Extract Report – Azure AD Privileged Identity Management – Part 2

As promised in the last post https://techwizard.cloud/2019/10/08/extract-report-azure-ad-privileged-identity-management-part-1/,

I am back with PowerShell Spell to extract the report of admins from Azure AD Privileged Identity Management.

As this can be done thru Graph API only so things that we require are :

Lets start with Registering the APP in Azure AD, go to https://portal.azure.com

Azure Active Directory –> APP Registration

 

Click New Registration –> APP Name example PowerShell-Graph

Redirect URL –> https://localhost

Note client ID of the Application, go to API permission and provide user.read /Directory.AccessAsUser.All

Directory.AccessAsUser.All  means Access directory as the signed-in user

 

Now go to Certificates and Secrets to generate client secret.(note it)

Install both modules if it does not exist on your machine.

Your account should also be member of one of the below roles.

  • Privileged Role Administrator
  • Global Administrator
  • Security Administrator
  • Security Reader

Ones above prerequisites are completed, you can now download the script from below link.

https://gallery.technet.microsoft.com/scriptcenter/Extract-Report-Azure-AD-06dca69f

 

Change to PIMReportAdmin and run PIMReportAdmins.ps1 

 

Enter Name of the APP that you have registered in AzureAD: 

Enter Name of the Tenant:

Enter Client ID of the APP that you have registered in AzureAD: 

Please enter Client secret for the APP: ********************************

Enter account to connect to msonile module: 

Please enter msol account password: ***********

Enter SMTP Server: 

Enter From Address: 

Enter Address for Report and Errors:

First time it will generate the access token, every next run will just refresh this token so you can schedule it to run daily as well.

Report will be generated and get store inside the report folder.

PowerShell
<#     
    .NOTES 
    =========================================================================== 
    Created with:     ISE 
    Created on:       10/10/2019 1:46 PM 
    Created by:       Vikas Sukhija 
    Organization:     http://techcloud.wizard 
    Filename:         PIMReportAdmins.ps1 
    =========================================================================== 
    .DESCRIPTION 
    This script will extract the Report of Admins in PIM 
    Requirements: 
    Graph Module  
    MSonline module 
#> 
param ( 
  [string]$AppName = $(Read-Host "Enter Name of the APP that you have registered in AzureAD"), 
  [string]$Tenant = $(Read-Host "Enter Name of the Tenant"), 
  [string]$clientId = $(Read-Host "Enter Client ID of the APP that you have registered in AzureAD"), 
  $ClientSecret = $(Read-Host -assecurestring "Please enter Client secret for the APP"), 
  [string]$msolaccount = $(Read-Host "Enter account to connect to msonile module"), 
  $msolpassword = $(Read-Host -assecurestring "Please enter msol account password"), 
  [string]$smtpserver = $(Read-Host "Enter SMTP Server"), 
  [string]$from = $(Read-Host "Enter From Address"), 
  [string]$erroremail = $(Read-Host "Enter Address for Report and Errors") 
) 
 
function Write-Log 
{ 
  [CmdletBinding()] 
  param 
  ( 
    [Parameter(Mandatory = $true,ParameterSetName = 'Create')] 
    [array]$Name, 
    [Parameter(Mandatory = $true,ParameterSetName = 'Create')] 
    [string]$Ext, 
    [Parameter(Mandatory = $true,ParameterSetName = 'Create')] 
    [string]$folder, 
     
    [Parameter(ParameterSetName = 'Create',Position = 0)][switch]$Create, 
     
    [Parameter(Mandatory = $true,ParameterSetName = 'Message')] 
    [String]$Message, 
    [Parameter(Mandatory = $true,ParameterSetName = 'Message')] 
    [String]$path, 
    [Parameter(Mandatory = $false,ParameterSetName = 'Message')] 
    [ValidateSet('Information','Warning','Error')] 
    [string]$Severity = 'Information', 
     
    [Parameter(ParameterSetName = 'Message',Position = 0)][Switch]$MSG 
  ) 
  switch ($PsCmdlet.ParameterSetName) { 
    "Create" 
    { 
      $log = @() 
      $date1 = Get-Date -Format d 
      $date1 = $date1.ToString().Replace("/""-") 
      $time = Get-Date -Format t 
     
      $time = $time.ToString().Replace(":""-") 
      $time = $time.ToString().Replace(" """) 
     
      foreach ($n in $Name) 
      {$log += (Get-Location).Path + "\" + $folder + "\" + $n + "_" + $date1 + "_" + $time + "_.$Ext"} 
      return $log 
    } 
    "Message" 
    { 
      $date = Get-Date 
      $concatmessage = "|$date" + "|   |" + $Message +"|  |" + "$Severity|" 
      switch($Severity){ 
        "Information"{Write-Host -Object $concatmessage -ForegroundColor Green} 
        "Warning"{Write-Host -Object $concatmessage -ForegroundColor Yellow} 
        "Error"{Write-Host -Object $concatmessage -ForegroundColor Red} 
      } 
       
      Add-Content -Path $path -Value $concatmessage 
    } 
  } 
} #Function Write-Log 
function Start-ProgressBar 
{ 
  [CmdletBinding()] 
  param 
  ( 
    [Parameter(Mandatory = $true)] 
    $Title, 
    [Parameter(Mandatory = $true)] 
    [int]$Timer 
  ) 
     
  For ($i = 1; $i -le $Timer$i++) 
  { 
    Start-Sleep -Seconds 1; 
    Write-Progress -Activity $Title -Status "$i" -PercentComplete ($i /100 * 100) 
  } 
} 
 
function LaunchMSOL { 
        param 
        ( 
            $UserCredential 
        ) 
        import-module msonline 
        Write-Host "Enter MS Online Credentials" -ForegroundColor Green 
        Connect-MsolService -Credential $UserCredential 
    } 
     
