Audit Azure AD Privileged Identity Management Role Settings

Azure AD Privileged Identity Management (PIM) is a feature of Azure AD that helps you manage, control, and monitor access to important resources in your organization. With PIM, you can enable just-in-time access for users, set up approval workflows for access requests, and monitor active access to ensure that it is used in accordance with your organization's policies. This reduces the risk of security breaches and ensures that your critical resources are only accessed by authorized users, and only for as long as they need them.
A few days ago, I published a script that lists all the Azure AD roles. From its output you can see that there are a lot of built-in Azure AD roles, and every one of them carries its own PIM role settings.
- List all Azure Active Directory Roles using PowerShell (kaidojarvemets.com)
If you have completed the Azure AD Privileged Identity Management role configuration, it is worth verifying that the settings match your organization's policies and that no role has been missed, since a single role left with permanent assignment allowed or MFA not required undoes the point of PIM. I have created a PowerShell script that generates a CSV file with one row per role: Role ID, Role Name, Permanent Assignment status, Maximum Grant Period in Minutes, MFA Required status, Justification Required status, Ticketing Required status, and the users who can approve activation requests. With the settings side by side you can check that they are configured as intended and spot gaps quickly.

PS! This script is still based on the AzureADPreview PowerShell Module. Microsoft has deprecated the AzureAD and AzureADPreview modules in favour of the Microsoft Graph PowerShell SDK, so treat this as a stop-gap and plan to move the audit to Microsoft Graph.
Audit-AzureADPIMRoleSettings.ps1 PowerShell Script
This script reads the list of Azure AD roles (names and IDs) from my GitHub account and then uses the Get-AzureADMSPrivilegedRoleSetting cmdlet to get the PIM role settings for each role. If you prefer not to depend on an external file, Get-AzureADMSRoleDefinition returns the role definitions of your own tenant with the same Id and DisplayName properties. You can always combine Microsoft Graph and AzureADPreview modules together too.
#Install the AzureADPreview PowerShell module
#-AllowClobber is needed when the AzureAD module is already installed, because both modules export the same cmdlet names
Install-Module AzureADPreview -Force -AllowClobber -Verbose

#Connect to Azure AD
Connect-AzureAD

#Audit file location. The script creates a CSV file here
$AuditFileLocation = "C:\AADAudit.csv"

#Get the Azure AD tenant ID. For directory roles the tenant ID is also the PIM ResourceId
$AzureADTenantId = (Get-AzureADTenantDetail).ObjectId

#Azure AD role names and IDs on my GitHub account
$URL = "https://raw.githubusercontent.com/Kaidja/AzureActiveDirectory/main/AzureADRoles.json"

#Convert Azure AD roles from JSON
$AADGitHubRoles = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json

#Collect one object per role and export once at the end, so the CSV gets a header row
$Results = [System.Collections.Generic.List[object]]::new()
$MaxApprovers = 0

#Process the AD roles and gather the data for each role
foreach($AADRole in $AADGitHubRoles){
    Write-Output -InputObject "---- Processing $($AADRole.DisplayName)"

    #Define the query filter
    $Filter = "ResourceId eq '$($AzureADTenantId)' and RoleDefinitionId eq '$($AADRole.Id)'"
    $PIMADRoleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Filter $Filter

    if(-not $PIMADRoleSettings){
        Write-Warning -Message "No PIM role setting returned for $($AADRole.DisplayName), skipping"
        continue
    }

    #Get the PIM role settings. Select each rule by its RuleIdentifier rather than by array position:
    #the order of UserMemberSettings is not guaranteed, and a positional index silently reads the wrong rule if it changes
    $UserMemberSettings = $PIMADRoleSettings.UserMemberSettings
    $ExpirationRule    = ($UserMemberSettings | Where-Object RuleIdentifier -eq 'ExpirationRule').Setting    | ConvertFrom-Json
    $MfaRule           = ($UserMemberSettings | Where-Object RuleIdentifier -eq 'MfaRule').Setting           | ConvertFrom-Json
    $JustificationRule = ($UserMemberSettings | Where-Object RuleIdentifier -eq 'JustificationRule').Setting | ConvertFrom-Json
    $TicketingRule     = ($UserMemberSettings | Where-Object RuleIdentifier -eq 'TicketingRule').Setting     | ConvertFrom-Json
    $ApprovalRule      = ($UserMemberSettings | Where-Object RuleIdentifier -eq 'ApprovalRule').Setting      | ConvertFrom-Json

    #Build object for each role
    $PIMProperties = [ordered]@{
        RoleID                      = $AADRole.Id
        RoleName                    = $AADRole.DisplayName
        PermanentAssignment         = $ExpirationRule.permanentAssignment
        MaximumGrantPeriodInMinutes = $ExpirationRule.maximumGrantPeriodInMinutes
        MfaRequired                 = $MfaRule.mfaRequired
        JustificationRequired       = $JustificationRule.required
        TicketingRequired           = $TicketingRule.ticketingRequired
    }

    #Add approvers, if any exist. Roles differ in approver count, so remember the maximum
    #and pad every row to the same set of columns before export
    $i = 1
    foreach($Approval in $ApprovalRule.Approvers){
        $PIMProperties["Approval $i"] = $Approval.DisplayName
        $i++
    }
    if(($i - 1) -gt $MaxApprovers){ $MaxApprovers = $i - 1 }

    $Results.Add([PSCustomObject]$PIMProperties)
}

#Export-Csv takes the column set from the first object, so a role with more approvers than the first one
#would lose columns. Select-Object with the full column list adds the missing Approval columns as empty values
$Columns = 'RoleID','RoleName','PermanentAssignment','MaximumGrantPeriodInMinutes','MfaRequired','JustificationRequired','TicketingRequired'
if($MaxApprovers -gt 0){ $Columns += 1..$MaxApprovers | ForEach-Object { "Approval $_" } }

#Export role settings to a CSV file
$Results | Select-Object -Property $Columns | Export-Csv -Path $AuditFileLocation -Delimiter ";" -NoTypeInformation
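The script above only exports the settings; deciding whether they are acceptable is still a manual read of the CSV. The following is an added example, not part of the original script, that evaluates each role's PIM settings against a baseline and reports the deviations. The baseline values (8-hour maximum activation, MFA and justification always required, no permanent active assignment, approvers mandatory for Global Administrator and Privileged Role Administrator) are assumptions for illustration, not a Microsoft recommendation. The role settings are constructed sample data shaped like the RuleIdentifier/Setting pairs that Get-AzureADMSPrivilegedRoleSetting returns in UserMemberSettings, so the example runs offline; in the real script you would pass $PIMADRoleSettings.UserMemberSettings for each role instead.

```powershell
# Added example: check PIM role settings against a baseline (assumed values, not from the original post)
$Baseline = @{
    MaxActivationMinutes    = 480        # assumption: activations longer than 8 hours are a finding
    RequireMfa              = $true
    RequireJustification    = $true
    ForbidPermanent         = $true
    RequireApprovalForRoles = @('Global Administrator', 'Privileged Role Administrator')
}

# Constructed sample data mimicking UserMemberSettings (RuleIdentifier + JSON Setting); not from a real tenant
$SampleRoles = @(
    @{ DisplayName = 'Global Administrator'; Settings = @(
        @{ RuleIdentifier = 'ExpirationRule';    Setting = '{"permanentAssignment":true,"maximumGrantPeriodInMinutes":600}' }
        @{ RuleIdentifier = 'MfaRule';           Setting = '{"mfaRequired":true}' }
        @{ RuleIdentifier = 'JustificationRule'; Setting = '{"required":true}' }
        @{ RuleIdentifier = 'TicketingRule';     Setting = '{"ticketingRequired":false}' }
        @{ RuleIdentifier = 'ApprovalRule';      Setting = '{"Approvers":[]}' }
    )}
    @{ DisplayName = 'Exchange Administrator'; Settings = @(
        @{ RuleIdentifier = 'ExpirationRule';    Setting = '{"permanentAssignment":false,"maximumGrantPeriodInMinutes":480}' }
        @{ RuleIdentifier = 'MfaRule';           Setting = '{"mfaRequired":false}' }
        @{ RuleIdentifier = 'JustificationRule'; Setting = '{"required":true}' }
        @{ RuleIdentifier = 'TicketingRule';     Setting = '{"ticketingRequired":false}' }
        @{ RuleIdentifier = 'ApprovalRule';      Setting = '{"Approvers":[]}' }
    )}
    @{ DisplayName = 'Security Reader'; Settings = @(
        @{ RuleIdentifier = 'ExpirationRule';    Setting = '{"permanentAssignment":false,"maximumGrantPeriodInMinutes":240}' }
        @{ RuleIdentifier = 'MfaRule';           Setting = '{"mfaRequired":true}' }
        @{ RuleIdentifier = 'JustificationRule'; Setting = '{"required":true}' }
        @{ RuleIdentifier = 'TicketingRule';     Setting = '{"ticketingRequired":false}' }
        @{ RuleIdentifier = 'ApprovalRule';      Setting = '{"Approvers":[{"DisplayName":"PIM Approvers"}]}' }
    )}
)

function Test-PimRoleSetting {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [object[]] $UserMemberSettings,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )

    # Index the rules by RuleIdentifier and parse each JSON Setting once
    $Rule = @{}
    foreach ($s in $UserMemberSettings) { $Rule[$s.RuleIdentifier] = $s.Setting | ConvertFrom-Json }

    $Findings = [System.Collections.Generic.List[string]]::new()

    if ($Baseline.ForbidPermanent -and $Rule.ExpirationRule.permanentAssignment) {
        $Findings.Add('permanent active assignment allowed')
    }
    if ($Rule.ExpirationRule.maximumGrantPeriodInMinutes -gt $Baseline.MaxActivationMinutes) {
        $Findings.Add("activation window $($Rule.ExpirationRule.maximumGrantPeriodInMinutes) min exceeds $($Baseline.MaxActivationMinutes) min")
    }
    if ($Baseline.RequireMfa -and -not $Rule.MfaRule.mfaRequired) {
        $Findings.Add('MFA not required on activation')
    }
    if ($Baseline.RequireJustification -and -not $Rule.JustificationRule.required) {
        $Findings.Add('justification not required')
    }
    # An empty or missing approver list means nobody has to approve an activation request
    if ($RoleName -in $Baseline.RequireApprovalForRoles -and -not $Rule.ApprovalRule.Approvers) {
        $Findings.Add('no approvers configured for a role that requires approval')
    }

    [PSCustomObject]@{
        RoleName  = $RoleName
        Compliant = ($Findings.Count -eq 0)
        Findings  = ($Findings -join '; ')
    }
}

$Report = foreach ($Role in $SampleRoles) {
    Test-PimRoleSetting -RoleName $Role.DisplayName -UserMemberSettings $Role.Settings -Baseline $Baseline
}
$Report | Format-Table -AutoSize
```

With the sample data, Global Administrator is reported with three findings (permanent assignment allowed, 600-minute activation window, no approvers), Exchange Administrator with one (MFA not required), and Security Reader as compliant. Because the function takes the same RuleIdentifier/Setting shape the cmdlet returns, it can be called inside the foreach loop of the audit script and its Compliant and Findings columns added to the exported CSV.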
Summary
Are you looking for expert help with implementing Azure AD Privileged Identity Management and ensuring the security of your Azure AD environment? I can assist with conducting security assessments and implementing Azure AD Privileged Identity Management to help protect your critical resources and reduce the risk of security breaches. Contact me to learn more and get started.