-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathPrivilegedEAM.yaml
152 lines (151 loc) · 8.38 KB
/
PrivilegedEAM.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
- Name: All privileged objects
Category: General
Query: |
$EntraOpsData = Get-EntraOpsPrivilegedEAM -RbacSystem ("EntraID", "IdentityGovernance","ResourceApps")
- Name: All privileged objects with Control Plane permissions
Category: Classification
Query: |
$EntraOpsData | Where-Object { $_.RoleAssignments.Classification.AdminTierLevelName -contains "ControlPlane" }
- Name: All privileged objects with permissions with related permissions to "Conditional Access"
Category: Classification
Query: |
$EntraOpsData | Where-Object { $_.RoleAssignments.Classification.Service -contains "Conditional Access" }
- Name: All Entra ID Custom Roles with role actions which has been classified as "Control Plane"
Category: Classification
Query: |
$EntraOpsData | Where-Object { $_.RoleAssignments.Classification.Service -contains "Conditional Access" }
- Name: Administrative Units with assigned privileged objects
Category: Privileged Scope
Query: |
$EntraIdRoles | Select-Object -ExpandProperty AssignedAdministrativeUnits `
| Select-Object -Unique displayName | Sort-Object displayName
- Name: External users with privileged role assignments
Category: Privileged User
Query: |
$EntraOpsData | Where-Object { $_.ObjectSubType -eq "Guest"}
- Name: Hybrid identities with privileges (excl. Directory Synchronization Service Account)
Category: Privileged User
Query: |
$EntraIdRoles | Where-Object { $_.OnPremSynchronized -eq $true `
-and $_.RoleAssignments.RoleDefinitionName -notcontains "Directory Synchronization Accounts" }
- Name: Identity Governance role assignment on catalog with privileged objects outside from classification of the administrator
Category: Privileged Scope
Query: |
$ElmCatalogAssignments = $EntraOpsData | where-object {$_.RoleSystem -eq "IdentityGovernance"} `
| Select-Object -ExpandProperty RoleAssignments `
| Where-Object {$_.Classification.TaggedBy -contains "AssignedCatalogObjects"}
foreach($ElmCatalogAssignment in $ElmCatalogAssignments){
$PrincipalClassification = $EntraOpsData | Where-Object {$_.ObjectId -eq $ElmCatalogAssignment.ObjectId} `
| Where-Object {$_.RoleSystem -ne "IdentityGovernance"} `
| Select-Object -ExpandProperty RoleAssignments `
| Select-Object -ExpandProperty Classification `
| Select-Object -Unique AdminTierLevelName, Service `
| Sort-Object -Property AdminTierLevelName, Service
if ($null -eq $PrincipalClassification) {
Write-Warning "No Principal Classification found for $($ElmCatalogAssignment.ObjectId)"
$PrincipalClassification = @(
[PSCustomObject]@{
AdminTierLevelName = "User Access"
Service = "No Classification"
}
)
}
$ElmCatalogClassification = $ElmCatalogAssignment | Select-Object -ExpandProperty Classification `
| Where-Object {$_.TaggedBy -eq "AssignedCatalogObjects"} `
| Select-Object -Unique AdminTierLevelName, Service `
| Sort-Object -Property AdminTierLevelName, Service
$Differences = Compare-Object -ReferenceObject ($ElmCatalogClassification) `
-DifferenceObject ($PrincipalClassification) -Property AdminTierLevelName, Service `
| Where-Object {$_.SideIndicator -eq "<="} | Select-Object * -ExcludeProperty SideIndicator
if ($null -ne $Differences) {
try {
$Principal = Get-EntraOpsEntraObject -AadObjectId $ElmCatalogAssignment.ObjectId
}
catch {
$Principal = [PSCustomObject]@{
ObjectDisplayName = "Unknown"
ObjectType = "Unknown"
}
}
}
if ($Differences) {
$Differences | ForEach-Object {
[PSCustomObject]@{
"PrincipalName" = $Principal.ObjectDisplayName
"PrincipalType" = $Principal.ObjectType
