Move

Reviewed-on: #1

AzureRoleAnalyzingScripts/Check-AppRoles.ps1

@@ -0,0 +1,117 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$InputFile
+)
+
+# Ensure you're logged into Azure CLI
+try {
+    $null = az account show
+}
+catch {
+    Write-Host "Please log in to Azure CLI first using 'az login'"
+    exit
+}
+
+# Function to get all role definitions
+function Get-AllRoleDefinitions {
+    $roles = az role definition list |
+        ConvertFrom-Json |
+        ForEach-Object { $_ } |
+#        Where-Object { $_.roleName -eq "Website Contributor" }
+        Where-Object { $_.roleType -ne "CustomRole" -and $_.roleName -ne "Contributor" -and $_.roleName -ne "Owner" }
+    return $roles
+}
+
+# Function to check if a string matches a resource type pattern
+function Test-ResourceTypeMatch {
+    param (
+        [string]$Pattern,
+        [string]$ResourceType
+    )
+    $patternParts = $Pattern -split '/'
+    $resourceTypeParts = $ResourceType -split '/'
+
+    for ($i = 0; $i -lt $patternParts.Count; $i++) {
+        if ($i -ge $resourceTypeParts.Count -and $patternParts[$i] -ne "*") {
+            return $false
+        }
+
+        if ($patternParts[$i] -eq '*') {
+            if ($i -eq $patternParts.Count - 1) {
+                return $true
+            }
+            continue
+        }
+
+        if ($patternParts[$i] -ne $resourceTypeParts[$i]) {
+            return $false
+        }
+    }
+
+    # If the pattern is shorter than the resource type, it's only a match if the last part was a wildcard
+    return ($patternParts.Count -eq $resourceTypeParts.Count) -or ($patternParts[-1] -eq '*')
+}
+
+# Function to check if a role grants access to a resource type
+function Test-RoleAccess {
+    param (
+        $Role,
+        $ResourceType
+    )
+    $hasAccess = $false
+    foreach ($permission in $Role.permissions) {
+        # Check actions and dataActions
+        foreach ($action in ($permission.actions + $permission.dataActions)) {
+            if (Test-ResourceTypeMatch -Pattern $action -ResourceType $ResourceType) {
+                $hasAccess = $true
+                break
+            }
+        }
+        
+        # Check notActions and notDataActions
+        foreach ($notAction in ($permission.notActions + $permission.notDataActions)) {
+            if (Test-ResourceTypeMatch -Pattern $notAction -ResourceType $ResourceType) {
+                return $false  # Explicitly not allowed
+            }
+        }
+        
+        if ($hasAccess) {
+            break
+        }
+    }
+    return $hasAccess
+}
+
+# Get all role definitions
+$allRoles = Get-AllRoleDefinitions
+
+# Read the file with resource types
+try {
+    $resourceTypes = Get-Content -Path $InputFile -ErrorAction Stop
+    $resourceTypes = $resourceTypes | Sort-Object
+}
+catch {
+    Write-Host "Error reading input file: $_"
+    exit
+}
+
+# Process each resource type
+foreach ($resourceType in $resourceTypes) {
+    Write-Host "Resource Type: $resourceType"
+    $matchingRoles = @()
+
+    foreach ($role in $allRoles) {
+        if (Test-RoleAccess -Role $role -ResourceType $resourceType) {
+            $matchingRoles += $role.roleName
+        }
+    }
+
+    if ($matchingRoles.Count -gt 0) {
+        Write-Host "Roles granting access:"
+        $matchingRoles | ForEach-Object { Write-Host "  - $_" }
+    } else {
+        Write-Host "No roles found granting access to this resource type."
+    }
+    Write-Host ""
+}

