JulianHayward / Azure-MG-Sub-Governance-Reporting

Azure Governance Visualizer aka AzGovViz is a PowerShell script that captures Azure Governance related information such as Azure Policy, RBAC (a lot more) by polling Azure ARM, Storage and Microsoft Graph APIs.
MIT License

PIM active role assignments #232

Closed neok-g closed 6 months ago

neok-g commented 6 months ago

AzGovViz version 6.4.5.

CodeRunPlatform: Azure DevOps

Describe the bug: I am examining the report 'Role assignment related entries' and specifically looking for active role assignments managed in PIM. They seem to be missing in this report.

The first scenario is a security group ACL_PG_AzureCostManagement which has 2 role assignments for the roles 'Cost Management Reader' and 'Billing Reader' on the scope tenant root group, managed in PIM (see first screenshot). These are active PIM role assignments with both a start and end date since they are managed within PIM. In the second screenshot you see the output for these role assignments in the AzGovViz report. As you can see, the PIM related columns are empty. For simplicity's sake I have hidden irrelevant columns.

The second scenario is some service principals that belong to managed identities created by Azure for some Azure policies with a remediation task (see screenshot 3). As you can see, these identities have an active role assignment with a permanent end date since they are created by Azure Policy outside PIM.

Screenshots:

Screenshot 1 - PIM - Active PIM role assignments security group (screenshot not included)

Screenshot 2 - AzGovViz Active PIM role assignments security group (screenshot not included)

Screenshot 3 - PIM - Active role assignments service principal (screenshot not included)

Screenshot 4 - AzGovViz Role assignments service principals (screenshot not included)


JulianHayward commented 6 months ago

@neok-g can you check the createdBy/updatedBy columns for the role assignments in doubt? (*_roleAssignments.csv)

neok-g commented 6 months ago

@JulianHayward Thanks for your response.

There is no updatedBy column, only createdOn and createdBy.

For the first scenario (group ACL_PG_AzureCostManagement) both columns are empty.

For the second scenario (service principals / managed identities) the createdOn contains a datetime and createdBy contains ObjectType: SP APP INT.

JulianHayward commented 6 months ago

Hmm, can you please verify for scenario 1:

# Requires Az.Accounts (Connect-AzAccount); GET the raw ARM role assignment and dump the full JSON
$roleAssignmentId = "roleAssignmentIdGoesHere" # e.g. $roleAssignmentId = "/subscriptions/f8226644-2a08-4229-9ade-5e1e93e3dca3/providers/Microsoft.Authorization/RoleAssignments/b672efac-42bd-4377-908b-d573f81657e9"
$uri = "https://management.azure.com/$($roleAssignmentId)?api-version=2022-04-01"
$res = Invoke-AzRestMethod -Uri $uri -Method GET
($res.Content | ConvertFrom-Json) | ConvertTo-Json -Depth 99

Scenario 2: it seems that it was not created by PIM (expected: ObjectType: SP APP EXT).

neok-g commented 6 months ago

@JulianHayward The output for scenario 1 (role assignment cost management reader):

(screenshot of the JSON output not included)

But this API call is for a regular role assignment and it does not request any PIM details, correct? And this information seems to be missing in the report.

neok-g commented 6 months ago

Could you give an update?

JulianHayward commented 6 months ago

@neok-g unfortunately, currently I am not able to repro the issue. With regards to issue #217 I would not invest in troubleshooting this one further but keep it in the backlog as a test for the migration to the ARM APIs.
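To show how the PIM columns for a scope could be filled from ARM alone, here is an added example that is not part of this thread or of AzGovViz: it lists the regular role assignments at one scope (the same data the *_roleAssignments.csv is built from) and cross-references them with the ARM PIM role assignment schedule instances, so that active PIM-managed assignments with start/end dates can be told apart from permanent ones. It assumes Az.Accounts is installed, Connect-AzAccount has run, that the schedule instances endpoint is the ARM PIM API meant above, and that `originRoleAssignmentId` on an instance matches the id of the underlying role assignment; `$scope` is a placeholder.

```powershell
# Added example (not AzGovViz code). Scope is a placeholder: a management group,
# subscription or resource group path, e.g. "/subscriptions/<subIdGoesHere>".
$scope = "/providers/Microsoft.Management/managementGroups/<mgIdGoesHere>"

function Get-ArmList {
    # Helper: GET an ARM list endpoint and follow nextLink paging.
    param([string]$Uri)
    $items = @()
    do {
        $res = Invoke-AzRestMethod -Uri $Uri -Method GET
        if ($res.StatusCode -ne 200) { throw "ARM call failed ($($res.StatusCode)): $($res.Content)" }
        $body = $res.Content | ConvertFrom-Json
        $items += $body.value
        $Uri = $body.nextLink
    } while ($Uri)
    return $items
}

# Regular role assignments at the scope (createdOn/createdBy live under properties).
$assignments = Get-ArmList "https://management.azure.com$($scope)/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01"

# PIM schedule instances: one entry per currently active PIM-managed assignment.
# Assumption: this is the ARM PIM endpoint referred to as "the ARM APIs" above.
$pimInstances = Get-ArmList "https://management.azure.com$($scope)/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"

# Index the PIM instances by the id of the role assignment they materialise
# (assumption: originRoleAssignmentId equals the ARM role assignment id).
$pimById = @{}
foreach ($inst in $pimInstances) {
    $originId = $inst.properties.originRoleAssignmentId
    if ($originId) { $pimById[$originId.ToLower()] = $inst }
}

# One row per role assignment, carrying the PIM columns the report should show.
$assignments | ForEach-Object {
    $pim = $pimById[$_.id.ToLower()]
    $pimType  = $null; $pimStart = $null; $pimEnd = $null
    if ($pim) {
        $pimType  = $pim.properties.assignmentType   # e.g. Activated or Assigned
        $pimStart = $pim.properties.startDateTime
        $pimEnd   = $pim.properties.endDateTime      # $null for a permanent assignment
    }
    [pscustomobject]@{
        RoleAssignmentId = $_.id
        PrincipalId      = $_.properties.principalId
        PrincipalType    = $_.properties.principalType
        CreatedOn        = $_.properties.createdOn
        CreatedBy        = $_.properties.createdBy   # object id; resolve to the ObjectType label separately
        PimManaged       = [bool]$pim
        PimAssignmentType = $pimType
        PimStart         = $pimStart
        PimEnd           = $pimEnd
    }
} | Format-Table -AutoSize
```

Rows with PimManaged set to True and a non-empty PimEnd correspond to the time-bound active PIM assignments from scenario 1; assignments created outside PIM, such as the policy remediation identities in scenario 2, show PimManaged False.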