Use PowerShell to Find the Right Azure Roles in Minutes 🔍

-

 

As an IT professional working with Azure, it’s essential to assign the right roles to manage resources efficiently while following the principle of least privilege. My new PowerShell script helps you identify the appropriate Azure roles for managing specific resources (e.g., storage, resource groups) by displaying detailed role information in an interactive window. This tool is perfect for simplifying role assignments and enhancing security. 📌 Key points to consider:
  1. The script requires the Az PowerShell module to be installed.
  2. You must be logged into Azure with sufficient permissions (e.g., Reader or Contributor) to retrieve role definitions.
  3. The output is sorted from least privilege to most privilege, aiding zero trust implementations.
💡 Note: Ensure you’re connected to the correct Azure subscription, as role data depends on your context. Test the script in a non-production environment first! This script is a great way to streamline role management for your team and improve Azure governance. Follow for more Azure tips and scripts! 🚀
PowerShell Script 

## NOTE! Some points to consider for you and the customer

## 1. The script requires the Az PowerShell module to be installed.
## 2. You must be logged into Azure with sufficient permissions (e.g., Reader or Contributor).
## 3. Ensure you’re connected to the correct Azure subscription.



## Install the Az module if not already installed
Install-Module -Name Az -Force -AllowClobber

## Connect to Azure (log in with an account that has access)
Connect-AzAccount

## The script below helps you find roles for managing Azure resources
# Function to check if an action matches a pattern
function DoesActionMatch {
    param (
        [string]$specificAction,
        [string]$pattern
    )
    $regex = $pattern -replace '\*', '.*' -replace '/', '\/'
    if ($specificAction -match "^$regex$") { return $true }
    return $false
}

# Resource map for common terms
$resourceMap = @{
    "storage" = "Microsoft.Storage/*"
    "resource group" = "Microsoft.Resources/subscriptions/resourceGroups/*"
    "virtual machine" = "Microsoft.Compute/virtualMachines/*"
    "vm" = "Microsoft.Compute/virtualMachines/*"
    "network" = "Microsoft.Network/*"
    "sql" = "Microsoft.Sql/*"
    "key vault" = "Microsoft.KeyVault/*"
}

# Ask user what to manage
$userInput = Read-Host "Enter what you want to manage (e.g., 'I want to manage storage' or 'resource group')"

# Parse input
$resourceKey = $null
foreach ($key in $resourceMap.Keys) {
    if ($userInput.ToLower() -match $key) { $resourceKey = $key; break }
}

if (-not $resourceKey) {
    Write-Host "Kunde inte identifiera resursen. Försök igen med t.ex. 'storage', 'resource group' eller 'virtual machine'."
    return
}

$pattern = $resourceMap[$resourceKey]
Write-Host "Söker roller för '$resourceKey' (pattern: $pattern)..."

# Get all built-in roles
$roles = Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $false }

# Collect matching roles
$matchingRoles = @()
foreach ($role in $roles) {
    $relevantActions = @()
    foreach ($action in $role.Actions) {
        if (DoesActionMatch $action $pattern) { $relevantActions += $action }
    }
    $denied = $false
    foreach ($notAction in $role.NotActions) {
        if (DoesActionMatch $notAction $pattern) { $denied = $true; break }
    }
    if ($relevantActions.Count -gt 0 -and -not $denied) {
        $privilegeLevel = $role.Actions.Count
        $roleName = if ($role.Name) { $role.Name.Trim() } else { if ($role.RoleName) { $role.RoleName.Trim() } else { "OkÀnd roll (felsök: $($role.Id))" } }
        $description = if ($role.Description) { $role.Description.Trim() } else { "Ingen beskrivning tillgÀnglig" }
        $matchingRoles += [pscustomobject]@{Roll=$roleName; Beskrivning=$description; PrivilegieNivÄ=$privilegeLevel; RelevantaActions=($relevantActions -join "; ")}
    }
}

# Show in popup window, sorted from least to most privilege
if ($matchingRoles.Count -gt 0) {
    $matchingRoles | Sort-Object PrivilegieNivÄ | Select-Object Roll, Beskrivning, PrivilegieNivÄ, RelevantaActions | Out-GridView -Title "Roller för att managera '$resourceKey' (sorterat frÄn minst till mest privilegier)"
} else {
    [pscustomobject]@{Roll="Inga roller hittades"; Beskrivning="Ingen match för '$pattern'"; PrivilegieNivÄ=0; RelevantaActions=""} | Out-GridView -Title "Roller för att managera '$resourceKey' (inget resultat)"
}

Kommentarer

Skicka en kommentar

PopulÀra inlÀgg i den hÀr bloggen

Boost Your Graphics Power med GPU-acceleration i Azure Virtual Desktop!

-
Bild
  🎯 Purpose Optimize performance for Remote Desktop sessions by enabling GPU acceleration and video optimization via Microsoft Intune or Group Policy (GPO). 🧠 Prerequisites & Requirements Required skills: Basic knowledge of Windows device management Experience with Microsoft Intune or Group Policy Understanding of Remote Desktop (RDP/AVD) concepts Technical requirements: Windows 10/11 on session hosts GPU-enabled VMs (e.g., NVv3, NVadsA10 v5, NCasT4_v3) Microsoft HEVC codec installed on client devices Proper GPU drivers installed (NVIDIA GRID or AMD) 1. Sign in Go to: https://intune.microsoft.com 2. Create or edit a configuration profile Go to Devices > Configuration profiles Click Create profile Select: Platform: Windows 10 and later Profile type: Settings catalog 3. Add settings Click Add settings and browse to: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host ...
Read more »

🚀 IntuneWin – Deploying Win32 Apps via Intune 🎯

-
Bild
đŸ”č Benefits of IntuneWin: ✅ Seamless app packaging 📩 ✅ Automated deployment ⚙️ ✅ Centralized cloud management ☁️ ✅ Support for installation & uninstallation 🔄 The IntuneWin format is a method for preprocessing Windows Classic (Win32) applications. The tool transforms application installation files into the .intunewin format. Once you apply this tool to the app packaging folder, you can create an app enrollment configuration that enables advanced deployment features, such as OS version dependencies and uninstallation methods for remote application removal. Win32 apps in Intune size limit of 30 GB per app. To start the configuration 1- First you need to download the Microsoft Win32 Content Prep Tool :  Microsoft Win32 Content Prep Tool 2-  Unzip the tool to a folder, E, C , F etc drive (you can choose any folder you like). 3- Save your application  in the same folder as the Content Prep tools.  4- Now we will create the .intunewin package using PowerS...
Read more »

Block Personal devices to acces to Desktop apps like teams, Onedrive etc and how to troubleshooting the issue.

-
Bild
  You can use Conditional Access to block users based on location, IP address, and more, but now we will talk about blocking access for users who are using personal devices 1. Navigate to Entra ID -> Protection -> Conditional Access and create a new policy. 2- Create new policy 3-   Name your policy Assign your policy to a user/group or to all users. If you assign the policy to all users, be sure to exclude the break-glass account. It's essential to always have a break-glass account in place. In case of an error, you could accidentally lock out all users, so make sure these accounts remain unaffected. 4- In the Target resources select All resources (formerly 'All cloud apps') 5- In the conditions: Device platforms: select which devices you want the policy to apply to. In my case i will select windows and MacOS  Client apps: check all boxes except Browser, which will block everything except the browser. Here’s the magic: In the Filter for devices, you can ...
Read more »