Improved Domain Info Scripts: Now with RBAC Details and Error Fix #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: master
108 changes: 107 additions & 1 deletion Az/Get-AzDomainInfo.ps1
Expand Up @@ -94,6 +94,16 @@ Function Get-AzDomainInfo
HelpMessage="Dump list of Groups.")]
[ValidateSet("Y","N")]
[String]$Groups = "Y",

[parameter(Mandatory=$false,
HelpMessage="Dump list of RBAC of Users")]
[ValidateSet("Y","N")]
[String]$RBACUsers = "Y",

[parameter(Mandatory=$false,
HelpMessage="Dump list of RBAC of Groups")]
[ValidateSet("Y","N")]
[String]$RBACGroups = "Y",

[parameter(Mandatory=$false,
HelpMessage="Dump list of Storage Accounts.")]
Expand Down Expand Up @@ -126,6 +136,7 @@ Function Get-AzDomainInfo
[String]$LoginBypass = "N"
)


if ($LoginBypass -eq "N"){
# Check to see if we're logged in with Az
$LoginStatus = Get-AzContext
Expand Down Expand Up @@ -212,7 +223,98 @@ Function Get-AzDomainInfo
Write-Verbose "`tDomain Group Users were enumerated for $groupCount groups."
}

If ($RBACUsers -eq "Y") {
Write-Verbose "Getting RBAC for Users..."

# Check Output Path
if(Test-Path $folder"\RBAC"){}
else{New-Item -ItemType Directory $folder"\RBAC" | Out-Null}


# Define the user object
$adusers = Get-AzADUser

# Initialize an array to hold the role assignment information
$roleAssignmentsInfo = @()

foreach ($aduser in $adusers) {

# Ensure the ObjectId is valid (non-null)
if ($aduser.Id) {

# Retrieve role assignments for the user using their ObjectId
$roleAssignments = Get-AzRoleAssignment -PrincipalId $aduser.Id

# Loop through each role assignment to fetch the role definition name
foreach ($roleAssignment in $roleAssignments) {

# Ensure the RoleDefinitionId exists
if ($roleAssignment.RoleDefinitionId) {
$roleDef = Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId

# Create a custom object
$roleAssignmentsInfo += [PSCustomObject]@{
UserPrincipalName = $aduser.UserPrincipalName
RoleAssignmentName = $roleDef.Name
Scope = $roleAssignment.Scope
}
}
}
}
}

# Print the results in a table format
$roleAssignmentsInfo | Export-Csv -NoTypeInformation -LiteralPath $folder"\RBAC\RBAC_Users.CSV"

Write-Verbose "`t$($roleAssignmentsInfo.Count) role were enumerated for users"
}

If ($RBACGroups -eq "Y") {
Write-Verbose "Getting RBAC for Groups..."

# Check Output Path
if(Test-Path $folder"\RBAC"){}
else{New-Item -ItemType Directory $folder"\RBAC" | Out-Null}

# Get all Azure AD groups
$adgroups = Get-AzADGroup

# Initialize an array to hold the role assignment information
$roleAssignmentsInfo = @()

foreach ($adgroup in $adgroups) {

# Ensure the Id is valid (non-null/empty)
if ($adgroup.Id) {

# Retrieve role assignments for the group using their Id
$roleAssignments = Get-AzRoleAssignment -PrincipalId $adgroup.Id

# Loop through each role assignment to fetch the role definition name
foreach ($roleAssignment in $roleAssignments) {

# Ensure the RoleDefinitionId exists
if ($roleAssignment.RoleDefinitionId) {
$roleDef = Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId

# Create a custom object
$roleAssignmentsInfo += [PSCustomObject]@{
PrincipalName = $adgroup.DisplayName
PrincipalType = "Group"
RoleAssignmentName = $roleDef.Name
Scope = $roleAssignment.Scope
}
}
}
}
}

# Print the results in a table format
$roleAssignmentsInfo | Export-Csv -NoTypeInformation -LiteralPath $folder"\RBAC\RBAC_Groups.CSV"

Write-Verbose "`t$($roleAssignmentsInfo.Count) role were enumerated for groups"
}

# Get Storage Account name(s)
if($StorageAccounts -eq "Y"){

Expand Down Expand Up @@ -256,7 +358,11 @@ Function Get-AzDomainInfo

# URL for listing publicly available files
$uriList = "https://"+(-join ($StorageAccountName,'.blob.core.windows.net/',$_.Name))+"/?restype=container&comp=list"
$FileList = (Invoke-WebRequest -uri $uriList -Method Get -Verbose:$False).Content
try {
$FileList = (Invoke-WebRequest -Uri $uriList -Method Get -Verbose:$False).Content
} catch {
# No Action
}

# Microsoft includes these characters in the response, Thanks...
[xml]$xmlFileList = $FileList -replace ''
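Review bot: The new `try`/`catch` around `Invoke-WebRequest` leaves `$FileList` holding the previous container's response when a request fails, because the `catch` block does nothing and the variable is never reset, so the following `[xml]$xmlFileList = $FileList -replace ''` parses stale data and attributes the previous container's files to the failed one (or, on the first iteration, an unset variable). Reset and record the failure instead, e.g. `$FileList = $null` immediately before the `try` and `catch { Write-Verbose "Listing failed for $uriList : $($_.Exception.Message)" }`, and guard the XML parsing that follows with `if ($FileList) { ... }` so a failed container is skipped rather than mis-reported. The enclosing ForEach-Object block and the Get-AzDomainInfo function both start before this hunk and continue past it. Separately, in the RBAC hunk the per-assignment `Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId` lookup is redundant, since `Get-AzRoleAssignment` already exposes `RoleDefinitionName` on each assignment, and both `Write-Verbose` summaries read `role were enumerated` where `roles` is meant.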
125 changes: 118 additions & 7 deletions AzureAD/Get-AzureADDomainInfo.ps1
Expand Up @@ -45,7 +45,6 @@ Function Get-AzureADDomainInfo
VERBOSE: Getting Domain Service Principals...
VERBOSE: 500 service principals were enumerated.
VERBOSE: All done with AzureAD tasks.

#>

[CmdletBinding()]
Expand Down Expand Up @@ -87,14 +86,126 @@ Function Get-AzureADDomainInfo
if ($Users -eq "Y"){
# Get/Write Users for each domain
Write-Verbose "Getting Domain Users..."
# Base user info
$azureADUsers = Get-AzureADUser -All 1
$azureADUsers | select DisplayName,UserPrincipalName,ObjectId,ObjectType,AccountEnabled,AgeGroup,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DirSyncEnabled,FacsimileTelephoneNumber,GivenName,IsCompromised,ImmutableId,JobTitle,LastDirSyncTime,LegalAgeGroupClassification,Mail,MailNickName,Mobile,OnPremisesSecurityIdentifier,PasswordPolicies,PasswordProfile,PhysicalDeliveryOfficeName,PostalCode,PreferredLanguage,RefreshTokensValidFromDateTime,ShowInAddressList,SipProxyAddress,State,StreetAddress,Surname,TelephoneNumber,UsageLocation,UserState,UserStateChangedOn,UserType | Export-Csv -NoTypeInformation -LiteralPath $folder"\AzureAD\AzureAD_Users.CSV"
$azureADUserscount = $azureADUsers.count
Write-Verbose "`t$azureADUserscount Domain Users were found."

# List Users
$azureADUsers = Get-AzureADUser -All $true

}
# List Directory Roles
$entraIDRoles = Get-AzureADDirectoryRole

# Initialize an empty map to store user roles
$userRolesMap = @{}
# Loop through each role in the Azure AD roles set
foreach ($role in $entraIDRoles) {

# Retrieve the members associated with each role
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

# Loop through each member associated with the role
foreach ($member in $members) {

# If the user is not already in the map, initialize an empty list
if (-not $userRolesMap.ContainsKey($member.ObjectId)) {
$userRolesMap[$member.ObjectId] = @()
}

# Add the role name to the user's list of roles
$userRolesMap[$member.ObjectId] += $role.DisplayName
}
}

# Retrieve all Azure AD groups
$azureADGroups = Get-AzureADGroup -All $true

# Initialize an empty map to store group memberships for users
$userGroupsMap = @{}

# Loop through each group in the Azure AD groups
foreach ($group in $azureADGroups) {
# Retrieve the members of each grou
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId

# Loop through each member of the group
foreach ($member in $members) {

# If the user is not already in the map, initialize an empty list
if (-not $userGroupsMap.ContainsKey($member.ObjectId)) {
$userGroupsMap[$member.ObjectId] = @()
}

# Add the group name to the user's list of groups
$userGroupsMap[$member.ObjectId] += $group.DisplayName
}
}

# Create an output object for each Azure AD user with their roles and groups
$exportUsers = $azureADUsers | ForEach-Object {

# Retrieve the roles assigned to the user and join them into a single string
$AzureADroles = $userRolesMap[$_.ObjectId] -join "; "

# Retrieve the groups the user belongs to and join them into a single string
$AzureADgroups = if ($userGroupsMap.ContainsKey($_.ObjectId) -and $userGroupsMap[$_.ObjectId]) {
$userGroupsMap[$_.ObjectId] -join "; "
} else {
""
}

# Create a custom object to store the user's details and export them
[PSCustomObject]@{
DisplayName = $_.DisplayName
UserPrincipalName = $_.UserPrincipalName
ObjectId = $_.ObjectId
DirectoryRoles = $AzureADroles
ADGroups = $AzureADgroups
ObjectType = $_.ObjectType
AccountEnabled = $_.AccountEnabled
AgeGroup = $_.AgeGroup
City = $_.City
CompanyName = $_.CompanyName
ConsentProvidedForMinor = $_.ConsentProvidedForMinor
Country = $_.Country
CreationType = $_.CreationType
Department = $_.Department
DirSyncEnabled = $_.DirSyncEnabled
FacsimileTelephoneNumber = $_.FacsimileTelephoneNumber
GivenName = $_.GivenName
Surname = $_.Surname
IsCompromised = $_.IsCompromised
ImmutableId = $_.ImmutableId
JobTitle = $_.JobTitle
LastDirSyncTime = $_.LastDirSyncTime
LegalAgeGroupClassification = $_.LegalAgeGroupClassification
Mail = $_.Mail
MailNickName = $_.MailNickName
Mobile = $_.Mobile
OnPremisesSecurityIdentifier = $_.OnPremisesSecurityIdentifier
PasswordPolicies = $_.PasswordPolicies
PasswordProfile = $_.PasswordProfile
PhysicalDeliveryOfficeName = $_.PhysicalDeliveryOfficeName
PostalCode = $_.PostalCode
PreferredLanguage = $_.PreferredLanguage
RefreshTokensValidFromDateTime = $_.RefreshTokensValidFromDateTime
ShowInAddressList = $_.ShowInAddressList
SipProxyAddress = $_.SipProxyAddress
State = $_.State
StreetAddress = $_.StreetAddress
TelephoneNumber = $_.TelephoneNumber
UsageLocation = $_.UsageLocation
UserState = $_.UserState
UserStateChangedOn = $_.UserStateChangedOn
UserType = $_.UserType

}
}

# Export to CSV
$exportUsers | Export-Csv -NoTypeInformation -LiteralPath "$folder\AzureAD\AzureAD_Users.CSV"

$azureADUserscount = $azureADUsers.Count
Write-Verbose "`t$azureADUserscount Domain Users were found."
}

if ($Groups -eq "Y"){
# Get/Write Groups
Write-Verbose "Getting Domain Groups..."
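Review bot: `Get-AzureADGroupMember -ObjectId $group.ObjectId` in the group loop is called without `-All $true`, unlike the `Get-AzureADUser -All $true` and `Get-AzureADGroup -All $true` calls in the same hunk, so for groups larger than the default page size only the first page of members is recorded and the `ADGroups` column silently omits memberships in large groups; use `$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true`. The `$userGroupsMap` keyed on `$member.ObjectId` also collects nested groups and service principals, which is harmless because only user ObjectIds are looked up later, but a one-line comment saying so would save the next reader the question. The `DirectoryRoles` column is built from `Get-AzureADDirectoryRole`, which as far as I know returns only activated roles, so eligible-but-inactive (PIM) assignments are not reflected and a comment such as `# Only activated directory roles are listed; eligible PIM assignments are not included` would set expectations for anyone reading the export. Minor: the comment `# Retrieve the members of each grou` is missing its last letter. The enclosing Get-AzureADDomainInfo function starts before this hunk and continues past it.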