AzureRoleAnalyzingScripts/Get-AzureRoles.ps1

@@ -0,0 +1,30 @@
+# NOTE:
+# Make sure you are logged into the az cli before running this
+# Command: az login
+
+# Get the JSON data from Azure CLI
+$jsonData = az role definition list | ConvertFrom-Json
+
+# Create an empty array to store the formatted strings
+$formattedRoles = @()
+
+foreach ($role in $jsonData) {
+    $roleType = if ($role.roleType -eq "BuiltInRole") { "Built-in role" } else { "Custom role" }
+    
+    $formattedRole = @"
+
+$roleType    $($role.roleName)
+Description    $($role.description)
+ID    $($role.name)
+"@
+
+    $formattedRoles += $formattedRole
+}
+
+# Join all formatted roles into a single string
+$output = $formattedRoles -join "`n"
+
+# Write the output to a text file
+$output | Out-File -FilePath "azure_roles.txt" -Encoding UTF8
+
+Write-Host "Azure roles have been written to azure_roles.txt"

AzureRoleAnalyzingScripts/clean_csv.ps1

@@ -0,0 +1,14 @@
+# Parameters
+$inputFilePath = "./QueryResult.csv"
+$outputFilePath = "./CleanResults.csv"
+
+# Read the content of the file
+$content = Get-Content -Path $inputFilePath -Raw
+
+# Remove all double quotes
+$contentWithoutQuotes = $content -replace '"', ''
+
+# Write the modified content to a new file
+$contentWithoutQuotes | Set-Content -Path $outputFilePath -NoNewline
+
+Write-Output "Quotes removed. New file saved as: $outputFilePath"

AzureRoleAnalyzingScripts/data/TestResults.csv

@@ -0,0 +1,3 @@
+Correlation id,Operation name,Status,Event category,Level,Time,Subscription,Event initiated by,Resource type,Resource group,Resource
+7fec9c56-7671-47f7-9345-ce186dd9d3c1,List Storage Account Keys,Succeeded,Administrative,Informational,2024-10-01T19:33:20.668Z,040698c2-a013-45be-b1fa-e975f46b9d63,BackupFairFax,Microsoft.Storage/storageAccounts,mvdtadt5-onpremtest,/subscriptions/040698c2-a013-45be-b1fa-e975f46b9d63/resourceGroups/mvdtadt5-onpremtest/providers/Microsoft.Storage/storageAccounts/mvdtadt5profilesstr
+7fec9c56-7671-47f7-9345-ce186dd9d3c1,List Storage Account Keys,Started,Administrative,Informational,2024-10-01T19:33:20.621Z,040698c2-a013-45be-b1fa-e975f46b9d63,BackupFairFax,Microsoft.Storage/storageAccounts,mvdtadt5-onpremtest,/subscriptions/040698c2-a013-45be-b1fa-e975f46b9d63/resourceGroups/mvdtadt5-onpremtest/providers/Microsoft.Storage/storageAccounts/mvdtadt5profilesstr