    Function RemoveMSOL { 
         
        Write-host "Close Powershell Window - No disconnect available" -ForegroundColor yellow 
    } 
#################Check if logs folder is created#### 
$logpath  = (Get-Location).path + "\logs"  
$testlogpath = Test-Path -Path $logpath 
if($testlogpath -eq $false) 
{ 
  Start-ProgressBar -Title "Creating logs folder" -Timer 10 
  New-Item -Path (Get-Location).path -Name Logs -Type directory 
} 
$Reportpath  = (Get-Location).path + "\Report"  
$testlogpath = Test-Path -Path $Reportpath 
if($testlogpath -eq $false) 
{ 
  Start-ProgressBar -Title "Creating Report folder" -Timer 10 
  New-Item -Path (Get-Location).path -Name Report -Type directory 
} 
####################Load variables and log########## 
$log = Write-Log -Name "PIMAdminReport-Log" -folder "logs" -Ext "log" 
$Report1 = Write-Log -Name "PIMADMIN-Report" -folder "Report" -Ext "csv" 
 
$Resource = "privilegedRoleAssignments" 
$graphApiVersion = "beta" 
$uri = "https://graph.microsoft.com/$graphApiVersion/$($resource)" 
$collection = @() 
 
####################################################### 
 
Write-log -Message "Start .........Script" -path $log 
try{ 
  $Credential1 = New-Object System.Management.Automation.PSCredential -ArgumentList $clientId$ClientSecret 
  $Credential2 = New-Object System.Management.Automation.PSCredential -ArgumentList $msolaccount$msolpassword 
  Write-log -Message "loading credentials" -path $log 
  } 
  catch{ 
      $_.Exception 
    Write-log -Message "exception has occured loading credentials" -path $log 
    Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject "Error loading credentials PIMADMINs Report" -Body $($_.Exception.Message) 
    exit; 
  } 
 
try 
  { 
     Import-Module -name 'PSMSGraph' 
     LaunchMSOL -UserCredential  $Credential2 
     Write-log -Message "loading Graph and MSOL" -path $log 
  } 
  catch 
  { 
    $_.Exception 
    Write-log -Message "exception has Loading graph and MSOL" -path $log -Severity Error 
    Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject "Error exception has Loading graph and MSOL PIMADMINs Report" -Body $($_.Exception.Message) 
    exit; 
  } 
 
##############Check if token is present else prompt################ 
$Accesstokenpath  = (Get-Location).path + "\AccessToken.XML"  
$testaccesstpath = test-path -Path $Accesstokenpath 
if($testaccesstpath -eq $false){ 
$GraphAppParams = @{ 
    Name = $appname 
    ClientCredential = $Credential1 
    RedirectUri = 'https://localhost/' 
    Tenant = $tenant 
} 
$GraphApp = New-GraphApplication @GraphAppParams 
$AuthCode = $GraphApp | Get-GraphOauthAuthorizationCode  
$GraphAccessToken = $AuthCode | Get-GraphOauthAccessToken -Resource 'https://graph.microsoft.com' 
$GraphAccessToken | Export-GraphOAuthAccessToken -Path $Accesstokenpath 
 
} #############Access token generated############ 
 
  try{ 
    $GraphAccessToken =  Import-GraphOAuthAccessToken -Path $Accesstokenpath 
    $GraphAccessToken | Update-GraphOAuthAccessToken -Force #refresh token 
    $graphdata = Invoke-GraphRequest -AccessToken $GraphAccessToken -Uri $uri -Method GET 
    $fetchallpimadmins = ConvertFrom-Json $graphdata.Result.Content 
    $getallPIMadmins = $fetchallpimadmins.value 
    $getallPIMadmins | ForEach-Object{ 
      $mcoll = "" | Select UserPrincipalName, RoleID,isElevated 
      $userid = $_.userid 
      $roleid = $_.RoleID 
      $msoluserid = Get-MsolUser -ObjectId $userid | Select UserPrincipalName 
      $msolroleid = Get-MsolRole -ObjectId $roleid | Select Name 
      $mcoll.UserPrincipalName = $msoluserid.UserPrincipalName 
      $mcoll.RoleID = $msolroleid.Name 
      $mcoll.isElevated = $_.isElevated 
      $mcoll 
      $collection+=$mcoll 
    }  
    $collection | Export-Csv $Report1 -NoTypeInformation  
    $GraphAccessToken | Export-GraphOAuthAccessToken -Path $Accesstokenpath #export the token again 
    Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject "PIM Report - Elevated Admins" -Attachments $Report1 
  } 
   
  catch{ 
    $_.Exception 
    Write-log -Message "exception occured generating the PIM Report" -path $log -Severity Error 
    Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject "Error exception occured generating the PIM Report" -Body $($_.Exception.Message) 
  } 
 
##############################Recycle Logs########################## 
Write-Log -Message "Recycle Logs" -path $log -Severity Information 
$path1 = (Get-Location).path + "\report" 
$path2 = (Get-Location).path + "\logs"  
 
$limit = (Get-Date).AddDays(-60) #for report recycling 
Get-ChildItem -Path $path1 | 
Where-Object {$_.CreationTime -lt $limit| 
Remove-Item -recurse -Force 
 
Get-ChildItem -Path $path2 | 
Where-Object {$_.CreationTime -lt $limit| 
Remove-Item -recurse -Force 
 
Write-Log -Message "Script Finished" -path $log -Severity Information 
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $erroremail -Subject "Transcript Log - PIMADMINs Report" -Body "Transcript Log - PIMADMINs Report" -Attachments $log 
###############################################################################

Thanks for reading and downloading

Tech Wizard

http://techwizard.cloud

PowerShell Cheat Book

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s