIS
 Use this script to check the permissions of your Azure Automation RunAs accounts.
 
.PREREQUISITES
 To run this script, your PowerShell console has to be connected to Azure. Use Login-AzureRmAccount to log in.
    
.USAGE
 PS C:\MyScriptFolder>$mySubs = "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
 PS C:\MyScriptFolder>.\Check-AutomationRunAsAccountRoleAssignments.ps1 `
            -SubscriptionIds $mySubs
 
.PARAMETERS
    -SubscriptionIds
        This is an array of subscriptions whose RunAs account role assignments you want to check. The array can contain one or more subscriptions.
 
.NOTES
    LASTEDIT: June 26, 2019
#>
 
Param (
    # One or more subscription IDs; the main code below iterates them in the given order.
    [Parameter(Mandatory = $true)]
    [String[]] $SubscriptionIds,

    # NOTE(review): declared but never read anywhere in this script. Every call below uses the
    # AzureRm cmdlets (Select-AzureRmSubscription, Get-AzureRmAutomationAccount, ...), so passing
    # -UseAzModules $true currently has no effect.
    [Parameter(Mandatory = $false)]
    [bool] $UseAzModules = $false
)

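function GetRunAsAccountAADApplicationId([string] $resourceGroupName, [string] $automationAccountName)
{
    <#
    .SYNOPSIS
     Returns the Azure AD ApplicationId of the RunAs account of one automation account.

    .DESCRIPTION
     Reads the "AzureRunAsConnection" connection asset of the given automation account and returns the
     GUID stored in its ApplicationId field. Returns $null when the connection asset does not exist,
     when the field is empty, or when the field does not hold a valid GUID.

    .PARAMETER resourceGroupName
     Resource group that contains the automation account.

    .PARAMETER automationAccountName
     Name of the automation account whose RunAs connection is read.

    .OUTPUTS
     [GUID] or $null. Progress and findings are written to the host, not to the pipeline.
    #>
    $connectionAssetName = "AzureRunAsConnection"

    # SilentlyContinue is deliberate: an automation account without a RunAs connection is a normal,
    # non-error case that the caller handles by reporting "no RunAs account".
    $runasAccountConnection = Get-AzureRmAutomationConnection `
        -Name $connectionAssetName `
        -ResourceGroupName $resourceGroupName `
        -AutomationAccountName $automationAccountName `
        -ErrorAction SilentlyContinue

    $runasAccountAADApplicationId = $null
    if ($runasAccountConnection)
    {
        $applicationIdValue = $runasAccountConnection.FieldDefinitionValues['ApplicationId']

        # Guard the cast: a missing or empty field would otherwise throw a conversion error
        # and abort the whole subscription scan instead of reporting this one account.
        if ([string]::IsNullOrWhiteSpace($applicationIdValue))
        {
            Write-Host ("The connection '" + $connectionAssetName + "' exists but has no ApplicationId field; skipping it.") -ForegroundColor Yellow
            return $null
        }

        try
        {
            [GUID] $runasAccountAADApplicationId = $applicationIdValue
        }
        catch
        {
            Write-Host ("The ApplicationId field of connection '" + $connectionAssetName + "' is not a valid GUID: " + $applicationIdValue) -ForegroundColor Yellow
            return $null
        }

        Write-Host ("A RunAs account is present, and its ApplicationId is: " + $runasAccountAADApplicationId)
    }

    return $runasAccountAADApplicationId
}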

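function GetRunAsAccountRoleAssignments ([string] $subscriptionId)
{
    <#
    .SYNOPSIS
     Lists the subscription-scope role assignments of the RunAs account of every automation account
     in one subscription and reports whether the default Contributor assignment is still present.

    .PARAMETER subscriptionId
     ID of the subscription whose automation accounts are inspected. The current Azure context is
     switched to this subscription first.

    .OUTPUTS
     The role assignment objects returned by Get-AzureRmRoleAssignment are emitted to the pipeline;
     all other messages go to the host.

    .NOTES
     Stops (terminating error) when the subscription context cannot be switched or when a role
     assignment lookup fails, so that no account is silently skipped.
    #>

    # -ErrorAction Stop: if the context switch failed, every lookup below would silently run against
    # whichever subscription was selected before, i.e. the wrong one. Out-Null drops the context object
    # the cmdlet writes to the pipeline.
    Select-AzureRmSubscription -SubscriptionId $subscriptionId -ErrorAction Stop | Out-Null
    $automationAccounts = Get-AzureRmAutomationAccount

    if (!$automationAccounts)
    {
        Write-Host ("No automation account found in subscription " + $subscriptionId) -ForegroundColor Yellow
        return
    }

    Write-Host ("Looking up role assignments of all automation accounts in subscription " + $subscriptionId)
    $subscriptionScope = "/subscriptions/" + $subscriptionId

    foreach ($automationAccount in $automationAccounts)
    {
        $accountName = $automationAccount.AutomationAccountName
        Write-Host ("Looking up role assignment for automation account: " + $accountName)

        $runasAccountAADApplicationId = GetRunAsAccountAADApplicationId `
            -resourceGroupName $automationAccount.ResourceGroupName `
            -automationAccountName $accountName

        if (!$runasAccountAADApplicationId)
        {
            Write-Host ("No RunAs account was found for automation account: " + $accountName + ".") -ForegroundColor Yellow
            Write-Host
            continue
        }

        # The previous version only queried all assignments when $ReplaceCustomRoleAssignment was $true,
        # but that variable is not declared anywhere in this script, so the query was always filtered to
        # -RoleDefinitionName "Contributor". A RunAs account whose default role had been replaced by a
        # different role then produced no output at all - the very case this script is meant to surface.
        # Query every assignment of the principal at subscription scope instead.
        $currentRoleAssignments = @(Get-AzureRmRoleAssignment `
            -ServicePrincipalName $runasAccountAADApplicationId `
            -Scope $subscriptionScope `
            -ErrorAction Stop)

        Write-Host ("The following role assignments exist in automation account: " + $accountName)
        $currentRoleAssignments

        # Summarise the finding so the reader does not have to compare role names by eye.
        if ($currentRoleAssignments.Count -eq 0)
        {
            Write-Host ("The RunAs account of " + $accountName + " has no role assignment at scope " + $subscriptionScope + ".") -ForegroundColor Yellow
        }
        elseif ($currentRoleAssignments | Where-Object { $_.RoleDefinitionName -eq "Contributor" })
        {
            Write-Host ("The RunAs account of " + $accountName + " still has the default Contributor role assignment at subscription scope.")
        }
        else
        {
            $assignedRoles = ($currentRoleAssignments | ForEach-Object { $_.RoleDefinitionName }) -join ", "
            Write-Host ("The RunAs account of " + $accountName + " no longer has the default Contributor role; it is assigned: " + $assignedRoles) -ForegroundColor Yellow
        }
        Write-Host
    }
}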


# Main code starts here


# Exit early when no subscription IDs were supplied; there is nothing to inspect.
if ($SubscriptionIds.Count -eq 0)
{
    Write-Host "No subscription IDs were provided. Please provide at least 1 subscription ID." -ForegroundColor Yellow
    exit -1
}

# Look up the RunAs account role assignments of the automation accounts in every provided subscription.
$SubscriptionIds | ForEach-Object {
    GetRunAsAccountRoleAssignments -subscriptionId $_
}


# Main code ends here