AzureRoleAnalyzingScripts/output/item.txt

@@ -0,0 +1 @@
+Microsoft.Web/sites/config

AzureRoleAnalyzingScripts/output/msvoc-backend_results.txt

@@ -0,0 +1,135 @@
+Application: msvoc-backend
+------------------------
+  Resource Type: Microsoft.Insights/dataCollectionEndpoints
+    - Create or update data collection endpoint
+  Resource Type: Microsoft.Web/sites/host
+    - List Web Apps Functions Host Keys
+  Resource Type: Microsoft.Automation/automationAccounts/runbooks
+    - Create or Update an Azure Automation Runbook
+  Resource Type: Microsoft.Automation/automationAccounts/configurations
+    - Puts an Azure Automation DSC's content
+  Resource Type: Microsoft.Compute/virtualMachines
+    - 'auditIfNotExists' Policy action.
+    - 'audit' Policy action.
+    - Create or Update Virtual Machine
+    - Start Virtual Machine
+    - Get Virtual Machine
+  Resource Type: Microsoft.Web/sites
+    - 'auditIfNotExists' Policy action.
+    - Update website
+    - 'deployIfNotExists' Policy action.
+    - 'audit' Policy action.
+  Resource Type: Microsoft.ServiceBus/namespaces
+    - 'auditIfNotExists' Policy action.
+    - Create Or Update Namespace 
+    - 'audit' Policy action.
+  Resource Type: Microsoft.DesktopVirtualization/applicationGroups
+    - Write applicationgroups
+  Resource Type: Microsoft.Storage/storageAccounts
+    - 'deployIfNotExists' Policy action.
+    - Update Storage Account Create
+    - 'auditIfNotExists' Policy action.
+    - 'audit' Policy action.
+    - List Storage Account Keys
+    - Get Storage Account(s) List
+  Resource Type: Microsoft.AppConfiguration/configurationStores
+    - 'audit' Policy action.
+    - 'auditIfNotExists' Policy action.
+    - Create or Update Configuration Store
+    - Get Configuration Store or List Configuration Stores
+    - Delete Configuration Store
+    - Delete role assignment
+  Resource Type: Microsoft.Automation/automationAccounts
+    - Create or Update an Azure Automation account
+    - Gets the Keys for the automation account
+  Resource Type: Microsoft.KeyVault/vaults
+    - 'auditIfNotExists' Policy action.
+    - Update Key Vault
+    - 'deployIfNotExists' Policy action.
+    - 'audit' Policy action.
+    - Delete Key Vault
+    - Delete role assignment
+  Resource Type: Microsoft.Automation/automationAccounts/jobSchedules
+    - Create an Azure Automation job schedule
+  Resource Type: Microsoft.Automation/automationAccounts/schedules
+    - Create or Update an Azure Automation schedule asset
+  Resource Type: Microsoft.Automation/automationAccounts/compilationjobs
+    - Puts an Azure Automation DSC's Compilation
+  Resource Type: Microsoft.Web/serverfarms
+    - Update hosting plan
+  Resource Type: Microsoft.Insights/components
+    - Update insights component
+  Resource Type: Microsoft.Automation/automationAccounts/modules
+    - Create or Update an Azure Automation Powershell module
+  Resource Type: Microsoft.Web/sites/config
+    - Update web sites config
+  Resource Type: Microsoft.DesktopVirtualization/hostPools
+    - Write hostpools
+    - listRegistrationTokens
+  Resource Type: Microsoft.OperationalInsights/workspaces
+    - Create Workspace
+  Resource Type: Microsoft.DesktopVirtualization/workspaces
+    - Write workspaces
+  Resource Type: Microsoft.ManagedIdentity/userAssignedIdentities
+    - Update User Assigned Identity Create
+  Resource Type: Microsoft.Authorization/roleAssignments
+    - Create role assignment
+  Resource Type: Microsoft.Automation/automationAccounts/credentials
+    - Create or Update an Azure Automation credential asset
+  Resource Type: Microsoft.Automation/automationAccounts/variables
+    - Create or Update an Azure Automation variable asset
+    - Delete an Azure Automation variable asset
+  Resource Type: Microsoft.Compute/virtualMachines/extensions
+    - Get Virtual Machine Extension
+    - Create or Update Virtual Machine Extension
+  Resource Type: Microsoft.OperationalInsights/workspaces/dataSources
+    - Upsert Data Source
+  Resource Type: Microsoft.AppConfiguration/configurationStores/keyValues
+    - Write Key-Value
+  Resource Type: Microsoft.Insights/diagnosticSettings
+    - Create or update resource diagnostic setting
+  Resource Type: Microsoft.DesktopVirtualization/applicationGroups/desktops
+    - Desktops Write applicationgroups
+  Resource Type: Microsoft.ServiceBus/namespaces/queues
+    - Create or Update Queue
+  Resource Type: Microsoft.Storage/storageAccounts/blobServices/containers
+    - Put blob container
+  Resource Type: Microsoft.Storage/storageAccounts/fileServices/shares
+    - Put File Share
+  Resource Type: Microsoft.Storage/storageAccounts/blobServices
+    - Put blob service properties
+  Resource Type: Microsoft.Resources/subscriptions/resourcegroups
+    - Update resource group
+    - Delete data collection endpoint
+    - Delete resource group
+    - Delete Workspace
+    - Delete workspaces
+    - Delete applicationgroups
+    - Delete insights component
+    - Delete data collection rule
+    - Delete Smart Detector alert rule
+    - Delete Storage Account
+    - Delete role assignment
+    - Delete an Azure Automation account
+    - Delete User Assigned Identity
+    - Delete website
+    - Delete hostpools
+    - Delete Namespace
+    - Delete hosting plan
+    - Delete Configuration Store
+  Resource Type: Microsoft.Compute/disks
+    - Delete Disk
+  Resource Type: Microsoft.Network/networkInterfaces
+    - Delete Network Interface
+  Resource Type: Microsoft.KeyVault/locations/deletedVaults
+    - Purge Soft Deleted Key Vault
+  Resource Type: Microsoft.AppConfiguration/locations/deletedConfigurationStores
+    - Purge Deleted Configuration Store
+
+Total rows in CSV: 128634
+Rows processed: 16157
+Rows skipped (Started status, ignored operations, or non-matching application): 112477
+Ignored operations: Resume Databases, UpdateWebSite
+Filtered by application: msvoc-backend
+
+Results have been saved to: msvoc-backend_results.txt

