This report uses the Liongard API to pull down the Security Defaults status and the Conditional Access policies of all Azure Active Directory inspectors. One benefit of this report is that it returns the display names of the objects referenced in the Conditional Access policies; currently Liongard only returns the object IDs in the Data Print.

Create an API Key and identify the Metric UUID

Create the Azure Active Directory metric using the Data Print query shown on this page, then identify the UUID of the metric.

Create an Access Token: https://docs.liongard.com/reference/authentication

You need to combine the API key and secret into a single Base64 string ("key:secret"). Note that Base64 is an encoding, not encryption: the resulting string is the credential itself and must be handled as a secret.

$Key = "KEYHERE"
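$Secret = "SECRETHERE"
# The API expects "key:secret" Base64-encoded. Base64 is an encoding, not
# encryption: $EncodedText IS the credential and must be protected like the
# secret itself (don't paste it into tickets, chat, or committed scripts).
$Bytes = [System.Text.Encoding]::UTF8.GetBytes("$($Key):$($Secret)")
$EncodedText = [Convert]::ToBase64String($Bytes)
# Smoke-test the credential against a cheap endpoint; Invoke-WebRequest errors
# on a non-success status, so a wrong key/secret or region shows up here rather
# than in the report script. -UseBasicParsing avoids the Internet Explorer
# dependency on Windows PowerShell 5.1 (accepted and ignored on PowerShell 7).
Invoke-WebRequest -Uri https://LIONGARDREGIONHERE.app.liongard.com/api/v1/environments/count/ -Headers @{"X-ROAR-API-KEY"="$($EncodedText)"} -UseBasicParsing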
Write-Output $EncodedText

Enter the Base64 key on this page and run the request to return a complete list of metrics, then find the UUID of the metric you created: https://docs.liongard.com/reference/post_metrics-evaluate

PowerShell Script

Replace these values within the script before running it:

- `$apikey = 'Base64Key'` — the Base64 "key:secret" string from above. It is a bearer credential: do not commit the script with the key filled in, and prefer reading it from an environment variable or a secret store (for example `$apikey = $env:LIONGARD_API_KEY`).
- `$metricUUID = 'ENTERYOURMETRICUUIDHERE'` — the UUID of the Azure Active Directory metric.
- `https://LIONGARDREGIONHERE.app.liongard.com/api/v2/metrics/evaluate` — your Liongard region.
- `$outputList | Export-Csv -Path "c:\path\report.csv" -NoTypeInformation -Force` — the output path. The CSV will contain tenant, user, group and role names across all environments, so write it to a location with restricted access.

$apikey = 'APIKEYHERE'
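# Headers sent with every request. X-ROAR-API-KEY carries the Base64
# "key:secret" value produced above; it is a bearer credential, so keep it out
# of source control, transcripts and logs (prefer $env:LIONGARD_API_KEY or a
# secret store over a literal in this file).
$headers = @{
    "accept"         = "application/json"
    "X-ROAR-API-KEY" = $apikey
}
# Define variables
# UUID of the Azure Active Directory metric to evaluate (see above).
$metricUUID = 'ENTERYOURMETRICUUIDHERE'
# Initialize variables for the loop. Paging starts at 1; the loop stops once
# $page reaches the TotalPages value returned in each response.
$page = 1
$pageSize = 25
$continue = $true
# Create list to store output: one row per Conditional Access policy, or one
# row per environment that has no policies.
$outputList = @()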
# Function to get user display names
function Get-UserDisplayNames {
    <#
    .SYNOPSIS
    Resolves user object IDs to display names.
    .DESCRIPTION
    Looks each ID up in $Users (matched on the "id" property) and returns the
    matching displayName values as one comma-separated string. An ID with no
    match is kept verbatim, so unknown IDs and any non-ID values a policy may
    carry (e.g. the "All" keyword) still show up in the report.
    .PARAMETER UserIds
    Object IDs referenced by a Conditional Access policy; may be empty or $null.
    .PARAMETER Users
    Array of user objects exposing "id" and "displayName".
    .OUTPUTS
    System.String - display names (or unresolved IDs) joined with ", ".
    #>
    param(
        [string[]]$UserIds,
        [array]$Users
    )
    $resolved = foreach ($id in $UserIds) {
        $match = $Users | Where-Object { $_.id -eq $id }
        if ($match) { $match.displayName } else { $id }
    }
    return @($resolved) -join ', '
}
# Function to get group display names
function Get-GroupDisplayNames {
    <#
    .SYNOPSIS
    Resolves group object IDs to display names.
    .DESCRIPTION
    For every ID in $GroupIds, finds the group in $Groups whose "id" matches
    and emits its displayName; IDs without a match are emitted unchanged.
    The results are returned as a single ", "-separated string.
    .PARAMETER GroupIds
    Group object IDs from a Conditional Access policy; may be empty or $null.
    .PARAMETER Groups
    Array of group objects exposing "id" and "displayName".
    .OUTPUTS
    System.String
    #>
    param(
        [string[]]$GroupIds,
        [array]$Groups
    )
    $names = New-Object System.Collections.ArrayList
    foreach ($groupId in $GroupIds) {
        $hit = $Groups | Where-Object { $_.id -eq $groupId }
        if ($hit) {
            [void]$names.AddRange(@($hit.displayName))
        } else {
            [void]$names.Add($groupId)
        }
    }
    return $names -join ', '
}
# Function to get role display names
function Get-RoleDisplayNames {
    <#
    .SYNOPSIS
    Resolves directory role IDs to display names.
    .DESCRIPTION
    Maps each role ID to the displayName of the matching entry in $Roles
    (matched on "id"). IDs that do not match any role definition are passed
    through unchanged. Returns one ", "-separated string.
    .PARAMETER RoleIds
    Role IDs from a Conditional Access policy; may be empty or $null.
    .PARAMETER Roles
    Array of role definition objects exposing "id" and "displayName".
    .OUTPUTS
    System.String
    #>
    param(
        [string[]]$RoleIds,
        [array]$Roles
    )
    $labels = @(
        foreach ($roleId in $RoleIds) {
            $definition = $Roles | Where-Object { $_.id -eq $roleId }
            if (-not $definition) { $roleId; continue }
            $definition.displayName
        }
    )
    return [string]::Join(', ', $labels)
}
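# Builds one report row for an inspector. $Policy is a single Conditional
# Access policy object, or $null for an environment with no policies; in the
# latter case the Conditional Access columns are left empty so the environment
# (and its Security Defaults status) still appears in the CSV.
# The key order below is the column order of the exported CSV.
function New-ReportRow {
    param(
        $Item,                     # one element of the metric's Data array
        $SecurityDefaultsEnabled,  # SystemInfo.Overview.SecurityDefaults.isEnabled
        $Policy,                   # Conditional Access policy object, or $null
        [array]$Users,             # environment users (id, displayName)
        [array]$Groups,            # environment groups (id, displayName)
        [array]$Roles              # environment role definitions (id, displayName)
    )
    $caDisplayName = $null
    $caCreated     = $null
    $caModified    = $null
    $caState       = $null
    $includeUsers  = $null
    $excludeUsers  = $null
    $includeGroups = $null
    $excludeGroups = $null
    $includeRoles  = $null
    $excludeRoles  = $null
    if ($null -ne $Policy) {
        $caDisplayName = $Policy.displayName
        $caCreated     = $Policy.createdDateTime
        $caModified    = $Policy.modifiedDateTime
        $caState       = $Policy.state
        # Resolve the object IDs in the policy's user conditions to display
        # names; IDs with no match in the inspector data are kept as-is.
        $conditions = $Policy.conditions.users
        $includeUsers  = Get-UserDisplayNames  -UserIds  $conditions.includeUsers  -Users  $Users
        $excludeUsers  = Get-UserDisplayNames  -UserIds  $conditions.excludeUsers  -Users  $Users
        $includeGroups = Get-GroupDisplayNames -GroupIds $conditions.includeGroups -Groups $Groups
        $excludeGroups = Get-GroupDisplayNames -GroupIds $conditions.excludeGroups -Groups $Groups
        $includeRoles  = Get-RoleDisplayNames  -RoleIds  $conditions.includeRoles  -Roles  $Roles
        $excludeRoles  = Get-RoleDisplayNames  -RoleIds  $conditions.excludeRoles  -Roles  $Roles
    }
    return [PSCustomObject]@{
        "SystemID"                          = $Item.SystemID
        "FriendlyName"                      = $Item.FriendlyName
        "InspectorName"                     = $Item.InspectorName
        "EnvironmentID"                     = $Item.EnvironmentID
        "EnvironmentName"                   = $Item.EnvironmentName
        "MetricID"                          = $Item.MetricID
        "MetricUUID"                        = $Item.MetricUUID
        "MetricName"                        = $Item.MetricName
        "TimelineID"                        = $Item.TimelineID
        "TimelineDate"                      = $Item.TimelineDate
        "SecurityDefaultsEnabled"           = $SecurityDefaultsEnabled
        "ConditionalAccessDisplayName"      = $caDisplayName
        "ConditionalAccessCreatedDateTime"  = $caCreated
        "ConditionalAccessModifiedDateTime" = $caModified
        "ConditionalAccessState"            = $caState
        "IncludeUsers"                      = $includeUsers
        "ExcludeUsers"                      = $excludeUsers
        "IncludeGroups"                     = $includeGroups
        "ExcludeGroups"                     = $excludeGroups
        "IncludeRoles"                      = $includeRoles
        "ExcludeRoles"                      = $excludeRoles
    }
}

# Fail fast on an unfilled placeholder instead of sending a bogus request.
if (-not $metricUUID -or $metricUUID -eq 'ENTERYOURMETRICUUIDHERE') {
    throw 'Set $metricUUID to the UUID of the Azure Active Directory metric before running this script.'
}
$evaluateUri = 'https://LIONGARDREGIONHERE.app.liongard.com/api/v2/metrics/evaluate'

# Loop through pages while the flag is set to true
while ($continue) {
    # Build the request body as an object and serialise it, rather than
    # splicing values into a JSON string; the request stays well-formed
    # whatever $metricUUID contains, and the structure is easier to read.
    $body = [ordered]@{
        Metrics    = @($metricUUID)
        Filters    = @()
        Sorting    = @([ordered]@{ SortBy = 'EnvironmentName'; Direction = 'ASC' })
        Pagination = [ordered]@{ Page = $page; PageSize = $pageSize }
    } | ConvertTo-Json -Depth 5 -Compress

    # Send API request. Invoke-WebRequest raises an error on a non-success
    # status, which stops the script rather than exporting a partial report.
    # -UseBasicParsing avoids the Internet Explorer dependency on Windows
    # PowerShell 5.1 (accepted and ignored on PowerShell 7).
    $response = Invoke-WebRequest -Uri $evaluateUri -Method POST -Headers $headers -ContentType 'application/json' -Body $body -UseBasicParsing

    # Parse the JSON response body explicitly (rather than relying on the
    # response object's string conversion).
    $json = $response.Content | ConvertFrom-Json
    $data = $json.Data
    $totalPages = $json.Pagination.TotalPages

    # Loop through the data: one element per inspector/environment
    foreach ($item in $data) {
        $value = $item.Value
        # Extract relevant data from SystemInfo
        $securityDefaultsEnabled = $value.SystemInfo.Overview.SecurityDefaults.isEnabled
        # Get the list of users, groups, and roles used to resolve display names
        $users = $value.Users
        $groups = $value.Groups
        $roles = $value.RoleDefinitions

        # Check if ConditionalAccess array is null or empty
        $policies = $value.Policies.ConditionalAccess
        if ($policies) {
            # One row per Conditional Access policy
            foreach ($conditionalAccessPolicy in $policies) {
                $outputList += New-ReportRow -Item $item -SecurityDefaultsEnabled $securityDefaultsEnabled -Policy $conditionalAccessPolicy -Users $users -Groups $groups -Roles $roles
            }
        } else {
            # Output a row with empty conditional access fields so the
            # environment is still listed (its Security Defaults status matters
            # most precisely when it has no Conditional Access policies).
            $outputList += New-ReportRow -Item $item -SecurityDefaultsEnabled $securityDefaultsEnabled -Policy $null -Users $users -Groups $groups -Roles $roles
        }
    }

    # Increment page number, or stop once the last page has been processed.
    # A missing TotalPages (no data) also stops after the first page.
    if ($page -ge $totalPages) {
        $continue = $false
    } else {
        $page++
    }
}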
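# Export the final output list.
# Windows PowerShell 5.1 defaults Export-Csv to ASCII, which turns non-ASCII
# characters in environment and display names into '?'; -Encoding UTF8 is
# accepted by both 5.1 and 7 and keeps them intact.
# The file lists tenant, user, group and role names across every environment:
# write it to a location with restricted permissions and do not share it widely.
if ($outputList.Count -eq 0) {
    Write-Warning 'No rows were returned by the metric; nothing was exported.'
} else {
    $outputList | Export-Csv -Path "c:\path\report.csv" -NoTypeInformation -Force -Encoding UTF8
}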
{SystemInfo: SystemInfo, Policies: Policies, Users: Users, Groups: Groups, RoleDefinitions: RoleDefinitions}