https://github.com/jsa2/aadrolecheck
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/jsa2/aadrolecheck
- Owner: jsa2
- Created: 2021-08-06T06:35:45.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2021-08-06T06:40:12.000Z (almost 5 years ago)
- Last Synced: 2025-01-21T07:27:22.622Z (over 1 year ago)
- Language: PowerShell
- Size: 2.93 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: readme.md
README
# Simple function to check changes in role assignments of Azure AD
Simple function that shows the difference between the previously recorded and the current members of selected Azure AD directory roles. The current members are compared with a per-role CSV baseline using Compare-Object; the SideIndicator column marks which side each differing member is on: `=>` for a member present only in the current membership (added since the baseline), `<=` for a member present only in the baseline (removed since).
- The baseline CSVs are the only record the current membership is compared against, so keep them somewhere an account that has just been granted one of the monitored roles cannot also edit.
- PS output will show the difference when comparing the objects, with SideIndicator indicating the side:
```PowerShell
Compare-Object -ReferenceObject $existing -DifferenceObject $mbrs;
```
```
InputObject SideIndicator
----------- -------------
@{ObjectId=c0ba0d53-274c-4f52-ae0a-d50950383fda; DisplayName=https://Recovery-breakglass.dewi.red; userType=} =>
```
## Prerequisites
Run Connect-AzureAD with an account that is allowed to read directory roles and their members (see the directory role cmdlets in the AzureAD module reference):
https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#directory-roles
Note that the AzureAD PowerShell module is deprecated in favour of the Microsoft Graph PowerShell SDK, where the equivalent cmdlets are Connect-MgGraph, Get-MgDirectoryRole and Get-MgDirectoryRoleMember.
## Function
```PowerShell
Connect-AzureAD
# List the activated directory roles and pick the ObjectIds you want to monitor.
# These ObjectIds are tenant-specific (they are not the role template IDs), so replace
# them with the values from your own tenant; filter on RoleTemplateId if you want a
# selection that is portable across tenants.
Get-AzureADDirectoryRole
# The two IDs below were Global Administrator and Security Reader in the author's tenant
$roles = "862e258d-ffac-40fd-aa9d-7b2a990c3070,09dc17e0-996d-4b81-ac46-1925550d6ddc" -split ","
# Compares the current members of a role with the baseline stored in ./<roleId>.csv.
# If the file does not exist, or importing it fails, the baseline is (re)created from the
# current members and no difference is reported.
function RoleChecker ($roleId) {
    $mbrs = Get-AzureADDirectoryRoleMember -ObjectId $roleId | Select-Object -Property ObjectId, DisplayName, UserType
    try {
        Write-Host "trying to read existing roles" -ForegroundColor Green
        # -ErrorAction Stop turns a missing file into a terminating error so the catch block runs
        $existing = Import-Csv "./$roleId.csv" -ErrorAction Stop
        $diff = Compare-Object -ReferenceObject $existing -DifferenceObject $mbrs
        Write-Host "check diff" $mbrs.Count "vs" $existing.Count -ForegroundColor Yellow
        if ($diff -and $mbrs) {
            Write-Host "updating file for id $roleId"
            $mbrs | Export-Csv "./$roleId.csv" -NoTypeInformation -Force
            $diff
        }
    } catch {
        Write-Host "no existing file, creating file"
        if ($mbrs) { $mbrs | Export-Csv "./$roleId.csv" -NoTypeInformation -Force }
    }
}
foreach ($role in $roles) {
    Write-Host $role
    RoleChecker -roleId $role
}
```
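The same baseline-and-diff idea as RoleChecker, as an added example that is not code from the aadrolecheck repo: it runs offline against constructed member lists (no Connect-AzureAD needed), compares on ObjectId instead of Compare-Object's default ToString() comparison, labels each difference as Added or Removed, and handles the two cases the README's output does not show, a member removed from the role and a role whose membership drops to zero. The function names Get-RoleMembershipDiff and Save-RoleBaseline, the temp directory and the sample ObjectIds are assumptions introduced here.

```powershell
# Added example, not code from the aadrolecheck repo. Get-RoleMembershipDiff,
# Save-RoleBaseline and the sample data below are assumptions introduced here.

function Save-RoleBaseline {
    param([string] $Path, [object[]] $Members)
    if ($Members.Count -gt 0) {
        $Members | Export-Csv -Path $Path -NoTypeInformation -Force
    } else {
        # Nothing flows through the pipeline for an empty role, so write a header-only
        # file explicitly; Import-Csv returns no rows for it, which reads back as "no members".
        Set-Content -Path $Path -Value 'ObjectId,DisplayName,UserType'
    }
}

function Get-RoleMembershipDiff {
    param(
        [Parameter(Mandatory)] [string] $RoleId,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $CurrentMembers,
        [string] $BaselineDir = '.'
    )
    $baselinePath = Join-Path $BaselineDir "$RoleId.csv"

    if (-not (Test-Path -Path $baselinePath)) {
        # First run: seed the baseline and report nothing.
        Save-RoleBaseline -Path $baselinePath -Members $CurrentMembers
        return
    }

    $existing = @(Import-Csv -Path $baselinePath -ErrorAction Stop)

    # Compare on ObjectId only: Import-Csv turns a null UserType into an empty string and a
    # renamed account keeps its ObjectId, so the default ToString() comparison would report
    # spurious differences. -PassThru keeps the whole object and adds SideIndicator to it.
    $diff = Compare-Object -ReferenceObject $existing -DifferenceObject @($CurrentMembers) `
        -Property ObjectId -PassThru

    $changes = foreach ($entry in $diff) {
        # '=>' is only in the current membership (added), '<=' only in the baseline (removed)
        $change = if ($entry.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
        [pscustomobject]@{
            RoleId      = $RoleId
            Change      = $change
            ObjectId    = $entry.ObjectId
            DisplayName = $entry.DisplayName
            UserType    = $entry.UserType
        }
    }

    if ($changes) {
        # Roll the baseline forward only when something changed, as RoleChecker does.
        Save-RoleBaseline -Path $baselinePath -Members $CurrentMembers
    }
    $changes
}

# Constructed sample data (not real tenant objects): day 1 seeds the baseline, on day 2
# one member has been removed and a guest has been added.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("aadrolecheck-" + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $tmp | Out-Null
$roleId = '00000000-0000-0000-0000-000000000001'   # placeholder directory role ObjectId

$day1 = @(
    [pscustomobject]@{ ObjectId = 'a1'; DisplayName = 'Alice Admin';    UserType = 'Member' }
    [pscustomobject]@{ ObjectId = 'b2'; DisplayName = 'breakglass';     UserType = 'Member' }
)
$day2 = @(
    [pscustomobject]@{ ObjectId = 'b2'; DisplayName = 'breakglass';     UserType = 'Member' }
    [pscustomobject]@{ ObjectId = 'c3'; DisplayName = 'Ext Contractor'; UserType = 'Guest' }
)

Get-RoleMembershipDiff -RoleId $roleId -CurrentMembers $day1 -BaselineDir $tmp   # seeds the baseline
Get-RoleMembershipDiff -RoleId $roleId -CurrentMembers $day2 -BaselineDir $tmp | Format-Table -AutoSize
Get-RoleMembershipDiff -RoleId $roleId -CurrentMembers @()   -BaselineDir $tmp | Format-Table -AutoSize

# Against a real tenant (requires the deprecated AzureAD module and Connect-AzureAD):
#   $mbrs = Get-AzureADDirectoryRoleMember -ObjectId $roleId |
#           Select-Object ObjectId, DisplayName, UserType
#   Get-RoleMembershipDiff -RoleId $roleId -CurrentMembers @($mbrs)
```

The second call reports the removal of a1 and the addition of c3 and rolls the baseline forward; the third call reports b2 as removed and leaves a header-only baseline, so a role that has been emptied is reported once rather than on every run.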