AzureRoleAnalyzingScripts/output/msvoc-backend_results.txt.raw

@@ -0,0 +1,40 @@
+Microsoft.Insights/dataCollectionEndpoints
+Microsoft.Web/sites/host
+Microsoft.Automation/automationAccounts/runbooks
+Microsoft.Automation/automationAccounts/configurations
+Microsoft.Compute/virtualMachines
+Microsoft.Web/sites
+Microsoft.ServiceBus/namespaces
+Microsoft.DesktopVirtualization/applicationGroups
+Microsoft.Storage/storageAccounts
+Microsoft.AppConfiguration/configurationStores
+Microsoft.Automation/automationAccounts
+Microsoft.KeyVault/vaults
+Microsoft.Automation/automationAccounts/jobSchedules
+Microsoft.Automation/automationAccounts/schedules
+Microsoft.Automation/automationAccounts/compilationjobs
+Microsoft.Web/serverfarms
+Microsoft.Insights/components
+Microsoft.Automation/automationAccounts/modules
+Microsoft.Web/sites/config
+Microsoft.DesktopVirtualization/hostPools
+Microsoft.OperationalInsights/workspaces
+Microsoft.DesktopVirtualization/workspaces
+Microsoft.ManagedIdentity/userAssignedIdentities
+Microsoft.Authorization/roleAssignments
+Microsoft.Automation/automationAccounts/credentials
+Microsoft.Automation/automationAccounts/variables
+Microsoft.Compute/virtualMachines/extensions
+Microsoft.OperationalInsights/workspaces/dataSources
+Microsoft.AppConfiguration/configurationStores/keyValues
+Microsoft.Insights/diagnosticSettings
+Microsoft.DesktopVirtualization/applicationGroups/desktops
+Microsoft.ServiceBus/namespaces/queues
+Microsoft.Storage/storageAccounts/blobServices/containers
+Microsoft.Storage/storageAccounts/fileServices/shares
+Microsoft.Storage/storageAccounts/blobServices
+Microsoft.Resources/subscriptions/resourcegroups
+Microsoft.Compute/disks
+Microsoft.Network/networkInterfaces
+Microsoft.KeyVault/locations/deletedVaults
+Microsoft.AppConfiguration/locations/deletedConfigurationStores

