Keep a tab on access settings of your Azure subscriptions

If you’re responsible for managing access to your organization’s Azure subscriptions — it’s likely that you’ve made other people co-administrators of the subscriptions. If you’re taking advantage of the finer-grained access management capabilities of the new Azure portal (aka Azure RBAC) — you would have granted access to users and AD groups, to scopes within the subscriptions — resource groups or even individual resources (VMs, Websites, Databases).

This post will show you how you can keep a tab on access settings of your Azure subscriptions:

  • Monitor changes to the access settings by reviewing who granted what kind of access to whom on your subscriptions over the past 90 days
  • Generate a list of all access assignments to understand who all currently has access on your subscriptions
  • Given a user, understand what access she has on your subscriptions via direct assignments as well as assignments made to groups that she’s in

Azure Resource Manager

The new service management API layer of Azure (called the Azure Resource Manager) logs all changes to access in Azure through its Events service. These events include changes to the traditional Service Administrator and Co-Administrator roles too. We will query the ARM Events service to create the Access Change History report. Further, the authorization resource provider of Azure Resource Manager exposes APIs with which we can query the current state of access settings for the subscriptions and their resources. We will query the authorization resource provider to create the Access Settings report – for all subscriptions as well as the assignments applicable to a specific user.

Install ARMPowerShell

I recently published this post about ARMPowerShell – a PowerShell script module that I wrote to query Azure Resource Manager APIs. Install it to get the PowerShell commands that generate the access reports:

  • Download and unzip the archive: https://github.com/dushyantgill/AzureResourceManagerPowerShell/archive/master.zip
  • Fire up PowerShell. Make sure you’ve set the execution policy to RemoteSigned; if not, run: Set-ExecutionPolicy RemoteSigned -Scope Process.
  • Run the Install-ARMModule.ps1 script from the location where you unzipped the archive. The script does two things: it downloads the Azure AD Authentication Library (ADAL) NuGet package, and it creates a new module folder for ARM under the user’s Documents\WindowsPowerShell\Modules with the PSD1 and PSM1 files.
  • Run Connect-ARM and sign-in with your Azure account

Who all has access to my subscriptions?

Run the Get-ARMAccessAssignments command to get all access settings of your Azure subscriptions (all role assignments to all the subscriptions to which you have reader access). It will emit role assignment objects with the following properties.

  • DirectoryName: the name of the Azure Active Directory to which the subscription is homed. e.g. ‘aaddemo.com’
  • SubscriptionName: the name of the Azure subscription. e.g. ‘Development’
  • SubscriptionId: the identifier of the Azure subscription. e.g. ‘e91d47c4-76f3-4271-a796-21b4ecfe3624’
  • RoleId: the identifier of the RBAC role that has been assigned to the user, group or service principal. e.g. ‘/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c’. Note that this value is null for assignments of the classic roles of Service Administrator and Co-Administrator
  • RoleName: the name of the role that has been assigned to the user, group or service principal. e.g. ‘Contributor’
  • SubjectId: the object identifier of the user, group or service principal that has the access. e.g. ‘51debb58-4e3c-4e0e-bb97-bcc4e1a7ac8d’. Note that this is null for assignments of the classic roles of Service Administrator and Co-Administrator
  • SubjectType: ‘User’ or ‘Group’ or ‘Service Principal’
  • SubjectName: the name of user, group or service principal that has the access. e.g. ‘externalmsauser@outlook.com’
  • Scope: the level in the resource hierarchy at which the subject has the access. It is the URI of the subscription or resource group or the resource. e.g. ‘/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624/resourceGroups/Demo’
  • ScopeType: ‘Subscription’ or ‘Resource Group’ or ‘Resource’
  • ScopeName: the name of the subscription, resource group or resource at which the subject has access. e.g. ‘Demo (Region: southcentralus)’

I find it easiest to review the report in Excel: export the results of the command to a CSV file and format it in Excel.
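The export step above, carried a little further, as an added example (this is not code from the post or from the ARMPowerShell module): it snapshots every role assignment to CSV, surfaces the assignments a reviewer usually wants to look at first (subscription-wide privileged or classic-admin roles, service principals, and the subjects holding the most assignments), and diffs two snapshots taken on different days. It assumes Connect-ARM has already been run and that Get-ARMAccessAssignments, called without parameters, emits objects with the properties listed above; the role names ‘Owner’ and ‘User Access Administrator’ are built-in Azure RBAC roles that the post itself does not mention.

```powershell
# Added example (not part of the ARMPowerShell module).
# Assumes Connect-ARM has already been run.

$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
$snapshot = Join-Path $env:USERPROFILE "Documents\AzureAccess-$stamp.csv"

$assignments = @(Get-ARMAccessAssignments)
$assignments | Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Saved $($assignments.Count) role assignments to $snapshot"

# Built-in roles that can change resources or access. Classic Service
# Administrator / Co-Administrator assignments carry a null RoleId (see the
# property list above), so they are caught by the second test.
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

$subscriptionWide = $assignments | Where-Object {
    $_.ScopeType -eq 'Subscription' -and
    (($privilegedRoles -contains $_.RoleName) -or ($_.RoleId -eq $null))
}
Write-Host "`n--- Subscription-wide privileged or classic admin assignments ---"
$subscriptionWide |
    Sort-Object SubscriptionName, SubjectName |
    Format-Table SubscriptionName, RoleName, SubjectType, SubjectName -AutoSize |
    Out-Host

# Service principals: automation identities rarely get removed when a project
# ends. The post shows the type spelled both 'Service Principal' and
# 'ServicePrincipal', so the comparison ignores the space.
Write-Host "`n--- Service principal assignments ---"
$assignments |
    Where-Object { ($_.SubjectType -replace ' ', '') -eq 'ServicePrincipal' } |
    Format-Table SubscriptionName, RoleName, SubjectName, ScopeName -AutoSize |
    Out-Host

# Who holds the most assignments across all subscriptions?
Write-Host "`n--- Assignments per subject (top 15) ---"
$assignments |
    Group-Object SubjectName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 |
    Format-Table -AutoSize |
    Out-Host

# Diff two CSV snapshots. Run this on the next review cycle against the
# previous file to see exactly which assignments appeared or disappeared.
function Compare-AccessSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Previous,
        [Parameter(Mandatory = $true)][string]$Current
    )
    # SubjectName rather than SubjectId, because SubjectId is null for classic admins.
    $key = 'SubscriptionId', 'RoleName', 'SubjectType', 'SubjectName', 'Scope'
    Compare-Object (Import-Csv $Previous) (Import-Csv $Current) -Property $key |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      SubscriptionId, RoleName, SubjectType, SubjectName, Scope |
        Sort-Object Change, SubscriptionId, SubjectName
}

# On a later run, compare against the previous snapshot (placeholder path):
# Compare-AccessSnapshot -Previous 'C:\path\to\AzureAccess-PREVIOUS.csv' -Current $snapshot
```

Keeping the CSV snapshots in source control or a write-once share turns the diff into a simple change record: anything that shows up as ‘Added’ should match an approved request, and anything ‘Removed’ should match an offboarding or clean-up ticket.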

[Screenshot: Azure Access Assignments]

What access does a specific user have on my subscriptions?

To get access assignments applicable to a specific user, just use the Get-AzureAccessAssignments command with the User parameter and specify the user’s email or user principal name. In the example below, I query the access assignments applicable to sameert@aaddemo.com and observe that Sameer has two roles directly assigned to him whereas 6 other role assignments apply to him because they’ve been assigned to groups of which Sameer is a member.

[Screenshot: Azure Access Assignments for a User]
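The per-user query above, wrapped into a reusable check, as an added example (not code from the post or the module): it separates direct assignments from those inherited through group membership and then runs the same check over a list of users, which is the shape of an offboarding or periodic access review. It assumes the User parameter described above is on Get-ARMAccessAssignments (the post names the command both ways), and that group-inherited assignments come back with SubjectType ‘Group’ while direct ones have SubjectType ‘User’; the user list is a constructed sample.

```powershell
# Added example (not part of the ARMPowerShell module).
# Assumes Connect-ARM has already been run and that -User is a parameter of
# Get-ARMAccessAssignments.

function Get-UserAccessSummary {
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    $applicable = @(Get-ARMAccessAssignments -User $UserPrincipalName)
    # Assumption: direct assignments have SubjectType 'User', inherited ones 'Group'.
    $direct   = @($applicable | Where-Object { $_.SubjectType -eq 'User' })
    $viaGroup = @($applicable | Where-Object { $_.SubjectType -eq 'Group' })

    Write-Host "`n$UserPrincipalName : $($direct.Count) direct, $($viaGroup.Count) via groups"

    if ($direct.Count -gt 0) {
        Write-Host '  Direct assignments:'
        $direct |
            Format-Table SubscriptionName, RoleName, ScopeType, ScopeName -AutoSize |
            Out-Host
    }
    if ($viaGroup.Count -gt 0) {
        Write-Host '  Inherited via groups (SubjectName is the group):'
        $viaGroup |
            Format-Table SubscriptionName, RoleName, SubjectName, ScopeType, ScopeName -AutoSize |
            Out-Host
    }

    # One summary object per user so a batch run can be sorted or exported.
    New-Object PSObject -Property @{
        User          = $UserPrincipalName
        Direct        = $direct.Count
        ViaGroups     = $viaGroup.Count
        Subscriptions = @($applicable | Select-Object -ExpandProperty SubscriptionName -Unique).Count
        # Owner/Contributor at subscription scope, or a classic admin role (null RoleId).
        HasSubscriptionWideAdmin = [bool]($applicable | Where-Object {
            $_.ScopeType -eq 'Subscription' -and
            ((@('Owner', 'Contributor') -contains $_.RoleName) -or ($_.RoleId -eq $null))
        })
    }
}

# Single user, as in the post's example:
Get-UserAccessSummary -UserPrincipalName 'sameert@aaddemo.com' | Out-Null

# Batch check over a constructed sample list, e.g. people who left the team
# last month. Anyone with a non-zero count still has access to review or remove.
$leavers = @('alice@aaddemo.com', 'bob@aaddemo.com')
$leavers |
    ForEach-Object { Get-UserAccessSummary -UserPrincipalName $_ } |
    Where-Object { ($_.Direct + $_.ViaGroups) -gt 0 } |
    Format-Table User, Direct, ViaGroups, Subscriptions, HasSubscriptionWideAdmin -AutoSize |
    Out-Host
```

Group-inherited access is the part that is easy to miss when someone changes role: removing a direct assignment does nothing if the person is still in a group that holds Contributor on the subscription, which is exactly what the ViaGroups column is there to show.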

Who gained (or lost) access to my subscriptions in the past n days?

Run the Get-ARMAccessChangeHistory command to produce a report of who granted (or revoked) what role to whom, at what scope, within your Azure subscriptions over the past n days (the maximum is 90 days). The command queries all role assignment events from the Insights resource provider of Azure Resource Manager and emits change events with the following properties:

  • Date: the date and time at which access was granted or revoked. e.g. ‘2/7/2015 12:28:07 AM’
  • Action: ‘Granted’ or ‘Revoked’
  • DirectoryName: the name of the Azure Active Directory to which the subscription is homed. e.g. ‘aaddemo.com’
  • SubscriptionName: the name of the Azure subscription in which access was granted (or revoked). e.g. ‘ELLENA-TEST’
  • SubscriptionId: the identifier of the Azure subscription in which access was granted (or revoked). e.g. ‘09cbd307-aa71-4aca-b346-5f253e6e3ebb’
  • User: the name of the user who granted or revoked access. e.g. ‘ellena@aaddemo.com’
  • RoleId: the identifier of the role that was granted (or revoked). e.g. ‘/subscriptions/09cbd307-aa71-4aca-b346-5f253e6e3ebb/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7’
  • RoleName: the name of the role that was granted (or revoked). e.g. ‘Reader’
  • SubjectId: the object identifier of the user, group or service principal to which the role was granted (or revoked). e.g. ‘7758ff7a-9c65-4779-af33-f2c2f35aec20’
  • SubjectType: ‘User’, or ‘Group’ or ‘ServicePrincipal’
  • SubjectName: the name of the subject to which the role was granted (or revoked). e.g. ‘CloudSense’
  • Scope: the level in the resource hierarchy at which the role was granted (or revoked). It is the URI of the subscription or resource group or the resource. e.g. ‘/subscriptions/09cbd307-aa71-4aca-b346-5f253e6e3ebb’
  • ScopeType: ‘Subscription’ or ‘Resource Group’ or ‘Resource’
  • ScopeName: the name of the subscription, resource group or resource at which the role was granted (or revoked). e.g. ‘ELLENA-TEST (Id: 09cbd307-aa71-4aca-b346-5f253e6e3ebb)’
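The change feed is most useful when it is reduced to the handful of events that need a second look. The following is an added example (not code from the post or the module) that does that for a weekly review: it applies the review window client-side on the Date property, so no parameter of Get-ARMAccessChangeHistory is assumed, and it groups the events into subscription-wide privileged grants, grants to service principals, self-grants, and revocations. It assumes Connect-ARM has been run and that the command, called without arguments, returns events with the properties listed above; ‘Owner’ and ‘User Access Administrator’ are built-in roles not mentioned in the post.

```powershell
# Added example (not part of the ARMPowerShell module).
# Assumes Connect-ARM has already been run; the window is applied client-side.

$windowDays = 7
$since = (Get-Date).AddDays(-$windowDays)

$events = @(Get-ARMAccessChangeHistory |
    Where-Object { [datetime]$_.Date -ge $since } |
    Sort-Object { [datetime]$_.Date })

Write-Host "$($events.Count) access changes in the last $windowDays days"

$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
$columns = 'Date', 'Action', 'SubscriptionName', 'User', 'RoleName',
           'SubjectType', 'SubjectName', 'ScopeName'

function Show-Findings {
    param([string]$Title, [object[]]$Items)
    if ($Items.Count -eq 0) { return }
    Write-Host "`n--- $Title ($($Items.Count)) ---"
    $Items | Format-Table $columns -AutoSize | Out-Host
}

# 1. Privileged roles (or a classic admin role, which has a null RoleId)
#    granted at subscription scope.
Show-Findings 'Subscription-wide privileged grants' @($events | Where-Object {
    $_.Action -eq 'Granted' -and $_.ScopeType -eq 'Subscription' -and
    (($privilegedRoles -contains $_.RoleName) -or ($_.RoleId -eq $null))
})

# 2. Grants to service principals. The post spells the type both
#    'Service Principal' and 'ServicePrincipal', so the space is ignored.
Show-Findings 'Grants to service principals' @($events | Where-Object {
    $_.Action -eq 'Granted' -and (($_.SubjectType -replace ' ', '') -eq 'ServicePrincipal')
})

# 3. Someone granting a role to themselves (grantor and subject are the same name).
Show-Findings 'Self-grants' @($events | Where-Object {
    $_.Action -eq 'Granted' -and $_.User -eq $_.SubjectName
})

# 4. Revocations: usually clean-up, but an administrator being removed is worth confirming.
Show-Findings 'Revocations' @($events | Where-Object { $_.Action -eq 'Revoked' })

# 5. Who is making the changes at all? A grantor you do not recognise is the first question.
Write-Host "`n--- Changes per grantor ---"
$events |
    Group-Object User |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize |
    Out-Host

# Keep the reviewed window as an audit trail.
$outFile = Join-Path $env:USERPROFILE "Documents\AzureAccessChanges-$(Get-Date -Format yyyyMMdd).csv"
$events | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "`nSaved the $windowDays-day window to $outFile"
```

Because the service only retains 90 days of events, the CSV written at the end is what makes a longer history possible: run the script on a schedule that is shorter than the retention period and keep the files.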

[Screenshot: Azure Access Change History]

Enjoy!

2 thoughts on “Keep a tab on access settings of your Azure subscriptions”

  1. Faisal Rahman

    I am getting the following error after issuing Connect-ARM command and entering the User Information:

    PS C:\> Connect-ARM
    Invoke-WebRequest : The ‘Content-Type’ header must be modified using the appropriate property or method.
    Parameter name: name
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:58 char:15
    + $result = Invoke-WebRequest -Method GET -Uri $uri -Headers $headers
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

    New-Object : Exception calling “.ctor” with “2” argument(s): “‘authority’ Uri should have at least one segment in the
    path (i.e. https:////…)
    Parameter name: authority”
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:38 char:18
    + $authContext = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.Aut …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    You cannot call a method on a null-valued expression.
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:46 char:9
    + $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $r …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    Exception calling “Add” with “2” argument(s): “Key cannot be null.
    Parameter name: key”
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:254 char:7
    + $global:ARMTenantAccessTokensARM.Add($tenant.tenantId, $tenantAccessTokenA …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

    New-Object : Exception calling “.ctor” with “2” argument(s): “‘authority’ Uri should have at least one segment in the
    path (i.e. https:////…)
    Parameter name: authority”
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:38 char:18
    + $authContext = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.Aut …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    You cannot call a method on a null-valued expression.
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:46 char:9
    + $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $r …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    Exception calling “Add” with “2” argument(s): “Key cannot be null.
    Parameter name: key”
    At C:\Users\rahmff\Documents\WindowsPowerShell\Modules\ARM\ARM.psm1:256 char:7
    + $global:ARMTenantAccessTokensGraph.Add($tenant.tenantId, $tenantAccessToke …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

    Not connected to an ARM. First run Connect-ARM.

    1. dushyantgill Post author

      Hey Faisal, I can’t reproduce the error. Can you please confirm that your PoSh version is 4.0? thanks
      PS C:\> $PSVersionTable

      Name                       Value
      ----                       -----
      PSVersion                  4.0
      WSManStackVersion          3.0
      SerializationVersion       1.1.0.1
      CLRVersion                 4.0.30319.34014
      BuildVersion               6.3.9600.17400
      PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0}
      PSRemotingProtocolVersion  2.2
