mgeeky-Penetration-Testing-.../clouds/azure/Azure Roles/Dump-AzureRoles.ps1

Function Get-ARTADRolePermissions {
    <#
    .SYNOPSIS
        Shows Azure AD role permissions.

    .DESCRIPTION
        Displays all granted permissions on a specified Azure AD role.

    .PARAMETER RoleName
        Name of the role to inspect.

    .EXAMPLE
        PS> Get-ARTADRolePermissions -RoleName "Global Administrator"
    #>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]
        $RoleName
    )

    try {
        $EA = $ErrorActionPreference
        $ErrorActionPreference = 'silentlycontinue'

        Write-Host @"
---

#### ``$RoleName``

"@

        (Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'").RolePermissions | % {
            $_.AllowedResourceActions | % {
                Write-Host "- ``$_``"
            }
        }

        Write-Host ""
    }
    catch {
        Write-Host "[!] Function failed!" -ForegroundColor Red
        Throw
        Return
    }
    finally {
        $ErrorActionPreference = $EA
    }
}

Function Get-ARTRolePermissions {
    <#
    .SYNOPSIS
        Shows Azure role permissions.

    .DESCRIPTION
        Displays all granted permissions on a specified Azure RBAC role.

    .PARAMETER RoleName
        Name of the role to inspect.

    .EXAMPLE
        PS> Get-ARTRolePermissions -RoleName Owner
    #>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]
        $RoleName
    )

    try {
        $EA = $ErrorActionPreference
        $ErrorActionPreference = 'silentlycontinue'

        try {
            $role = Get-AzRoleDefinition -Name $RoleName
        }
        catch {
            Write-Host "[!] Could not get Role Definition. Possibly due to lacking privileges or lack of connection."
            Return
        }

        Write-Host @"

---

#### ``$RoleName``

"@

        if($role.Actions.Length -gt 0 ) {
            Write-Host "`n- Actions:"
            $role.Actions | % {
                Write-Host "  - ``$($_)``"
            }
        }

        if($role.NotActions.Length -gt 0 ) {
            Write-Host "`n- NotActions:"
            $role.NotActions | % {
                Write-Host "  - ``$($_)``"
            }
        }

        if($role.DataActions.Length -gt 0 ) {
            Write-Host "`n- DataActions:"
            $role.DataActions | % {
                Write-Host "  - ``$($_)``"
            }
        }

        if($role.NotDataActions.Length -gt 0 ) {
            Write-Host "`n- NotDataActions:"
            $role.NotDataActions | % {
                Write-Host "  - ``$($_)``"
            }
        }

        Write-Host ""
    }
    catch {
        Write-Host "[!] Function failed!" -ForegroundColor Red
        Throw
        Return
    }
    finally {
        $ErrorActionPreference = $EA
    }
}


Function Dump-AzureRoles {
    $creds = Get-Credential
    Connect-AzAccount -Credential $creds | Out-Null
    Connect-AzureAD -Credential $creds | Out-Null

    Write-Host @"
# Synopsis

First part of this gist contains list of Azure RBAC and Azure AD roles sorted by their names.

Second part contains full definitions of each role along with their permissions assigned.

## Role Definitions

### Azure RBAC Roles


| # | RoleName | RoleDescription | RoleId |
|---|----------|-----------------|--------|
"@

    $azureRbacRoles = (Get-AzRoleDefinition | ? { $_.IsCustom -eq $false } | sort -property Name)

    $count = 0
    $azureRbacRoles | % {
        $count += 1
        #Write-Host "| $count | ``$($_.Name)`` | _$($_.Description)_ | ``$($_.Id)`` |"
    }

    Write-Host @"

---

### Azure AD Roles

| # | RoleName | RoleDescription | RoleId |
|---|----------|-----------------|--------|
"@

    #$azureADRoles = (Get-AzureADDirectoryRoleTemplate | sort -property displayname)

    $count = 0
    $azureADRoles | % {
        $count += 1
        #Write-Host "| $count | ``$($_.DisplayName)`` | _$($_.Description)_ | ``$($_.ObjectId)`` |"
    }

    Write-Host @"

--- 

## Role Permissions

This section contains detailed definitions of each role along with their assigned permissions sets.

### Azure RBAC Role Permissions

"@

    $azureRbacRoles | % {
        Get-ARTRolePermissions -RoleName $_.Name
    }

    Write-Host @"

---
    
### Azure AD Role Permissions

"@

    $azureADRoles | % {
        #Get-ARTADRolePermissions -RoleName $_.DisplayName
    }
}
Added Azure Roles. 2022-01-25 12:45:14 +01:00			`Function Get-ARTADRolePermissions {`
			`<#`
			`.SYNOPSIS`
			`Shows Azure AD role permissions.`

			`.DESCRIPTION`
			`Displays all granted permissions on a specified Azure AD role.`

			`.PARAMETER RoleName`
			`Name of the role to inspect.`

			`.EXAMPLE`
			`PS> Get-ARTADRolePermissions -RoleName "Global Administrator"`
			`#>`

			`[CmdletBinding()]`
			`Param(`
			`[Parameter(Mandatory=$True)]`
			`[String]`
			`$RoleName`
			`)`

			`try {`
			`$EA = $ErrorActionPreference`
			`$ErrorActionPreference = 'silentlycontinue'`

			`Write-Host @"`
			`---`

			#### ``$RoleName``

			`"@`

			`(Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'").RolePermissions \| % {`
			`$_.AllowedResourceActions \| % {`
			Write-Host "- ``$_``"
			`}`
			`}`

