Liongard Library


Created by Sam Walker
Created on Jun 29, 2023

Azure Active Directory: Security Defaults & Conditional Access Policies Report

This report uses the Liongard API to pull down the Security Defaults status and the Conditional Access Policies of every Azure Active Directory Inspector.

One benefit of this report is that it returns the display names of the users, groups and roles referenced in each Conditional Access policy. Currently, Liongard only returns the object IDs in the Data Print.


Create API Key and Identify Metric UUID

  1. Create the Azure Active Directory Metric using the Query shown in this entry.

  2. Identify the UUID of the Metric:

    1. Create an Access Token (API Key and Secret): https://docs.liongard.com/reference/authentication

    2. Convert the API Key and Secret into a Base64 string of the form key:secret. This string is the value sent in the X-ROAR-API-KEY header, so handle it as carefully as the secret itself:

      # Key and Secret from the previous step
      $Key = "KEYHERE"
      $Secret = "SECRETHERE"
      $Bytes = [System.Text.Encoding]::UTF8.GetBytes("$($Key):$($Secret)")
      $EncodedText = [Convert]::ToBase64String($Bytes)

      # Quick check that the key works: this call should return the environment count rather than an authentication error
      Invoke-WebRequest -Uri https://LIONGARDREGIONHERE.app.liongard.com/api/v1/environments/count/ -Headers @{"X-ROAR-API-KEY"="$($EncodedText)"}

      # Print the Base64 string for use in the next step
      Write-Output $EncodedText

    3. Enter the Base64 key on this page to return the complete list of Metrics and find the UUID of this Metric: https://docs.liongard.com/reference/post_metrics-evaluate
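The snippet above keeps the key and secret as literals in the script file. As an added example (not part of the original entry), the function below builds the same X-ROAR-API-KEY header from a PSCredential, so the key and secret come from a prompt or from environment variables and the Base64 string only ever exists in memory. The header format (Base64 of key:secret) and the environments/count endpoint are the ones used on this page; the function name, the parameter and the environment variable names are assumptions for illustration.

```powershell
# Added example: build the Liongard auth header from a PSCredential instead of
# hard-coding the key and secret. Assumes the header is Base64("key:secret") as
# described in the steps above; New-LiongardAuthHeader and the LIONGARD_* variable
# names are hypothetical.
function New-LiongardAuthHeader {
    param(
        # Key goes in the UserName field, Secret in the Password field
        [Parameter(Mandatory)]
        [pscredential]$Credential
    )

    $key    = $Credential.UserName
    $secret = $Credential.GetNetworkCredential().Password

    $bytes   = [System.Text.Encoding]::UTF8.GetBytes("$($key):$($secret)")
    $encoded = [Convert]::ToBase64String($bytes)

    # The Base64 value is equivalent to the secret: never write it to logs or transcripts
    return @{
        "accept"         = "application/json"
        "X-ROAR-API-KEY" = $encoded
    }
}

# Interactive use: prompt once, key as user name, secret as password
$cred    = Get-Credential -Message 'Liongard API key (user name) and secret (password)'
$headers = New-LiongardAuthHeader -Credential $cred

# Unattended use: read both from environment variables populated by the scheduler or vault
# $secure = ConvertTo-SecureString $env:LIONGARD_API_SECRET -AsPlainText -Force
# $cred   = [pscredential]::new($env:LIONGARD_API_KEY, $secure)

# Pre-flight check against the environments/count endpoint used in the steps above;
# an authentication failure surfaces here before the report loop runs
$check = Invoke-RestMethod -Uri 'https://LIONGARDREGIONHERE.app.liongard.com/api/v1/environments/count/' -Headers $headers
$check
```

The `$headers` hashtable returned here can be passed straight to the `Invoke-WebRequest` call in the report script, replacing the `$apikey` literal.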



PowerShell Script

Replace the following placeholder values within the script (the Base64 key from the steps above, the Metric UUID, your Liongard region in the URL, and the output path):

$apikey = 'Base64Key'
$metricUUID = 'ENTERYOURMETRICUUIDHERE'
https://LIONGARDREGIONHERE.app.liongard.com/api/v2/metrics/evaluate
$outputList | Export-Csv -Path "c:\path\report.csv" -NoTypeInformation -Force


$apikey = 'APIKEYHERE'    # the Base64 "key:secret" string produced in the steps above

# Headers
$headers = @{
    "accept"         = "application/json"
    "X-ROAR-API-KEY" = $apikey
}

# Define variables
$metricUUID = 'ENTERYOURMETRICUUIDHERE'

# Initialize variables for the loop
$page     = 1
$pageSize = 25
$continue = $true

# Create list to store output (a List is appended in place; += on an array re-copies it on every add)
$outputList = [System.Collections.Generic.List[object]]::new()

# Function to resolve object IDs to display names. Users, Groups and RoleDefinitions
# all carry "id" and "displayName", so one lookup serves all three. An ID with no
# match in the Inspector data (including literal values such as "All") is kept
# as-is rather than dropped, so the report never hides an assignment it could not name.
function Get-DisplayNames {
    param(
        [string[]]$Ids,
        [array]$Objects
    )

    $displayNames = @()

    foreach ($id in $Ids) {
        $match = $Objects | Where-Object { $_.id -eq $id }
        if ($match) {
            $displayNames += $match.displayName
        } else {
            $displayNames += $id
        }
    }

    return $displayNames -join ', '
}

# Loop through pages while the flag is set to true
while ($continue) {
    # Build the request body for the current page
    $body = @{
        Metrics    = @($metricUUID)
        Filters    = @()
        Sorting    = @(@{ SortBy = "EnvironmentName"; Direction = "ASC" })
        Pagination = @{ Page = $page; PageSize = $pageSize }
    } | ConvertTo-Json -Depth 5

    # Send API request
    $response = Invoke-WebRequest -Uri 'https://LIONGARDREGIONHERE.app.liongard.com/api/v2/metrics/evaluate' -Method POST -Headers $headers -ContentType 'application/json' -Body $body

    # Parse the JSON body of the response
    $json       = $response.Content | ConvertFrom-Json
    $data       = $json.Data
    $totalPages = $json.Pagination.TotalPages

    # Loop through the data
    foreach ($item in $data) {
        $systemInfo = $item.Value.SystemInfo

        # Extract relevant data from SystemInfo
        $securityDefaultsEnabled = $systemInfo.Overview.SecurityDefaults.isEnabled

        # Get the list of users, groups, and roles
        $users  = $item.Value.Users
        $groups = $item.Value.Groups
        $roles  = $item.Value.RoleDefinitions

        # Check if ConditionalAccess array is null or empty
        if ($item.Value.Policies.ConditionalAccess) {
            # Loop through ConditionalAccess policies; one output row per policy
            foreach ($conditionalAccessPolicy in $item.Value.Policies.ConditionalAccess) {
                $policyDisplayName      = $conditionalAccessPolicy.displayName
                $policyCreatedDateTime  = $conditionalAccessPolicy.createdDateTime
                $policyModifiedDateTime = $conditionalAccessPolicy.modifiedDateTime
                $policyState            = $conditionalAccessPolicy.state

                # ID arrays from the policy's user/group/role conditions
                $userConditions = $conditionalAccessPolicy.conditions.users

                # Look up display names; each result is a comma-separated string
                $includeUsers  = Get-DisplayNames -Ids $userConditions.includeUsers  -Objects $users
                $excludeUsers  = Get-DisplayNames -Ids $userConditions.excludeUsers  -Objects $users
                $includeGroups = Get-DisplayNames -Ids $userConditions.includeGroups -Objects $groups
                $excludeGroups = Get-DisplayNames -Ids $userConditions.excludeGroups -Objects $groups
                $includeRoles  = Get-DisplayNames -Ids $userConditions.includeRoles  -Objects $roles
                $excludeRoles  = Get-DisplayNames -Ids $userConditions.excludeRoles  -Objects $roles

                # Output data to separate columns
                $output = [PSCustomObject]@{
                    "SystemID"                          = $item.SystemID
                    "FriendlyName"                      = $item.FriendlyName
                    "InspectorName"                     = $item.InspectorName
                    "EnvironmentID"                     = $item.EnvironmentID
                    "EnvironmentName"                   = $item.EnvironmentName
                    "MetricID"                          = $item.MetricID
                    "MetricUUID"                        = $item.MetricUUID
                    "MetricName"                        = $item.MetricName
                    "TimelineID"                        = $item.TimelineID
                    "TimelineDate"                      = $item.TimelineDate
                    "SecurityDefaultsEnabled"           = $securityDefaultsEnabled
                    "ConditionalAccessDisplayName"      = $policyDisplayName
                    "ConditionalAccessCreatedDateTime"  = $policyCreatedDateTime
                    "ConditionalAccessModifiedDateTime" = $policyModifiedDateTime
                    "ConditionalAccessState"            = $policyState
                    "IncludeUsers"                      = $includeUsers
                    "ExcludeUsers"                      = $excludeUsers
                    "IncludeGroups"                     = $includeGroups
                    "ExcludeGroups"                     = $excludeGroups
                    "IncludeRoles"                      = $includeRoles
                    "ExcludeRoles"                      = $excludeRoles
                }

                $outputList.Add($output)
            }
        } else {
            # No Conditional Access policies: output one row with null values for the policy fields
            # so a tenant with Security Defaults disabled and no policies still appears in the report
            $output = [PSCustomObject]@{
                "SystemID"                          = $item.SystemID
                "FriendlyName"                      = $item.FriendlyName
                "InspectorName"                     = $item.InspectorName
                "EnvironmentID"                     = $item.EnvironmentID
                "EnvironmentName"                   = $item.EnvironmentName
                "MetricID"                          = $item.MetricID
                "MetricUUID"                        = $item.MetricUUID
                "MetricName"                        = $item.MetricName
                "TimelineID"                        = $item.TimelineID
                "TimelineDate"                      = $item.TimelineDate
                "SecurityDefaultsEnabled"           = $securityDefaultsEnabled
                "ConditionalAccessDisplayName"      = $null
                "ConditionalAccessCreatedDateTime"  = $null
                "ConditionalAccessModifiedDateTime" = $null
                "ConditionalAccessState"            = $null
                "IncludeUsers"                      = $null
                "ExcludeUsers"                      = $null
                "IncludeGroups"                     = $null
                "ExcludeGroups"                     = $null
                "IncludeRoles"                      = $null
                "ExcludeRoles"                      = $null
            }

            $outputList.Add($output)
        }
    }

    # Increment page number, or stop once the last page has been processed
    if ($page -ge $totalPages) {
        $continue = $false
    } else {
        $page++
    }
}

# Export the final output list
$outputList | Export-Csv -Path "c:\path\report.csv" -NoTypeInformation -Force
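The CSV lists one row per policy, which makes it hard to see at a glance which tenants have no enforcement at all. As an added example (not part of the original entry), the function below rolls the exported rows up per environment and flags tenants where Security Defaults are off and no Conditional Access policy is in the enabled state, meaning nothing is enforcing an MFA baseline. It assumes the column names the script above writes and the Microsoft Graph policy state values ("enabled", "disabled", "enabledForReportingButNotEnforced"); the function name and the sample rows are constructed for illustration.

```powershell
# Added example: summarise the report rows per environment and flag tenants with
# no enforced baseline. Assumes the columns produced by the script above and the
# Graph state values for Conditional Access policies; Get-CaEnforcementSummary and
# the sample rows are constructed, not taken from real tenants.
function Get-CaEnforcementSummary {
    param(
        [Parameter(Mandatory)]
        [object[]]$Rows
    )

    $Rows | Group-Object -Property EnvironmentName | ForEach-Object {
        $envName = $_.Name
        $envRows = $_.Group

        # Export-Csv writes booleans as "True"/"False"; compare as text so Import-Csv rows work too
        $sdOn = "$($envRows[0].SecurityDefaultsEnabled)" -eq 'True'

        # Rows without a policy name are the "no policies" rows the script emits
        $policies   = @($envRows | Where-Object { $_.ConditionalAccessDisplayName })
        $enabled    = @($policies | Where-Object { $_.ConditionalAccessState -eq 'enabled' })
        $reportOnly = @($policies | Where-Object { $_.ConditionalAccessState -eq 'enabledForReportingButNotEnforced' })
        $disabled   = @($policies | Where-Object { $_.ConditionalAccessState -eq 'disabled' })

        [PSCustomObject]@{
            EnvironmentName         = $envName
            SecurityDefaultsEnabled = $sdOn
            EnabledPolicies         = $enabled.Count
            ReportOnlyPolicies      = $reportOnly.Count
            DisabledPolicies        = $disabled.Count
            # Report-only and disabled policies enforce nothing, so only enabled ones count
            NoEnforcedBaseline      = (-not $sdOn) -and ($enabled.Count -eq 0)
        }
    }
}

# Constructed sample rows in the shape the script exports (not real tenant data)
$sampleRows = @(
    [PSCustomObject]@{ EnvironmentName = 'Tenant A'; SecurityDefaultsEnabled = 'True';  ConditionalAccessDisplayName = $null;               ConditionalAccessState = $null }
    [PSCustomObject]@{ EnvironmentName = 'Tenant B'; SecurityDefaultsEnabled = 'False'; ConditionalAccessDisplayName = 'Require MFA';       ConditionalAccessState = 'enabled' }
    [PSCustomObject]@{ EnvironmentName = 'Tenant B'; SecurityDefaultsEnabled = 'False'; ConditionalAccessDisplayName = 'Block legacy auth'; ConditionalAccessState = 'enabledForReportingButNotEnforced' }
    [PSCustomObject]@{ EnvironmentName = 'Tenant C'; SecurityDefaultsEnabled = 'False'; ConditionalAccessDisplayName = 'Require MFA';       ConditionalAccessState = 'disabled' }
    [PSCustomObject]@{ EnvironmentName = 'Tenant D'; SecurityDefaultsEnabled = 'False'; ConditionalAccessDisplayName = $null;               ConditionalAccessState = $null }
)

# Run against the constructed rows, or against the CSV the script wrote:
# $rows = Import-Csv -Path "c:\path\report.csv"
Get-CaEnforcementSummary -Rows $sampleRows |
    Sort-Object NoEnforcedBaseline -Descending |
    Format-Table -AutoSize
```

With the constructed rows, Tenant C (only a disabled policy) and Tenant D (no policies, Security Defaults off) are flagged; Tenant A is covered by Security Defaults and Tenant B by an enabled policy. A report-only policy is counted separately because it logs what it would have blocked without blocking anything.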




Query

{SystemInfo: SystemInfo, Policies: Policies, Users: Users, Groups: Groups, RoleDefinitions: RoleDefinitions}
