Metrics Library

This is a community-led space where Liongard users can come to teach and learn from one another. Share custom Metrics, get inspired and see what’s trending in the Pride.
Azure Active Directory: Security Defaults & Conditional Access Policies Report
This report uses the Liongard API and pulls down the Security Defaults status and Conditional Access Policies of all the Azure Active Directory Inspectors.

One benefit of this report is that it returns the Display Names of the objects in the Conditional Access policies. Currently, Liongard only returns the UserID in the Data Print.

Create API Key and Identify Metric UUID

1. Create the Azure Active Directory Metric using the metric query given on this page.
2. Identify the UUID of the Metric:

Create an Access Token: https://docs.liongard.com/reference/authentication

You need to convert the API Key and Secret into a Base64 string:

```powershell
$Key = "KEYHERE"
$Secret = "SECRETHERE"
$Bytes = [System.Text.Encoding]::UTF8.GetBytes("$($Key):$($Secret)")
$EncodedText = [Convert]::ToBase64String($Bytes)
Invoke-WebRequest -Uri https://LIONGARDREGIONHERE.app.liongard.com/api/v1/environments/count/ -Headers @{"X-ROAR-API-KEY"="$($EncodedText)"}
Write-Output $EncodedText
```

Enter the Base64 key on this page and return a complete list of UUIDs to find the UUID of the metric: https://docs.liongard.com/reference/post_metrics-evaluate

PowerShell Script

Replace these values within the script:

$apikey = 'Base64Key'
$metricUUID = 'ENTERYOURMETRICUUIDHERE'
https://LIONGARDREGIONHERE.app.liongard.com/api/v2/metrics/evaluate
$outputList | Export-Csv -Path "c:\path\report.csv" -NoTypeInformation -Force

```powershell
# Base64-encoded "key:secret" string created in the step above
$apikey = 'APIKEYHERE'

# Headers
$headers = @{
    "accept"         = "application/json"
    "X-ROAR-API-KEY" = $apikey
}

# Define variables
$metricUUID = 'ENTERYOURMETRICUUIDHERE'

# Initialize variables for the loop
$page = 1
$pageSize = 25
$continue = $true

# Create list to store output
$outputList = @()

# Function to get user display names
function Get-UserDisplayNames {
    param(
        [string[]]$UserIds,
        [array]$Users
    )

    $displayNames = @()
    foreach ($userId in $UserIds) {
        $user = $Users | Where-Object { $_.id -eq $userId }
        if ($user) {
            $displayName = $user.displayName
            $displayNames += $displayName
        } else {
            # No matching object: fall back to the raw ID
            $displayNames += $userId
        }
    }
    return $displayNames -join ', '
}

# Function to get group display names
function Get-GroupDisplayNames {
    param(
        [string[]]$GroupIds,
        [array]$Groups
    )

    $displayNames = @()
    foreach ($groupId in $GroupIds) {
        $group = $Groups | Where-Object { $_.id -eq $groupId }
        if ($group) {
            $displayName = $group.displayName
            $displayNames += $displayName
        } else {
            $displayNames += $groupId
        }
    }
    return $displayNames -join ', '
}

# Function to get role display names
function Get-RoleDisplayNames {
    param(
        [string[]]$RoleIds,
        [array]$Roles
    )

    $displayNames = @()
    foreach ($roleId in $RoleIds) {
        $role = $Roles | Where-Object { $_.id -eq $roleId }
        if ($role) {
            $displayName = $role.displayName
            $displayNames += $displayName
        } else {
            $displayNames += $roleId
        }
    }
    return $displayNames -join ', '
}

# Loop through pages while the flag is set to true
while ($continue) {
    # Send API request
    $response = Invoke-WebRequest -Uri 'https://LIONGARDREGIONHERE.app.liongard.com/api/v2/metrics/evaluate' -Method POST -Headers $headers -ContentType 'application/json' -Body ('{"Metrics":["' + $metricUUID + '"],"Filters":[],"Sorting":[{"SortBy":"EnvironmentName","Direction":"ASC"}],"Pagination":{"Page":' + $page + ',"PageSize":' + $pageSize + '}}')

    # Convert API response to JSON (parse the response body, not the response object)
    $json = $response.Content | ConvertFrom-Json
    $data = $json.Data
    $totalPages = $json.Pagination.TotalPages

    # Loop through the data
    foreach ($item in $data) {
        $systemInfo = $item.Value.SystemInfo

        # Extract relevant data from SystemInfo
        $securityDefaultsEnabled = $systemInfo.Overview.SecurityDefaults.isEnabled

        # Get the list of users, groups, and roles
        $users = $item.Value.Users
        $groups = $item.Value.Groups
        $roles = $item.Value.RoleDefinitions

        # Check if ConditionalAccess array is null or empty
        if ($item.Value.Policies.ConditionalAccess) {
            # Loop through ConditionalAccess policies
            foreach ($conditionalAccessPolicy in $item.Value.Policies.ConditionalAccess) {
                $policyDisplayName = $conditionalAccessPolicy.displayName
                $policyCreatedDateTime = $conditionalAccessPolicy.createdDateTime
                $policyModifiedDateTime = $conditionalAccessPolicy.modifiedDateTime
                $policyState = $conditionalAccessPolicy.state

                # Collect the ID arrays (joined into comma-separated strings by the lookups below)
                $includeUserIds = $conditionalAccessPolicy.conditions.users.includeUsers
                $excludeUserIds = $conditionalAccessPolicy.conditions.users.excludeUsers
                $includeGroupIds = $conditionalAccessPolicy.conditions.users.includeGroups
                $excludeGroupIds = $conditionalAccessPolicy.conditions.users.excludeGroups
                $includeRoleIds = $conditionalAccessPolicy.conditions.users.includeRoles
                $excludeRoleIds = $conditionalAccessPolicy.conditions.users.excludeRoles

                # Look up user display names
                $includeUsers = Get-UserDisplayNames -UserIds $includeUserIds -Users $users
                $excludeUsers = Get-UserDisplayNames -UserIds $excludeUserIds -Users $users

                # Look up group display names
                $includeGroups = Get-GroupDisplayNames -GroupIds $includeGroupIds -Groups $groups
                $excludeGroups = Get-GroupDisplayNames -GroupIds $excludeGroupIds -Groups $groups

                # Look up role display names
                $includeRoles = Get-RoleDisplayNames -RoleIds $includeRoleIds -Roles $roles
                $excludeRoles = Get-RoleDisplayNames -RoleIds $excludeRoleIds -Roles $roles

                # Output data to separate columns
                $output = [PSCustomObject]@{
                    "SystemID"                          = $item.SystemID
                    "FriendlyName"                      = $item.FriendlyName
                    "InspectorName"                     = $item.InspectorName
                    "EnvironmentID"                     = $item.EnvironmentID
                    "EnvironmentName"                   = $item.EnvironmentName
                    "MetricID"                          = $item.MetricID
                    "MetricUUID"                        = $item.MetricUUID
                    "MetricName"                        = $item.MetricName
                    "TimelineID"                        = $item.TimelineID
                    "TimelineDate"                      = $item.TimelineDate
                    "SecurityDefaultsEnabled"           = $securityDefaultsEnabled
                    "ConditionalAccessDisplayName"      = $policyDisplayName
                    "ConditionalAccessCreatedDateTime"  = $policyCreatedDateTime
                    "ConditionalAccessModifiedDateTime" = $policyModifiedDateTime
                    "ConditionalAccessState"            = $policyState
                    "IncludeUsers"                      = $includeUsers
                    "ExcludeUsers"                      = $excludeUsers
                    "IncludeGroups"                     = $includeGroups
                    "ExcludeGroups"                     = $excludeGroups
                    "IncludeRoles"                      = $includeRoles
                    "ExcludeRoles"                      = $excludeRoles
                }
                $outputList += $output
            }
        } else {
            # Output data with null values for conditional access fields
            $output = [PSCustomObject]@{
                "SystemID"                          = $item.SystemID
                "FriendlyName"                      = $item.FriendlyName
                "InspectorName"                     = $item.InspectorName
                "EnvironmentID"                     = $item.EnvironmentID
                "EnvironmentName"                   = $item.EnvironmentName
                "MetricID"                          = $item.MetricID
                "MetricUUID"                        = $item.MetricUUID
                "MetricName"                        = $item.MetricName
                "TimelineID"                        = $item.TimelineID
                "TimelineDate"                      = $item.TimelineDate
                "SecurityDefaultsEnabled"           = $securityDefaultsEnabled
                "ConditionalAccessDisplayName"      = $null
                "ConditionalAccessCreatedDateTime"  = $null
                "ConditionalAccessModifiedDateTime" = $null
                "ConditionalAccessState"            = $null
                "IncludeUsers"                      = $null
                "ExcludeUsers"                      = $null
                "IncludeGroups"                     = $null
                "ExcludeGroups"                     = $null
                "IncludeRoles"                      = $null
                "ExcludeRoles"                      = $null
            }
            $outputList += $output
        }
    }

    # Increment page number, or stop after the last page
    if ($page -ge $totalPages) {
        $continue = $false
    } else {
        $page++
    }
}

# Export the final output list
$outputList | Export-Csv -Path "c:\path\report.csv" -NoTypeInformation -Force
```

Metric query:

{SystemInfo: SystemInfo, Policies: Policies, Users: Users, Groups: Groups, RoleDefinitions: RoleDefinitions}
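
An added example (not part of the original post and not Liongard's code): one way to triage the CSV this script produces, flagging tenants that have Security Defaults off and no Conditional Access policy in the `enabled` state, and tenants whose enforced policies carry exclusions. The function name `Get-CaCoverageFinding` and the sample rows are constructed for illustration; the state strings are the values Microsoft Graph uses for a Conditional Access policy's `state`.

```powershell
# Constructed rows mirroring the report's CSV columns.
# With real data use: $rows = Import-Csv 'c:\path\report.csv'
$rows = @(
    [PSCustomObject]@{ SystemID = 101; EnvironmentName = 'Constructed Tenant A'; SecurityDefaultsEnabled = $true
        ConditionalAccessDisplayName = $null; ConditionalAccessState = $null
        ExcludeUsers = $null; ExcludeGroups = $null; ExcludeRoles = $null }
    [PSCustomObject]@{ SystemID = 102; EnvironmentName = 'Constructed Tenant B'; SecurityDefaultsEnabled = $false
        ConditionalAccessDisplayName = 'Require MFA (pilot)'; ConditionalAccessState = 'enabledForReportingButNotEnforced'
        ExcludeUsers = ''; ExcludeGroups = ''; ExcludeRoles = '' }
    [PSCustomObject]@{ SystemID = 103; EnvironmentName = 'Constructed Tenant C'; SecurityDefaultsEnabled = $false
        ConditionalAccessDisplayName = 'Require MFA for all users'; ConditionalAccessState = 'enabled'
        ExcludeUsers = 'Break Glass Admin'; ExcludeGroups = ''; ExcludeRoles = '' }
)

function Get-CaCoverageFinding {
    param([Parameter(Mandatory)][object[]]$Rows)

    # The report has one row per policy (or one row with null policy fields), so group per tenant
    foreach ($tenant in ($Rows | Group-Object SystemID)) {
        $first = $tenant.Group[0]
        # Import-Csv yields strings ("True"/"False"); in-memory objects yield booleans. Handle both.
        $defaultsOn = "$($first.SecurityDefaultsEnabled)" -eq 'True'
        $policies   = @($tenant.Group | Where-Object { $_.ConditionalAccessDisplayName })
        $enforced   = @($policies | Where-Object { $_.ConditionalAccessState -eq 'enabled' })
        $reportOnly = @($policies | Where-Object { $_.ConditionalAccessState -eq 'enabledForReportingButNotEnforced' })
        $excluding  = @($enforced | Where-Object { $_.ExcludeUsers -or $_.ExcludeGroups -or $_.ExcludeRoles })

        $finding = if ($defaultsOn) {
            'Security Defaults on'
        } elseif ($enforced.Count -eq 0) {
            'REVIEW: Security Defaults off and no enforced policy'
        } elseif ($excluding.Count -gt 0) {
            'CHECK: enforced policies have exclusions'
        } else {
            'Enforced Conditional Access policies present'
        }

        [PSCustomObject]@{
            SystemID         = $first.SystemID
            EnvironmentName  = $first.EnvironmentName
            EnforcedPolicies = $enforced.Count
            ReportOnly       = $reportOnly.Count
            Finding          = $finding
        }
    }
}

Get-CaCoverageFinding -Rows $rows | Format-Table -AutoSize
```

Because the report resolves IDs to display names, the `ExcludeUsers`, `ExcludeGroups` and `ExcludeRoles` columns of any `CHECK` tenant can be read directly to confirm that each exclusion is an intended one.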