0
votes

I want to monitor who made a change to an RBAC assignment, so I created a PowerShell script to collect data from the Azure Activity Log. I used the piece of code below. Using this solution I am able to get items like: caller (the user who made the role assignment change), timestamp, resource name (the resource on which the assignment change was made), and action type (write or delete).

In the Activity Log panel in the Azure portal, in the Summary pane (Message: shared with "user info"), I can see the name of the user who has been granted permissions/an assignment on the resource, but using my PowerShell script I am not able to catch this information. Is there any method to get this info?

# Last 7 days of Activity Log entries, limited to role-assignment operations.
# Action is the last path segment of the operation name: write or delete.
Get-AzureRmLog -StartTime (Get-Date).AddDays(-7) |
Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'} |
Select-Object @{N="Caller";E={$_.Caller}},
    @{N="Resource";E={$_.Authorization.Scope}},
    @{N="Action";E={Split-Path $_.Authorization.Action -Leaf}},
    EventTimestamp

script output:

Caller         : [email protected]
Resource       : /subscriptions/xxxx/resourceGroups/Powershell/providers/Microsoft.Compute/virtualMachines/xx/providers/Microsoft.Authorization/roleAssignments/xxxx
Action         : write
EventTimestamp : 8/29/2019 10:12:31 AM

3 Answers

0
votes

Does this work for you?

Get-AzureRmLog -StartTime (Get-Date).AddDays(-7) | 
Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'} | 
Select-Object @{N="Caller";E={$_.Caller}}, 
@{N="Resource";E={$_.Authorization.Scope}}, 
@{N="Action";E={Split-Path $_.Authorization.action -leaf}},
@{N="Name";E={$_.Claims.Content.name}}, 
EventTimestamp

My output:

Caller         : [email protected]
Resource       : /subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Authorization/roleAssignments/xxxx
Action         : write
Name           : John Doe
EventTimestamp : 30.08.2019 12.05.52

NB: I used Get-AzLog. Not sure if there is any difference between Get-AzLog and Get-AzureRmLog.

0
votes

Fairly certain this wouldn't be exposed with this cmdlet. I don't even see this information in the Role Assignments. So I'm not sure what you mean exactly.

0
votes

Your requirement of fetching the user name to whom the RBAC role is assigned is currently not supported using the Az PowerShell cmdlet Get-AzLog or Get-AzureRmLog.

However, we can accomplish your requirement by leveraging the Azure REST API for Activity Logs - List and the Az PowerShell cmdlet Get-AzureADUser.

In this way we are depending on the Azure REST API for Activity Logs - List (but it looks like you want a PowerShell way of accomplishing the requirement), so call the REST API in PowerShell as shown below.

    # Activity Logs - List endpoint; replace {subscriptionId} and supply an OData
    # $filter (at minimum an eventTimestamp range, as the API requires one).
    $request = "https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$filter={$filter}"
    # Bearer token for https://management.azure.com (see UPDATE below for how to obtain it)
    $auth = "eyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    $authHeader = @{
    'Content-Type'='application/json'
    'Accept'='application/json'
    'Authorization'= "Bearer $auth"
    }
    # GET request: no body is sent. Note that the response is paged; follow
    # $Output.nextLink if more than one page is returned.
    $Output = Invoke-RestMethod -Uri $request -Headers $authHeader -Method GET
    $ActivityLogsFinalOutput = $Output.Value

Develop your PowerShell code to get "PrincipalId" (which is under "properties") from the output of your Azure REST API for Activity Logs - List call. The fetched "PrincipalId" is the ObjectID of the user whom you ultimately want to get.

Now leverage Az PowerShell cmdlet Get-AzureADUser and have your command something like shown below.

(Get-AzureADUser -ObjectID "<PrincipalID>").DisplayName

Hope this helps!! Cheers!!

UPDATE:

Please find the PowerShell way of fetching the auth token (i.e., $auth) that needs to be used in the above REST API call.

$ClientID       = "<ClientID>" #ApplicationID
$ClientSecret   = "<ClientSecret>"  #key from Application
$tenantId       = "<TenantID>"

# Azure AD v1 token endpoint for the tenant (a string, formatted with -f)
$TokenEndpoint = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
$ARMResource = "https://management.core.windows.net/";

# OAuth 2.0 client-credentials grant: the service principal needs at least
# Reader (or Monitoring Reader) on the subscription to list the Activity Log.
$Body1 = @{
        'resource'= $ARMResource
        'client_id' = $ClientID
        'grant_type' = 'client_credentials'
        'client_secret' = $ClientSecret
}

$params = @{
    ContentType = 'application/x-www-form-urlencoded'
    Headers = @{'accept'='application/json'}
    Body = $Body1
    Method = 'Post'
    URI = $TokenEndpoint
}

$token = Invoke-RestMethod @params
# expires_on is Unix epoch seconds; convert it to local time for display
$token | select access_token, @{L='Expires';E={[timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($_.expires_on))}} | fl *

I see this new way as well, but I didn't get a chance to test it out. If interested, you may alternatively try this or go with the above approach.

UPDATE2:

$ActivityLogsFinalOutput | %{
    # Only successful role-assignment writes carry the assignment in responseBody.
    # -like and -split are case-insensitive, so "PrincipalID" matches "principalId".
    if(($_.properties.responseBody) -like "*principalId*"){
        # responseBody is the JSON of the created assignment, e.g.
        # {"properties":{"roleDefinitionId":"...","principalId":"<guid>",...},...}
        $SplittedPrincipalID = $_.properties.responseBody -split "PrincipalID"
        $SplittedComma = $SplittedPrincipalID[1] -split ","   # '":"<guid>"'
        $SplittedDoubleQuote = $SplittedComma[0] -split "`""  # '', ':', '<guid>', ''
        $PrincipalID = $SplittedDoubleQuote[2]
        #Continue code for getting Azure AD User using above fetched $PrincipalID
        #...
        #...
    }
}

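As an added example that is not part of the question or of any answer above, the following script joins the two halves of the approach in the last answer into one pipeline: it reads each REST event's `properties.responseBody` (parsed with `ConvertFrom-Json` instead of string splitting) and resolves the `principalId` to a display name. It goes a little beyond the answer by also handling groups and service principals (a role can be assigned to any of the three) and by resolving the role name from `roleDefinitionId`. The `$sampleEvent` is constructed, all GUIDs are placeholders, and the AzureAD module (`Connect-AzureAD`) and Az.Resources (`Connect-AzAccount`) are assumed to be installed and signed in. Note that an event's `Claims` describe the caller's own token, so the principal that received the role is only available from the response body.

```powershell
# Added example (not from the question or any answer above).
# Assumes: Connect-AzureAD and Connect-AzAccount have been run; $ActivityLogsFinalOutput
# is the $Output.Value array from the REST call in the answer above.

function Get-RoleAssignmentTarget {
    # Turns one Activity Log event (REST shape) into the principal/role it assigned.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        if ($Event.authorization.action -notlike 'Microsoft.Authorization/roleAssignments/*') { return }
        $body = $Event.properties.responseBody
        # Failed or throttled requests have no assignment payload; skip them.
        if ([string]::IsNullOrWhiteSpace($body)) { return }
        try   { $assignment = ($body | ConvertFrom-Json).properties }
        catch { Write-Warning "Unparseable responseBody at $($Event.authorization.scope)"; return }
        [pscustomobject]@{
            Caller           = $Event.caller
            Timestamp        = $Event.eventTimestamp
            Action           = Split-Path $Event.authorization.action -Leaf
            Scope            = $assignment.scope
            RoleDefinitionId = ($assignment.roleDefinitionId -split '/')[-1]   # bare GUID
            PrincipalId      = $assignment.principalId
            PrincipalType    = $assignment.principalType
        }
    }
}

function Resolve-RoleAssignmentTarget {
    # Adds human-readable names; lookups that fail (deleted principal, no directory
    # permission) are reported rather than aborting the whole report.
    param([Parameter(Mandatory, ValueFromPipeline)] $Target)
    process {
        $principalName = try {
            switch ($Target.PrincipalType) {
                'User'             { (Get-AzureADUser -ObjectId $Target.PrincipalId).DisplayName }
                'Group'            { (Get-AzureADGroup -ObjectId $Target.PrincipalId).DisplayName }
                'ServicePrincipal' { (Get-AzureADServicePrincipal -ObjectId $Target.PrincipalId).DisplayName }
                default            { "<unknown principal type: $($Target.PrincipalType)>" }
            }
        } catch { '<principal not found or not readable>' }
        $roleName = try { (Get-AzRoleDefinition -Id $Target.RoleDefinitionId).Name }
                    catch { $Target.RoleDefinitionId }
        $Target | Add-Member -NotePropertyName PrincipalName -NotePropertyValue $principalName -PassThru |
                  Add-Member -NotePropertyName RoleName      -NotePropertyValue $roleName      -PassThru
    }
}

# Constructed sample event shaped like one element of $Output.Value (placeholder GUIDs).
$sampleEvent = [pscustomobject]@{
    caller         = 'admin@contoso.example'
    eventTimestamp = '2019-08-29T10:12:31Z'
    authorization  = [pscustomobject]@{
        action = 'Microsoft.Authorization/roleAssignments/write'
        scope  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Powershell/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111'
    }
    properties = [pscustomobject]@{
        statusCode   = 'Created'
        responseBody = '{"properties":{"roleDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/33333333-3333-3333-3333-333333333333","principalId":"22222222-2222-2222-2222-222222222222","principalType":"User","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Powershell"},"type":"Microsoft.Authorization/roleAssignments","name":"11111111-1111-1111-1111-111111111111"}'
    }
}

# Offline check of the parsing step alone:
$sampleEvent | Get-RoleAssignmentTarget | Format-List

# Live use against the REST output from the answer above:
# $ActivityLogsFinalOutput | Get-RoleAssignmentTarget | Resolve-RoleAssignmentTarget |
#     Select-Object Timestamp, Caller, Action, PrincipalName, PrincipalType, RoleName, Scope
```

Splitting the pipeline into a parse step and a resolve step keeps the directory calls out of the loop over raw events, so the script still produces a usable report when the AzureAD lookups are unavailable; for a scheduled monitor, the parse output alone (principal ID, role ID, scope, caller) is already enough to alert on unexpected assignments.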