Added Azure Roles.

clouds/azure/Azure Roles/Dump-AzureRoles.ps1

@@ -0,0 +1,222 @@
+#
+# This script collects Azure RBAC and Azure AD Roles, their definitions and associated permissions.
+# Then lists them in a nice Markdown report.
+#
+# Usage:
+#   PS C:\> powershell -c '. .\Dump-AzureRoles.ps1 ; Dump-AzureRoles' | Out-File roles.md
+#
+# mgeeky / Mariusz Banach, '22
+# <mb [at] binary-offensive.com
+#
+
+Function Get-ARTADRolePermissions {
+    <#
+    .SYNOPSIS
+        Shows Azure AD role permissions.
+
+    .DESCRIPTION
+        Displays all granted permissions on a specified Azure AD role.
+
+    .PARAMETER RoleName
+        Name of the role to inspect.
+
+    .EXAMPLE
+        PS> Get-ARTADRolePermissions -RoleName "Global Administrator"
+    #>
+
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$True)]
+        [String]
+        $RoleName
+    )
+
+    try {
+        $EA = $ErrorActionPreference
+        $ErrorActionPreference = 'silentlycontinue'
+
+        Write-Host @"
+---
+
+#### ``$RoleName``
+
+"@
+
+        (Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'").RolePermissions | % {
+            $_.AllowedResourceActions | % {
+                Write-Host "- ``$_``"
+            }
+        }
+
+        Write-Host ""
+    }
+    catch {
+        Write-Host "[!] Function failed!" -ForegroundColor Red
+        Throw
+        Return
+    }
+    finally {
+        $ErrorActionPreference = $EA
+    }
+}
+
+Function Get-ARTRolePermissions {
+    <#
+    .SYNOPSIS
+        Shows Azure role permissions.
+
+    .DESCRIPTION
+        Displays all granted permissions on a specified Azure RBAC role.
+
+    .PARAMETER RoleName
+        Name of the role to inspect.
+
+    .EXAMPLE
+        PS> Get-ARTRolePermissions -RoleName Owner
+    #>
+
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$True)]
+        [String]
+        $RoleName
+    )
+
+    try {
+        $EA = $ErrorActionPreference
+        $ErrorActionPreference = 'silentlycontinue'
+
+        try {
+            $role = Get-AzRoleDefinition -Name $RoleName
+        }
+        catch {
+            Write-Host "[!] Could not get Role Definition. Possibly due to lacking privileges or lack of connection."
+            Throw
+            Return
+        }
+
+        Write-Host @"
+
+---
+
+#### ``$RoleName``
+
+"@
+
+        if($role.Actions.Length -gt 0 ) {
+            Write-Host "`n- Actions:"
+            $role.Actions | % {
+                Write-Host "  - ``$($_)``"
+            }
+        }
+
+        if($role.NotActions.Length -gt 0 ) {
+            Write-Host "`n- NotActions:"
+            $role.NotActions | % {
+                Write-Host "  - ``$($_)``"
+            }
+        }
+
+        if($role.DataActions.Length -gt 0 ) {
+            Write-Host "`n- DataActions:"
+            $role.DataActions | % {
+                Write-Host "  - ``$($_)``"
+            }
+        }
+
+        if($role.NotDataActions.Length -gt 0 ) {
+            Write-Host "`n- NotDataActions:"
+            $role.NotDataActions | % {
+                Write-Host "  - ``$($_)``"
+            }
+        }
+
+        Write-Host ""
+    }
+    catch {
+        Write-Host "[!] Function failed!" -ForegroundColor Red
+        Throw
+        Return
+    }
+    finally {
+        $ErrorActionPreference = $EA
+    }
+}
+
+
+Function Dump-AzureRoles {
+    $creds = Get-Credential
+    Connect-AzAccount -Credential $creds | Out-Null
+    Connect-AzureAD -Credential $creds | Out-Null
+
+    Write-Host @"
+# Synopsis
+
+First part of this gist contains list of Azure RBAC and Azure AD roles sorted by their names.
+
+Second part contains full definitions of each role along with their permissions assigned.
+
+## Role Definitions
+
+### Azure RBAC Roles
+
+
+| # | RoleName | RoleDescription | RoleId |
+|---|----------|-----------------|--------|
+
+"@
+
+    $azureRbacRoles = Get-AzRoleDefinition | ? { $_.IsCustom -eq $false } | sort -property displayname
+
+    $count = 0
+    $azureRbacRoles | % {
+        $count += 1
+        Write-Host "| $count | ``$($_.Name)`` | _$($_.Description)_ | ``$($_.Id)`` |"
+    }
+
+    Write-Host @"
+
+---
+
+### Azure AD Roles
+
+| # | RoleName | RoleDescription | RoleId |
+|---|----------|-----------------|--------|
+"@
+
+    $azureADRoles = Get-AzureADDirectoryRoleTemplate | sort -property displayname
+
+    $count = 0
+    $azureADRoles | % {
+        $count += 1
+        Write-Host "| $count | ``$($_.DisplayName)`` | _$($_.Description)_ | ``$($_.ObjectId)`` |"
+    }
+
+    Write-Host @"
+
+--- 
+
+## Role Definitions
+
+This section contains detailed definitions of each role along with their assigned permissions sets.
+
+### Azure RBAC Role Definitions
+
+"@
+
+    $azureRbacRoles | % {
+        Get-ARTRolePermissions -RoleName $_.Name
+    }
+
+    Write-Host @"
+
+---
+    
+### Azure AD Role Definitions
+
+"@
+
+    $azureADRoles | % {
+        Get-ARTADRolePermissions -RoleName $_.DisplayName
+    }
+}