"RoleAssignmentId" = $ElmCatalogAssignment.RoleAssignmentId
"RoleAssignmentScopeId" = $ElmCatalogAssignment.RoleAssignmentScopeId
"RoleAssignmentScopeName" = $ElmCatalogAssignment.RoleAssignmentScopeName
"AdminTierLevelName" = $_.AdminTierLevelName
"Service" = $_.Service
}
}
}
}
- Name: Privileged objects (e.g., groups or service principals) with privileges and delegations by ownership
Category: Privileged Scope
Query: |
$EntraOpsData | Where-Object { $_.Owners -ne $null}
- Name: Privileged objects without restricted management by assigning role-assignable group membership, Entra ID role or RMAU membership
Category: Privileged Scope
Query: |
$EntraOpsData `
| Where-Object {$_.RestrictedManagementByRAG -ne $True `
-and $_.RestrictedManagementByAadRole -ne $True `
-and $_.RestrictedManagementByRMAU -ne $True `
-and $_.ObjectType -ne "serviceprincipal"}
- Name: Role Assignments by using eligible membership in "PIM for Groups" or nested group membership
Category: PIM
Query: |
$EntraOpsData | Select-Object -ExpandProperty RoleAssignments `
| Where-Object {$_.RoleAssignmentSubType -eq "Eligible member" -or $_.RoleAssignmentSubType -like "*Nested*"} `
| sort-object RoleAssignmentSubType `
| ft RoleAssignmentId, RoleAssignmentScopeName, RoleSystem, RoleAssignmentType, RoleAssignmentSubType, PIMAssignmentType, Transitive*
- Name: Permanent Role Assignments in Azure RBAC with High Privileged Roles on Tenant Root or Management Group without Restricted Management
Category: Azure RBAC
Query: |
$AzPrivilegedRolesQuery = 'AuthorizationResources
| where type =~ "microsoft.authorization/roleassignments"
| extend ObjectType = tostring(properties["principalType"])
| extend ObjectId = tostring(properties["principalId"])
| extend roleDefinitionId = tolower(tostring(properties["roleDefinitionId"]))
| extend Scope = tolower(tostring(properties["scope"]))
| mv-expand parse_json(Scope)
| join kind=inner ( AuthorizationResources
| where type =~ "microsoft.authorization/roledefinitions"
| extend roleDefinitionId = tolower(id)
| extend Scope = tolower(properties.assignableScopes)
| extend RoleName = (properties.roleName)
| where RoleName in ("Owner",
"Access Review Operator Service Role",
"Contributor",
"Role Based Access Control Administrator",
"User Access Administrator")
) on roleDefinitionId
| where Scope in (
"/"
)
or Scope startswith (
"/providers/microsoft.management/managementgroups/"
)
| project ObjectId, ObjectType, RoleName, Scope'
$AzPrivilegedRoles = Invoke-EntraOpsAzGraphQuery -KqlQuery $AzPrivilegedRolesQuery
$AzPrivilegedPrincipals = $AzPrivilegedRoles | Select-Object -unique ObjectId
$UnprotectedAzureAdmins = foreach ($AzPrivilegedPrincipal in $AzPrivilegedPrincipals) {
$UnprotectedAzureAdmin = Get-EntraOpsPrivilegedEntraObject -AadObjectId $AzPrivilegedPrincipal.ObjectId `
| Where-Object {$_.RestrictedManagementByRMAU -ne $True -and $_.ObjectType -ne "serviceprincipal" `
-and $_.RestrictedManagementByAadRole -ne $True `
-and $_.RestrictedManagementByRAG -ne $True
}
if($UnprotectedAzureAdmin) {
$RoleAssignments = $AzPrivilegedRoles | Where-Object {$_.ObjectId -eq $AzPrivilegedPrincipal.ObjectId} | Select-Object RoleName, Scope
$UnprotectedAzureAdmin | Add-Member -MemberType NoteProperty -Name "RoleAssignments" -Value $RoleAssignments -Force
$UnprotectedAzureAdmin
}
}
$UnprotectedAzureAdmins
- Name: Role Assignments of privileges without using PIM capabilities (excluded service principals)
Category: PIM
Query: |
$EntraOpsData | select-Object -ExpandProperty RoleAssignments `
| Where-Object {$_.ObjectType -ne "serviceprincipal" -and $_.PIMAssignmentType -ne "Eligible"}