Move

AzureRoleAnalyzingScripts/Check-AppRoles.ps1

@@ -0,0 +1,117 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$InputFile
+)
+
+# Ensure you're logged into Azure CLI
+try {
+    $null = az account show
+}
+catch {
+    Write-Host "Please log in to Azure CLI first using 'az login'"
+    exit
+}
+
+# Function to get all role definitions
+function Get-AllRoleDefinitions {
+    $roles = az role definition list |
+        ConvertFrom-Json |
+        ForEach-Object { $_ } |
+#        Where-Object { $_.roleName -eq "Website Contributor" }
+        Where-Object { $_.roleType -ne "CustomRole" -and $_.roleName -ne "Contributor" -and $_.roleName -ne "Owner" }
+    return $roles
+}
+
+# Function to check if a string matches a resource type pattern
+function Test-ResourceTypeMatch {
+    param (
+        [string]$Pattern,
+        [string]$ResourceType
+    )
+    $patternParts = $Pattern -split '/'
+    $resourceTypeParts = $ResourceType -split '/'
+
+    for ($i = 0; $i -lt $patternParts.Count; $i++) {
+        if ($i -ge $resourceTypeParts.Count -and $patternParts[$i] -ne "*") {
+            return $false
+        }
+
+        if ($patternParts[$i] -eq '*') {
+            if ($i -eq $patternParts.Count - 1) {
+                return $true
+            }
+            continue
+        }
+
+        if ($patternParts[$i] -ne $resourceTypeParts[$i]) {
+            return $false
+        }
+    }
+
+    # If the pattern is shorter than the resource type, it's only a match if the last part was a wildcard
+    return ($patternParts.Count -eq $resourceTypeParts.Count) -or ($patternParts[-1] -eq '*')
+}
+
+# Function to check if a role grants access to a resource type
+function Test-RoleAccess {
+    param (
+        $Role,
+        $ResourceType
+    )
+    $hasAccess = $false
+    foreach ($permission in $Role.permissions) {
+        # Check actions and dataActions
+        foreach ($action in ($permission.actions + $permission.dataActions)) {
+            if (Test-ResourceTypeMatch -Pattern $action -ResourceType $ResourceType) {
+                $hasAccess = $true
+                break
+            }
+        }
+        
+        # Check notActions and notDataActions
+        foreach ($notAction in ($permission.notActions + $permission.notDataActions)) {
+            if (Test-ResourceTypeMatch -Pattern $notAction -ResourceType $ResourceType) {
+                return $false  # Explicitly not allowed
+            }
+        }
+        
+        if ($hasAccess) {
+            break
+        }
+    }
+    return $hasAccess
+}
+
+# Get all role definitions
+$allRoles = Get-AllRoleDefinitions
+
+# Read the file with resource types
+try {
+    $resourceTypes = Get-Content -Path $InputFile -ErrorAction Stop
+    $resourceTypes = $resourceTypes | Sort-Object
+}
+catch {
+    Write-Host "Error reading input file: $_"
+    exit
+}
+
+# Process each resource type
+foreach ($resourceType in $resourceTypes) {
+    Write-Host "Resource Type: $resourceType"
+    $matchingRoles = @()
+
+    foreach ($role in $allRoles) {
+        if (Test-RoleAccess -Role $role -ResourceType $resourceType) {
+            $matchingRoles += $role.roleName
+        }
+    }
+
+    if ($matchingRoles.Count -gt 0) {
+        Write-Host "Roles granting access:"
+        $matchingRoles | ForEach-Object { Write-Host "  - $_" }
+    } else {
+        Write-Host "No roles found granting access to this resource type."
+    }
+    Write-Host ""
+}