			`Write-Host ""`
			`}`
			`catch {`
			`Write-Host "[!] Function failed!" -ForegroundColor Red`
			`Throw`
			`Return`
			`}`
			`finally {`
			`$ErrorActionPreference = $EA`
			`}`
			`}`

			`Function Get-ARTRolePermissions {`
			`<#`
			`.SYNOPSIS`
			`Shows Azure role permissions.`

			`.DESCRIPTION`
			`Displays all granted permissions on a specified Azure RBAC role.`

			`.PARAMETER RoleName`
			`Name of the role to inspect.`

			`.EXAMPLE`
			`PS> Get-ARTRolePermissions -RoleName Owner`
			`#>`

			`[CmdletBinding()]`
			`Param(`
			`[Parameter(Mandatory=$True)]`
			`[String]`
			`$RoleName`
			`)`

			`try {`
			`$EA = $ErrorActionPreference`
			`$ErrorActionPreference = 'silentlycontinue'`

			`try {`
			`$role = Get-AzRoleDefinition -Name $RoleName`
			`}`
			`catch {`
			`Write-Host "[!] Could not get Role Definition. Possibly due to lacking privileges or lack of connection."`
			`Return`
			`}`

			`Write-Host @"`

			`---`

			#### ``$RoleName``

			`"@`

			`if($role.Actions.Length -gt 0 ) {`
			Write-Host "`n- Actions:"
			`$role.Actions \| % {`
			Write-Host " - ``$($_)``"
			`}`
			`}`

			`if($role.NotActions.Length -gt 0 ) {`
			Write-Host "`n- NotActions:"
			`$role.NotActions \| % {`
			Write-Host " - ``$($_)``"
			`}`
			`}`

			`if($role.DataActions.Length -gt 0 ) {`
			Write-Host "`n- DataActions:"
			`$role.DataActions \| % {`
			Write-Host " - ``$($_)``"
			`}`
			`}`

			`if($role.NotDataActions.Length -gt 0 ) {`
			Write-Host "`n- NotDataActions:"
			`$role.NotDataActions \| % {`
			Write-Host " - ``$($_)``"
			`}`
			`}`

			`Write-Host ""`
			`}`
			`catch {`
			`Write-Host "[!] Function failed!" -ForegroundColor Red`
			`Throw`
			`Return`
			`}`
			`finally {`
			`$ErrorActionPreference = $EA`
			`}`
			`}`


			`Function Dump-AzureRoles {`
			`$creds = Get-Credential`
			`Connect-AzAccount -Credential $creds \| Out-Null`
			`Connect-AzureAD -Credential $creds \| Out-Null`

			`Write-Host @"`
			`# Synopsis`

			`First part of this gist contains list of Azure RBAC and Azure AD roles sorted by their names.`

			`Second part contains full definitions of each role along with their permissions assigned.`

			`## Role Definitions`

			`### Azure RBAC Roles`


			`\| # \| RoleName \| RoleDescription \| RoleId \|`
			`\|---\|----------\|-----------------\|--------\|`
			`"@`

Added Azure Roles. 2022-01-25 13:11:29 +01:00			`$azureRbacRoles = (Get-AzRoleDefinition \| ? { $_.IsCustom -eq $false } \| sort -property Name)`
Added Azure Roles. 2022-01-25 12:45:14 +01:00
			`$count = 0`
			`$azureRbacRoles \| % {`
			`$count += 1`
Added Azure Roles. 2022-01-25 13:11:29 +01:00			#Write-Host "\| $count \| ``$($_.Name)`` \| _$($_.Description)_ \| ``$($_.Id)`` \|"
Added Azure Roles. 2022-01-25 12:45:14 +01:00			`}`

			`Write-Host @"`

			`---`

			`### Azure AD Roles`

			`\| # \| RoleName \| RoleDescription \| RoleId \|`
			`\|---\|----------\|-----------------\|--------\|`
			`"@`

Added Azure Roles. 2022-01-25 13:11:29 +01:00			`#$azureADRoles = (Get-AzureADDirectoryRoleTemplate \| sort -property displayname)`
Added Azure Roles. 2022-01-25 12:45:14 +01:00
			`$count = 0`
			`$azureADRoles \| % {`
			`$count += 1`
Added Azure Roles. 2022-01-25 13:11:29 +01:00			#Write-Host "\| $count \| ``$($_.DisplayName)`` \| _$($_.Description)_ \| ``$($_.ObjectId)`` \|"
Added Azure Roles. 2022-01-25 12:45:14 +01:00			`}`

			`Write-Host @"`

			`---`

Added Azure Roles. 2022-01-25 12:59:19 +01:00			`## Role Permissions`
Added Azure Roles. 2022-01-25 12:45:14 +01:00
			`This section contains detailed definitions of each role along with their assigned permissions sets.`

Added Azure Roles. 2022-01-25 12:59:19 +01:00			`### Azure RBAC Role Permissions`
Added Azure Roles. 2022-01-25 12:45:14 +01:00
			`"@`

			`$azureRbacRoles \| % {`
			`Get-ARTRolePermissions -RoleName $_.Name`
			`}`

			`Write-Host @"`

			`---`

Added Azure Roles. 2022-01-25 12:59:19 +01:00			`### Azure AD Role Permissions`
Added Azure Roles. 2022-01-25 12:45:14 +01:00
			`"@`

			`$azureADRoles \| % {`
Added Azure Roles. 2022-01-25 13:11:29 +01:00			`#Get-ARTADRolePermissions -RoleName $_.DisplayName`
Added Azure Roles. 2022-01-25 12:45:14 +01:00			`}`
Added Azure Roles. 2022-01-25 12:59:19 +01:00			`}`