Microsoft Graph Report on Azure Role Assignments

In this post we will go through creating an automated report that lists all assigned Azure roles and their user/group assignments using the Microsoft Graph SDK.

This can be useful for environments that haven’t implemented Microsoft Privileged Identity Management for role management, as it gives a way to keep track of role assignments in Azure.

I will be using the Microsoft Graph SDK; if you haven’t used it before, I have done a previous post on installing and getting started with the Graph SDK.

I will be using an app registration in Azure AD with certificate authentication (I covered this in one of my previous posts) so I don’t have to use any username or password with the script. We will need to add the required API permission.

To find the specific commands I need, I generally search for them in the Graph module reference documentation linked below, as there are a lot of commands in the Graph SDK module.

https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.applications/?view=graph-powershell-beta

To add the API permission, log on to the Azure portal

https://portal.azure.com

Open Azure Active Directory > App registrations

Select the Graph registration that was previously created. Under API permissions, select Add a permission and add the required application permissions to run the command.

In this case we will be using the RoleManagement.Read.All application permission.

Once the API permission is added we can start to create the script.

To get the list of directory roles that are currently in use, run

Get-MgDirectoryRole

Then, to get the assigned objects, use the command below, copying in the ID of the role whose members you want to view.

Get-MgDirectoryRoleMember -DirectoryRoleId IDValue

To view additional values for the returned object, use

(Get-MgDirectoryRoleMember -DirectoryRoleId IDValue).AdditionalProperties
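Putting the three commands above together, here is an added example of a complete report script. It is not the script from the GitHub link in this post; it assumes the certificate-based app registration described above, and the tenant ID, client ID and certificate thumbprint are placeholders you replace with your own. It uses -All on the list cmdlets so that large roles are not cut off at the default page size, and records roles that are activated but have no members so they still show up in the export.

```powershell
# Added example, not the post's own script. Assumes an Azure AD app registration
# with certificate authentication and the RoleManagement.Read.All application
# permission. All three IDs below are placeholders.
param(
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$ClientId   = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$Thumbprint = 'CERTIFICATE-THUMBPRINT-PLACEHOLDER',     # placeholder
    [string]$ReportPath = ".\AzureRoleAssignments_$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Certificate auth: no username or password stored with the script.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint

$collected = (Get-Date).ToString('s')

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
# -All follows the @odata.nextLink paging so nothing is truncated.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

    if ($members.Count -eq 0) {
        # Record the role anyway so the report shows it is activated but empty.
        [pscustomobject]@{
            Role              = $role.DisplayName
            RoleTemplateId    = $role.RoleTemplateId
            MemberType        = '(none)'
            DisplayName       = ''
            UserPrincipalName = ''
            ObjectId          = ''
            Collected         = $collected
        }
        continue
    }

    foreach ($m in $members) {
        # The member comes back as a generic directoryObject; the useful fields
        # live in AdditionalProperties, as shown earlier in the post.
        $p = $m.AdditionalProperties
        [pscustomobject]@{
            Role              = $role.DisplayName
            RoleTemplateId    = $role.RoleTemplateId
            # '#microsoft.graph.user' -> 'user', '#microsoft.graph.group' -> 'group', etc.
            MemberType        = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName       = $p['displayName']
            UserPrincipalName = $p['userPrincipalName']
            ObjectId          = $m.Id
            Collected         = $collected
        }
    }
}

$report | Sort-Object Role, MemberType, DisplayName |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Quick on-screen summary: how many assignments each role has.
$report | Where-Object MemberType -ne '(none)' |
    Group-Object Role | Select-Object Name, Count | Sort-Object Count -Descending |
    Format-Table -AutoSize

Disconnect-MgGraph
```

Two things to keep in mind when reading the export: a group assigned to a role appears as a single group row, and its nested members are not expanded, so a group assignment needs to be checked separately; and service principals show up with MemberType servicePrincipal and an empty UserPrincipalName. Keeping the dated CSVs lets you diff one run against the previous one to spot assignments that were added or removed between reports.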

The full script can be downloaded from the GitHub link below.

https://github.com/TheSleepyAdmin/Scripts/blob/master/MSGraph/RoleAssigment/Get-AdminRolesAssigment.ps1

Below is what the export will look like.

VMware List All Port Groups and Associated VM’s Using PowerCLI

During a recent project we started using network segregation to give more security and control instead of using a flat network.

This has led to VMs being broken up into their own VMware port groups and segregated VLANs.

There are now old port groups that have had all VMs removed, so we wanted to report on any port groups that have no VMs associated so that they can be removed, as otherwise we will hit an issue with the maximum VLAN limit per physical interface.

The quickest way I could think of to create the report was to use PowerCLI. In this post we will go through the process and commands used to create the report.

First we need to connect to vCenter using PowerCLI.

We will be using a few different commands in the script.

First we need to get the list of port groups; we will only be getting distributed port groups, as we don’t use standard port groups.

Get-VDPortgroup

The second part of the script gets the port group view using Get-View.

Get-View -ViewType Network -Property Name -Filter @{"Name" = "portgroup name"}

We will be using UpdateViewData to add some additional values to the view, which makes the script quicker and easier to read. See the link below for more details on UpdateViewData.

https://blogs.vmware.com/PowerCLI/2011/08/optimize-the-performance-of-powerclis-views.html

To find the properties we wanted to report on, we used

Get-VM -Name VMName | Get-View

Use Get-VIObjectByVIView to get the host information.

$vm = Get-VM -name VMName | get-view
(Get-VIObjectByVIView $vm.runtime.host).name

I want to report on the VM name, Host, Cluster and PowerState.

Below we will get the view for the port group and update the view with the additional details that I want in the report.

$networks = Get-View -ViewType Network -Property Name -Filter @{"Name" = "portgroup name"}

$networks | ForEach-Object{($_.UpdateViewData("Vm.Name","Vm.Runtime.Host.Name","Vm.Runtime.Host.Parent.Name","vm.Runtime.PowerState"))}

We can run the command below to check that the additional information has been added to the view.

$networks.LinkedView.vm.name

Once we have the view working and adding the properties we want we can start to create the full script.

The full script can be copied from the below github link.

https://github.com/TheSleepyAdmin/Scripts/blob/master/VMware/Network/VMware_PortGroupReport.ps1

There are two parameters in the script.

To just output to the console screen use -ConsoleOnly parameter.

To export to csv use the -ReportExport parameter.
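Here is an added example that assembles the steps above into one script with the same two parameters. It is not the script from the GitHub link; it assumes the VMware.PowerCLI module is installed and the vCenter name is a placeholder you replace. It deliberately handles the case this post is about, a port group with no VMs attached, by emitting a row for it rather than silently skipping it, and it anchors the Get-View filter because -Filter matches as a regular expression.

```powershell
# Added example, not the post's own script. Assumes VMware.PowerCLI is installed;
# the vCenter name below is a placeholder.
param(
    [string]$VIServer     = 'vcenter.example.local',   # placeholder
    [switch]$ConsoleOnly,
    [string]$ReportExport = ".\PortGroupReport_$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module VMware.PowerCLI
Connect-VIServer -Server $VIServer | Out-Null

# Only distributed port groups, as in the post.
$report = foreach ($pg in Get-VDPortgroup) {

    # Get-View -Filter is a regex match, so escape and anchor the name;
    # otherwise a filter for "VLAN10" also matches "VLAN100".
    $netViews = @(Get-View -ViewType Network -Property Name `
                    -Filter @{ Name = "^$([regex]::Escape($pg.Name))$" })

    foreach ($nv in $netViews) {
        # One round trip pulls the VM name, host, host parent (cluster) and power
        # state into LinkedView instead of a Get-VM per machine.
        $nv.UpdateViewData('Vm.Name', 'Vm.Runtime.Host.Name',
                           'Vm.Runtime.Host.Parent.Name', 'Vm.Runtime.PowerState')

        $vms = @($nv.LinkedView.Vm)

        if ($vms.Count -eq 0) {
            # The case we are looking for: nothing attached, candidate for removal.
            [pscustomobject]@{
                PortGroup  = $pg.Name
                # VlanId is null for trunk or private VLAN configurations.
                VlanId     = $pg.VlanConfiguration.VlanId
                VM         = '(none)'
                Host       = ''
                Cluster    = ''
                PowerState = ''
            }
            continue
        }

        foreach ($vm in $vms) {
            [pscustomobject]@{
                PortGroup  = $pg.Name
                VlanId     = $pg.VlanConfiguration.VlanId
                VM         = $vm.Name
                Host       = $vm.Runtime.LinkedView.Host.Name
                # Parent is the cluster, or the standalone compute resource for an unclustered host.
                Cluster    = $vm.Runtime.LinkedView.Host.LinkedView.Parent.Name
                PowerState = $vm.Runtime.PowerState
            }
        }
    }
}

if ($ConsoleOnly) {
    $report | Sort-Object PortGroup, VM | Format-Table -AutoSize
} else {
    $report | Sort-Object PortGroup, VM | Export-Csv -Path $ReportExport -NoTypeInformation
    # List the empty port groups separately so they are easy to act on.
    $report | Where-Object VM -eq '(none)' | Select-Object PortGroup, VlanId | Format-Table -AutoSize
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it as .\PortGroupReport.ps1 -ConsoleOnly for a quick look, or without the switch to write the CSV. Before removing a port group that the report lists as empty, it is worth confirming nothing else references it, such as a VM template or a VMkernel port, since those do not appear under the network's Vm property.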

Below is an example of the exported csv.