AzGovViz v6_major_20220930_2

[JulianHayward]

Changes since last PR

Changes (2022-Sep-30 / Major)

• Fix issue #135
  • Embedded GitHub Actions OIDC (Open ID Connect) specific functionality to reconnect and get new token (AzAPICall)
  • New parameter -GitHubActionsOIDC which is only to be used for GitHub Actions /.github/workflows/AzGovViz_OIDC.yml
  • Updated /.github/workflows/AzGovViz_OIDC.yml to use the new parameter -GitHubActionsOIDC
• Fix issue #136
  • Handle return for Storage Accounts located in managed Resource Groups
    🌸 Call for contribution: Please review the list of known managed Resource Groups and contribute if you can, thanks!
• Added missing variable NoStorageAccountAccessAnalysis in .azuredevops/pipelines/AzGovViz.variables.yml
• Use AzAPICall PowerShell module version 1.1.30

Changes (2022-Sep-28 / Major)

• New feature 'Storage Account Access Analysis' - provides insights on Storage Accounts with focus on anonymous access (containers/blobs and 'Static website' feature). Data is provided in the HTML TenantSummary (Subscriptions, Resources & Defender) and as CSV export
  • New parameter -NoStorageAccountAccessAnalysis - do not execute the feature
  • New parameter -StorageAccountAccessAnalysisSubscriptionTags - define the Subscription tags that should be added to the CSV output
  • New parameter -StorageAccountAccessAnalysisStorageAccountTags - define the Storage Account (resource) tags that should be added to the CSV output
  • Updated .azuredevops/pipelines/AzGovViz.variables.yml accordingly
• Rename 'ALZ EverGreen' feature to 'Azure Landing Zones (ALZ) Policy Version Checker'
  • Replaced parameter -NoALZEverGreen with -NoALZPolicyVersionChecker
• Use AzAPICall PowerShell module version 1.1.24
• Optimizations

Changes (2022-Sep-17 / Major)

• Fix Azure DevOps Pipeline correct addressing of NoDefinitionInsights variable in YAML
• Fix issue #132
• Add Contribution Guide

Changes (2022-Sep-12 / Major)

• New feature 'ALZ EverGreen' - Azure Landing Zones EverGreen for Policy and Set definitions. AzGovViz will clone the ALZ GitHub repository and collect the ALZ policy and set definitions history. The ALZ data will be compared with the data from your tenant so that you can get lifecycle management recommendations for ALZ policy and set definitions that already exist in your tenant plus a list of ALZ policy and set definitions that do not exist in your tenant. The ALZ EverGreen results will be displayed in the TenantSummary and a CSV export *_ALZEverGreen.csv will be provided. Thanks! ALZ Team

  • New parameter -NoALZEverGreen - Do not execute the ALZ EverGreen feature

• Update: Per default DefinitionInsights will be written to a separate HTML file. This will improve the html file handling (browser memory usage /response time / user experience).

  • Note: Please update your Azure DevOps and GitHub YAML files with the latest versions if you are using the webApp publishing feature
  • New parameter -NoDefinitionInsightsDedicatedHTML (DefinitionInsights will NOT be written to a separate HTML file *_DefinitionInsights.html)

• Add Resource fluctuation detailed (*_ResourceFluctuationDetailed.csv) CSV output (add/remove, scope details, resource details)

• Fix consumption reporting for large tenants with more than 3k subscriptions (Management Group abc has too many subscriptions , exceeding CCM API Current Limit 3000)

• Fix CSV export *_PolicySetDefinitions.csv - Builtin Policy definitions contained in PolicySet definitions will only show the GUID instead of the full ID as for large PolicySet definitions the field size limit in Excel may be exceeded (column: PoliciesUsed4CSV)

• BuiltIn definitions collection - add 'Static' Policy definitions (part of DefinitionInsights and *_PolicyDefinitions.csv)

• Fix HierarchyMap image quality (now .png (aka 'peng')). Thanks! Brooks Vaughn

• Use AzAPICall PowerShell module version 1.1.23

• Optimizations Changes (2022-Aug-17 / Major)

• Update: IMPORTANT Fix for custom Role definitions / missing DataActions and NotDataActions

  • Update API reference roleDefinitions use API version 2018-07-01 (API version 2022-04-01 not available in sovereign clouds)

• BugFix

Changes (2022-Aug-03 / Major)

• IMPORTANT Fix for custom Role definitions / missing DataActions and NotDataActions
  • Update API reference roleDefinitions use API version 2022-04-01
• BugFix

Changes (2022-Jul-31 / Major)

• Update on feature 'PIM (Privileged Identity Management) eligible Role assignments'
  • Integrate with RoleAssignmentsAll (HTML, CSV)
    
  • New parameter -NoPIMEligibilityIntegrationRoleAssignmentsAll - Prevent integration of PIM eligible assignments with RoleAssignmentsAll (HTML, CSV)
• Fix: PIM 'Assigned' and 'Activated' Role assignments now also reflect inheritance for lower scopes
• Bugfixes & optimizations

Changes (2022-Jul-28 / Major)

• Update on feature 'PIM (Privileged Identity Management) eligible Role assignments'
  • new parameter -PIMEligibilityIgnoreScope - By default will only report for PIM Elibility for the scope (ManagementGroupId) that was provided. If you use the new switch parameter then PIM Eligibility for all onboarded scopes (Management Groups and Subscriptions) will be reported.
  • Add CSV output
  • Add inheritance information
• Use AzAPICall PowerShell module version 1.1.21
• Bugfixes

Changes (2022-Jul-26 / Major)

• New feature 'PIM (Privileged Identity Management) eligible Role assignments' (TenantSummary)
  ⛔ Breaking Change! requires API permissions update!
  • Get a full report of all PIM eligible Role assignments for Management Groups and Subscriptions, including resolved User members of AAD Groups that have assigned eligibility
  • Spoiler: Next iteration will include ScopeInsights, showing entire eligible Role assignments on Subscriptions including from upper Management Group scopes
  • 💡 Note: this feature requires to execute as Service Principal with Application API permission PrivilegedAccess.Read.AzureResources
• Use AzAPICall PowerShell module version 1.1.19
• Bugfixes

[dominicallen]

merging following @jocontr review.