AzureRoleAnalyzingScripts/parse_logs.ps1

@@ -0,0 +1,95 @@
+param(
+    [string]$CsvPath = "path_to_your_csv_file.csv",
+    [int]$RowLimit = -1,  # -1 means process all rows
+    [string]$ApplicationName = ""
+)
+
+# Function to import CSV data with optional row limit
+function Import-LimitedCsv {
+    param(
+        [string]$Path,
+        [int]$Limit = -1
+    )
+
+    $csv = Import-Csv -Path $Path
+    if ($Limit -gt 0) {
+        return $csv | Select-Object -First $Limit
+    }
+    return $csv
+}
+
+function Write-OutputBoth {
+    param(
+        [string]$Message,
+        [System.IO.StreamWriter]$Writer
+    )
+    Write-Host $Message
+    $Writer.WriteLine($Message)
+}
+
+$outputFileName = if ($ApplicationName) {
+    "$($ApplicationName.Replace(' ', '_').ToLower())_results.txt"
+} else {
+    "all_applications_results.txt"
+}
+
+$outputDir = "output"
+if (-not (Test-Path -Path $outputDir)) {
+    New-Item -ItemType Directory -Force -Path $outputDir
+}
+
+$outputFilePath = Join-Path $outputDir $outputFileName
+
+# Import the CSV file with optional row limit
+$csvData = Import-LimitedCsv -Path $CsvPath -Limit $RowLimit
+
+# Define operations to ignore
+$ignoredOperations = @("Resume Databases", "UpdateWebSite")
+
+# Filter out items with "Started" status and group by "Event initiated by"
+$groupedData = $csvData | 
+    Where-Object { $_."Status" -ne "Started" -and $_."Operation name" -notin $ignoredOperations } |
+    Group-Object -Property "Event initiated by"
+
+if ($ApplicationName) {
+    $groupedData = $groupedData | Where-Object { $_.Name -eq $ApplicationName }
+}
+
+$writer = [System.IO.StreamWriter]::new("$OutputFilePath.raw")
+
+try {
+    # Process each group
+    foreach ($group in $groupedData) {
+        Write-Host "Application: $($group.Name)"
+        Write-Host "------------------------"
+
+        $resourceTypes = $group.Group | 
+            Select-Object "Resource type", "Operation name" -Unique |
+            Group-Object -Property "Resource type"
+
+        foreach ($resourceType in $resourceTypes) {
+            Write-OutputBoth "$($resourceType.Name)" $writer
+        }
+        Write-Host ""
+    }
+
+    $totalRows = $csvData.Count
+    $processedRows = ($csvData | Where-Object { $_."Status" -ne "Started" -and $_."Operation name" -notin $ignoredOperations}).Count
+    if ($ApplicationName) {
+        $processedRows = ($groupedData | Where-Object { $_.Name -eq $ApplicationName }).Group.Count
+    }
+    $skippedRows = $totalRows - $processedRows
+
+    Write-Host "Total rows in CSV: $totalRows"
+    Write-Host "Rows processed: $processedRows"
+    Write-Host "Rows skipped (Started status, ignored operations, or non-matching application): $skippedRows"
+    Write-Host "Ignored operations: $($ignoredOperations -join ', ')"
+    if ($ApplicationName) {
+        Write-Host "Filtered by application: $ApplicationName"
+    }
+    Write-Host ""
+    Write-Host "Results have been saved to: $outputFileName"
+}
+finally {
+    $writer.Close()
+}

AzureRoleAnalyzingScripts/required_roles.txt

@@ -0,0 +1,14 @@
+Minimal set of Azure roles required:
+-----------------------------------
+Role Name: Disk Encryption Set Operator for Managed Disks
+Description: Provides permissions to read, write or delete disk encryption sets which are used for encrypting managed disks with customer managed keys
+ID: 136d308c-0937-4a49-9bd7-edfb42adbffc
+
+Role Name: Managed Identity Contributor
+Description: Create, Read, Update, and Delete User Assigned Identity
+ID: e40ec5ca-96e0-45a2-b4ff-59039f2c2b59
+
+Role Name: Desktop Virtualization Power On Contributor
+Description: Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines.
+ID: 489581de-a3bd-480d-9518-53dea7416b33
+