Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/canix1/PIMSCAN
Tool for creating reports on Entra ID Role Assignments
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/canix1/PIMSCAN
- Owner: canix1
- Created: 2024-04-10T22:26:26.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2024-04-12T11:26:26.000Z (7 months ago)
- Last Synced: 2024-04-12T14:25:59.896Z (7 months ago)
- Language: PowerShell
- Size: 6.16 MB
- Stars: 48
- Watchers: 2
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
A tool to create reports on Entra ID Role Assignments.
## Prerequisites
- PowerShell Module: MSAL.PS
```
Install-Module MSAL.PS -Scope CurrentUser -Force -Confirm:$False
```

### Minimum Permissions with limited data
- Use the parameter **-LimitedReadOnly**: `.\PIMSCAN.ps1 -TenantId [Tenant ID] -Show -Verbose -LimitedReadOnly`
- Global Reader role
- Consent for these:
  - AdministrativeUnit.Read.All
  - Directory.Read.All
  - Group.Read.All
  - PrivilegedAccess.Read.AzureAD
  - PrivilegedAccess.Read.AzureADGroup
  - PrivilegedAccess.Read.AzureResources
  - PrivilegedAssignmentSchedule.Read.AzureADGroup
  - PrivilegedEligibilitySchedule.Read.AzureADGroup
  - RoleAssignmentSchedule.Read.Directory
  - RoleEligibilitySchedule.Read.Directory
  - RoleManagement.Read.All
  - RoleManagement.Read.Directory
  - RoleManagementAlert.Read.Directory
  - RoleManagementPolicy.Read.Directory
  - RoleManagementPolicy.Read.AzureADGroup
  - User.Read
  - User.Read.All
  - offline_access

Run the following grant command as a Global Admin to grant a specific user the read-only scopes.
```
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Directory.AccessAsUser.All" -TenantId ""
$scopesOnlyRead = "AdministrativeUnit.Read.All Directory.Read.All Group.Read.All PrivilegedAccess.Read.AzureAD PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.Read.AzureResources PrivilegedAssignmentSchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.Read.AzureADGroup RoleAssignmentSchedule.Read.Directory RoleEligibilitySchedule.Read.Directory RoleManagement.Read.All RoleManagement.Read.Directory RoleManagementAlert.Read.Directory RoleManagementPolicy.Read.Directory RoleManagementPolicy.Read.AzureADGroup User.Read User.Read.All offline_access"
$params = @{
    # Microsoft Graph Command Line Tools (enterprise app the consent is granted on)
    ClientId = "4ad243ae-ea7f-4496-949e-4c64f1e96d71"
    # Single user consent
    ConsentType = "Principal"
    # Principal (user object id) to allow consent for
    PrincipalId = ""
    # GraphAggregatorService (the Microsoft Graph resource)
    ResourceId = "4131d640-34dd-4690-ad11-45ddcd773304"
    # List of scopes/permissions, space separated
    Scope = $scopesOnlyRead
}
New-MgOauth2PermissionGrant -BodyParameter $params
```

You will not be able to collect the data in the table below with Read-Only:
|Object|Attribute|Description|Required Permission|
| -------- | ------- | -------- | -------- |
|roleAssignmentScheduleRequests|justification|Supplied justification|RoleEligibilitySchedule.ReadWrite.Directory|
|roleAssignmentScheduleRequests|status|State of the request|RoleEligibilitySchedule.ReadWrite.Directory|
|roleAssignmentScheduleRequests|createdDateTime|Creation date of the request|RoleEligibilitySchedule.ReadWrite.Directory|
|roleEligibilityScheduleRequests|justification|Supplied justification|RoleEligibilitySchedule.ReadWrite.Directory|
|roleEligibilityScheduleRequests|status|State of the request|RoleEligibilitySchedule.ReadWrite.Directory|
|roleEligibilityScheduleRequests|createdDateTime|Creation date of the request|RoleEligibilitySchedule.ReadWrite.Directory|

### Full access with Write scopes for roleAssignmentScheduleRequests and roleEligibilityScheduleRequests
- You must have or be able to consent to the following scopes for the enterprise app **Microsoft Graph Command Line Tools**:
- AdministrativeUnit.Read.All
- Directory.Read.All
- Group.Read.All
- PrivilegedAccess.Read.AzureAD
- PrivilegedAccess.Read.AzureADGroup
- PrivilegedAccess.Read.AzureResources
- PrivilegedAssignmentSchedule.Read.AzureADGroup
- PrivilegedEligibilitySchedule.Read.AzureADGroup
- RoleAssignmentSchedule.Read.Directory
- RoleAssignmentSchedule.ReadWrite.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleEligibilitySchedule.ReadWrite.Directory
- RoleManagement.Read.All
- RoleManagement.Read.Directory
- RoleManagementAlert.Read.Directory
- RoleManagementPolicy.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- User.Read
- User.Read.All
- offline_access

Run the following grant command as a Global Admin to grant a specific user these scopes.
```
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Directory.AccessAsUser.All" -TenantId ""
$scopesWrite = "AdministrativeUnit.Read.All Directory.Read.All Group.Read.All PrivilegedAccess.Read.AzureAD PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.Read.AzureResources PrivilegedAssignmentSchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.Read.AzureADGroup RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.All RoleManagement.Read.Directory RoleManagementAlert.Read.Directory RoleManagementPolicy.Read.Directory RoleManagementPolicy.Read.AzureADGroup User.Read User.Read.All offline_access"
$params = @{
    # Microsoft Graph Command Line Tools (enterprise app the consent is granted on)
    ClientId = "4ad243ae-ea7f-4496-949e-4c64f1e96d71"
    # Single user consent
    ConsentType = "Principal"
    # Principal (user object id) to allow consent for
    PrincipalId = ""
    # GraphAggregatorService (the Microsoft Graph resource)
    ResourceId = "4131d640-34dd-4690-ad11-45ddcd773304"
    # List of scopes/permissions, space separated
    Scope = $scopesWrite
}
New-MgOauth2PermissionGrant -BodyParameter $params
```

## Usage
### Read-Only Limited
```
.\PIMSCAN.ps1 -TenantId [Tenant ID] -Show -Verbose -LimitedReadOnly
```
### Get all data
```
.\PIMSCAN.ps1 -TenantId [Tenant ID] -Show -Verbose
```

Results are saved in an HTML file.
Open Entra_ID_Role_Report_[TenantID].html if you did not use the **-Show** parameter.
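The two consent grants in the Prerequisites section hand a user a long, space-separated scope string, and a copy-paste slip there either leaves the scan short of a permission or gives the user PIM write scopes a reporting tool never needs. The script below is an added example, not part of PIMSCAN or the README, that checks an existing grant against the tier you intend to run (`-LimitedReadOnly` or full). It assumes the Microsoft.Graph module is installed, uses the `Get-MgOauth2PermissionGrant` cmdlet, and the function names `Compare-GrantScopes` and `Test-PimscanConsent` are this example's own; the application IDs and scope lists are the ones the README gives.

```powershell
# Added example, not part of PIMSCAN: check that a user's delegated consent on the
# "Microsoft Graph Command Line Tools" app matches the PIMSCAN scope tier you chose,
# and surface anything granted beyond it. Requires the Microsoft.Graph module.

# Scope lists as given in the README above: the read-only tier, plus the two write
# scopes that the full tier adds.
$ReadOnlyScopes = @(
    'AdministrativeUnit.Read.All', 'Directory.Read.All', 'Group.Read.All',
    'PrivilegedAccess.Read.AzureAD', 'PrivilegedAccess.Read.AzureADGroup',
    'PrivilegedAccess.Read.AzureResources',
    'PrivilegedAssignmentSchedule.Read.AzureADGroup',
    'PrivilegedEligibilitySchedule.Read.AzureADGroup',
    'RoleAssignmentSchedule.Read.Directory', 'RoleEligibilitySchedule.Read.Directory',
    'RoleManagement.Read.All', 'RoleManagement.Read.Directory',
    'RoleManagementAlert.Read.Directory', 'RoleManagementPolicy.Read.Directory',
    'RoleManagementPolicy.Read.AzureADGroup', 'User.Read', 'User.Read.All',
    'offline_access'
)
$WriteScopes = @(
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleEligibilitySchedule.ReadWrite.Directory'
)

# Pure comparison: takes the space-separated 'scope' value of an oauth2PermissionGrant
# and the list of scopes the chosen tier needs. Runs offline.
function Compare-GrantScopes {
    param(
        [Parameter(Mandatory)][string]$GrantedScope,
        [Parameter(Mandatory)][string[]]$RequiredScopes
    )
    $granted = @($GrantedScope -split '\s+' | Where-Object { $_ } | Sort-Object -Unique)
    $missing = @($RequiredScopes | Where-Object { $_ -notin $granted })
    $extra   = @($granted | Where-Object { $_ -notin $RequiredScopes })
    [pscustomobject]@{
        Missing    = $missing
        Extra      = $extra
        # Extra write scopes deserve a second look: they let the consenting user
        # change PIM schedules, which a report-only run never needs.
        ExtraWrite = @($extra | Where-Object { $_ -match '\.ReadWrite\.' })
        Compliant  = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Live check against the tenant. Connects with Directory.Read.All, which is enough to
# read oauth2PermissionGrant objects; -LimitedReadOnly mirrors the PIMSCAN switch.
function Test-PimscanConsent {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [switch]$LimitedReadOnly
    )
    # Application IDs from the README: the Graph Command Line Tools app and GraphAggregatorService.
    $clientId   = '4ad243ae-ea7f-4496-949e-4c64f1e96d71'
    $resourceId = '4131d640-34dd-4690-ad11-45ddcd773304'
    $required   = if ($LimitedReadOnly) { $ReadOnlyScopes } else { $ReadOnlyScopes + $WriteScopes }

    Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
    $filter = "clientId eq '$clientId' and resourceId eq '$resourceId' " +
              "and principalId eq '$PrincipalId' and consentType eq 'Principal'"
    $grants = @(Get-MgOauth2PermissionGrant -Filter $filter -All)

    if ($grants.Count -eq 0) {
        Write-Warning "No per-user grant found for $PrincipalId; PIMSCAN will prompt for consent."
        return $null
    }
    # A principal normally has one grant per client/resource pair; merge defensively.
    $scopeValue = ($grants | ForEach-Object { $_.Scope }) -join ' '
    Compare-GrantScopes -GrantedScope $scopeValue -RequiredScopes $required
}

# Offline demonstration on a constructed grant value: a read-only tier user who was
# accidentally given one of the write scopes as well.
$constructedScope = ($ReadOnlyScopes + 'RoleAssignmentSchedule.ReadWrite.Directory') -join ' '
$result = Compare-GrantScopes -GrantedScope $constructedScope -RequiredScopes $ReadOnlyScopes
$result   # Compliant is False; ExtraWrite lists RoleAssignmentSchedule.ReadWrite.Directory

# Live usage (supply the user's object id, the same value used as PrincipalId above):
# Test-PimscanConsent -PrincipalId '<user-object-id>' -LimitedReadOnly
```

Run the live check as the same account that ran the grant, or any account that can read the directory; a non-empty `ExtraWrite` on a `-LimitedReadOnly` user means the write-tier grant was applied by mistake and can be trimmed back to `$scopesOnlyRead` with a second `New-MgOauth2PermissionGrant` (or an update of the existing grant), while a non-empty `Missing` explains why the scan prompts for consent or returns partial data.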