AzGovViz - Azure Governance Visualizer

AzGovViz version history

AzGovViz version 6

Changes (2022-May-05 / Major)

  • fix: $using:scriptPath variable in foreach -parallel (this is only relevant for Azure DevOps and GitHub if you have a non-default folder structure in your repository)

Changes (2022-May-02 / Minor)

  • Tenant Summary Change Tracking - RBAC Role assignments: add PIM (Privileged Identity Management) information
  • Azure DevOps pipeline YAML - change vmImage: 'ubuntu-18.04' to vmImage: 'ubuntu-20.04'
  • Published new HTML demo

Changes (2022-May-01 / Major)

  • Switch from ARM API endpoint roleAssignmentSchedules to roleAssignmentScheduleInstances, switch from api-version 2020-10-01-preview to 2020-10-01
  • Update GitHub Actions workflows
  • Update pwsh/prerequisites.ps1 script (relevant for GitHub Actions and Azure DevOps Pipeline)
  • Update API reference
  • Update Setup Guide
  • Bugfix

Changes (2022-Apr-25 / Major)

  • New JSON output *_PolicyAll.json - Contains all relations of Policy/Set definitions and Policy assignments
  • New parameter -ShowMemoryUsage - Shows memory usage at memory-intensive sections of the scripts; this shall help you determine if the worker is well sized for AzGovViz
  • Leveraging the AzAPICall PowerShell module. The AzAPICall function has been removed from the AzGovViz code base and has been published as a module to the PowerShell Gallery (GitHub)
  • Foreach -parallel imports the AzAPICall module instead of using $using:
  • Optimize GitHub Actions workflows (YAML)
  • Added list of APIs that are polled by AzGovViz
  • Microsoft Graph v1.0/directoryObjects/getByIds - batch the request if it exceeds 1000 identities
  • Performance optimization
  • Bugfixes
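The getByIds batching noted above, as an added illustration that is not AzGovViz code: Microsoft Graph accepts at most 1000 ids per directoryObjects/getByIds request, so a larger id set is split into chunks, the responses are merged, and ids Graph did not return (typically deleted objects behind orphaned Role assignments) are reported separately. The function names Split-IntoBatches and Invoke-GraphGetByIds, and the $Headers hashtable carrying the Bearer token, are assumptions.

```powershell
# Added example, not AzGovViz code: resolve a large set of directory object ids
# via POST https://graph.microsoft.com/v1.0/directoryObjects/getByIds in batches of 1000.
function Split-IntoBatches {
    param([string[]]$Ids, [int]$BatchSize = 1000)
    for ($i = 0; $i -lt $Ids.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $Ids.Count) - 1
        , $Ids[$i..$end]   # leading comma emits each batch as one array
    }
}

function Invoke-GraphGetByIds {
    param(
        [string[]]$Ids,
        [hashtable]$Headers,   # assumed: @{ Authorization = "Bearer <token>" } for Graph
        [string]$GraphBase = 'https://graph.microsoft.com/v1.0'
    )
    $unique   = @($Ids | Select-Object -Unique)
    $resolved = [System.Collections.Generic.List[object]]::new()

    foreach ($batch in Split-IntoBatches -Ids $unique) {
        # Graph rejects more than 1000 ids per call, hence the batching
        $body = @{
            ids   = @($batch)
            types = @('user', 'group', 'servicePrincipal')
        } | ConvertTo-Json -Depth 3

        $response = Invoke-RestMethod -Method Post -Uri "$GraphBase/directoryObjects/getByIds" `
            -Headers $Headers -ContentType 'application/json' -Body $body
        if ($response.value) { $resolved.AddRange([object[]]$response.value) }
    }

    # ids absent from the response no longer exist in the directory; the caller can
    # use this list to flag Role assignments whose identity is gone (orphaned)
    $found   = @($resolved.id)
    $missing = @($unique | Where-Object { $_ -notin $found })
    [pscustomobject]@{ Resolved = $resolved; NotFound = $missing }
}
```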

Changes (2022-Jan-31 / Major)

  • New TenantSummary | RBAC feature - insights on all Role definitions that are capable of writing Role assignments
  • TenantSummary | Subscriptions, Resources & Defender | Subscriptions report (new) Role assignment limits
  • Handling orphaned Policy assignments (scope Management Group)
  • Datacollection for Management Groups process in batches (batch per Management Group level)
  • Update Dockerfile
  • Update API version for Resources, ResourceGroups and Subscriptions
  • Further enrich _PolicyDefinitions and _PolicySetDefinitions CSV outputs
  • HTML file performance optimization
  • Include instructions for GitHub Actions in the Setup Guide
  • New demo uploaded
  • Bugfixes

Changes (2022-Jan-16 / Major)

  • New parameter -ManagementGroupsOnly - collect data only for Management Groups (Subscription data such as e.g. Policy assignments etc. will not be collected)
  • New feature TenantSummary | Subscriptions, Resources & Defender, TenantSummary | Azure Active Directory and ScopeInsights insights on UserAssignedIdentities/Resources - which resource has a user assigned managed identity assigned / vice versa. Includes CSV export. Thanks to Thomas Naunheim (Microsoft Azure MVP) for inspiration :)
  • New feature TenantSummary | Policy | Policy assignments orphaned (Policy assignment's Policy definition does not exist / likely Management Group scoped Policy definition - Management Group deleted)
  • Optimize DefinitionInsights collapsible JSON definitions
  • Defender plans usage / highlight use of deprecated plans such as Container Registry & Kubernetes
  • New 'Large Tenant' feature TenantSummary | Policy | Policy assignments if the number of Policy assignments exceeds the -HtmlTableRowsLimit parameter's value (default = 20.000) then the html table will not be created / the CSV file will still be created
  • New feature TenantSummary | Azure Active Directory | AAD ServicePrincipals type=ManagedIdentity orphaned Managed Identities (for Policy assignment related Managed Identities - Policy assignment does not exist anymore)
  • Fix PIM (Privileged Identity Management) state for inherited Subscription Role assignments
  • TenantSummary | Azure Active Directory add link to AzADServicePrincipalInsights (POC)
  • Add CSV export for Policy Exemptions
  • Add workflow files (YAML) for GitHub Actions (one for OpenID Connect (OIDC))
  • Bugfixes
  • HTML output patch jQuery / use latest version 3.6.0
  • Update Demo
  • AzAPICall enhanced error handling (GeneralError, ResourceGroupNotFound)
  • Script optimization / prepare for PS module

Changes (2021-Dec-10 / Minor)

  • Deprecation of parameter -AzureDevOpsWikiAsCode / based on environment variables the script will detect the platform the code runs on
  • Changed -ThrottleLimit default from 5 to 10

Changes (2021-Dec-09 / Minor)

  • Run AzGovViz in GitHub CodeSpaces - thanks! Carlos Mendible (Microsoft Cloud Solution Architect - Spain)
  • JSON output update -> filenames will indicate if a Role assignment is PIM (Privileged Identity Management) based

Changes (2021-Nov-23 / Major)

  • Add Microsoft Defender for Cloud 'Defender Plans' reporting (TenantSummary -> Subscriptions, Resources & Defender; ScopeInsights -> Defender Plans)
  • Adapt to the new naming Azure Security Center (ASC) / Microsoft Defender for Cloud. Renamed parameter -NoASCSecureScore to -NoMDfCSecureScore (old parameter will still work)
  • Update policyAssignment API version '2020-09-01' to '2021-06-01'
  • Fix ScopeInsights Tags usage
  • Fix dateTime formatting / use default format (createdOn/updatedOn)
  • The Consumption feature has the potential to fail. Changed Azure Consumption feature default = disabled; introducing new parameter -DoAzureConsumption
  • Changed -HtmlTableRowsLimit default from 40.000 to 20.000
  • CSV output related changes
    • Update *_RoleAssignments.csv output (add column for scope ResourceGroup name; add column for scope Resource name)
    • Optimize *_PolicyDefinitions.csv and *_PolicySetDefinitions.csv file content / add BuiltIn definitions
    • Add CSV export *_ResourceProviders.csv (all Resource Providers and their states for all Subscriptions)
    • Add CSV export *_RoleDefinitions.csv (BuiltIn and Custom including some enriched information)
  • AzAPICall update error handling for 'Resource diagnostic settings' and 'AAD groups transitive members count'
  • Script optimization

Changes (2021-Nov-01 / Major)

  • New output - The feature request to create Scope Insights output per Subscription has been implemented. With this new feature you can share Subscription Scope Insights with the staff responsible for the Subscription. Use parameter -NoSingleSubscriptionOutput to disable the feature
  • Update Required permissions in Azure Active Directory for the scenario of a Guest User executing the script
  • Add 'daily summary' output (CSV) to easily track your Tenant's Governance evolution over time - Tim will hopefully create a PR for how he leverages AzGovViz historical data for Azure Log Analytics based dashboards
  • Improved permission related error handling

Changes (2021-Oct-25 / Major)

  • AzAPICall enhanced error handling (general error 'An error has occurred.' ; roleAssignment schedules)

Changes (2021-Oct-21 / Major)

  • AzAPICall enhanced error handling (GatewayAuthenticationFailed; roleAssignment schedules)

Release v6 Changes

  • Removed usage of Azure PowerShell cmdlet 'Get-AzRoleAssignment' / preparing for upcoming deprecation of 'Azure Active Directory Graph' API (announcement)
  • Management Group diagnostic setting - reflect inheritance of diagnostic settings from upper Management Group scopes
  • TenantSummary Policy assignments - resolve Managed Identity (if Policy assignment effect is DeployIfNotExists (DINE) or Modify)
  • Removed TenantSummary RBAC Classic Role assignments
  • Improved AzAPICall error handling and output
  • Azure DevOps pipeline (yml) updated prerequisites to include Repository 'contribute' permission check
  • Added Application Insights stats
  • Performance optimization
  • Bugfixes

AzGovViz version 5

Changes (2021-Sep-19 / Major)

  • Fix Issue #60
  • Fix JSON file creation / path containing brackets
  • AzAPICall enhanced error handling (ClientCertificateValidationFailure)
  • Minor performance optimization
  • Bugfixes

Changes (2021-Sep-13 / Major)

  • Fix Issue #58
  • Add Windows invalid character usage check (Management Group, Subscription, Policy/Set definition, Policy assignment, Role definition)

Changes (2021-Sep-08 / Major)

  • Update AzAPICall handle variants of throttled requests

Changes (2021-Sep-07 / Minor)

  • Update AzAPICall CostManagement return
  • Fix markdown output (Management Group Hierarchy leveraging Mermaid plugin); hierarchy broken when not executing against Tenant Root Group but child Management Group

Changes (2021-Sep-03 / Major)

  • AzAPICall enhanced error handling

Changes (2021-Sep-01 / Major)

  • Update AzAPICall CostManagement return

Changes (2021-Aug-30 / Major)

  • Adding feature for RBAC Role assignments: determine 'standing' from PIM (Privileged Identity Management) managed Role assignments
  • New parameter -NoResources - this will speed up the processing time, but information like Resource diagnostics capability and resource type stats will not be made available (featured for large tenants)
  • Integrate AzGovViz with AzOps (after 'AzOps - Push' run AzGovViz) - (line 77 AzGovViz.yml). Check out AzOps Accelerator
  • Performance optimization

Changes (2021-Aug-25 / Major)

  • Resource diagnostics capability for logs and metrics will only be checked for 1st party (Microsoft) Resource types

Changes (2021-Aug-22 / Major)

  • Bugfix - indirect Role assignments (applied through AAD group membership); switched to the Graph beta endpoint as v1.0 only resolves users and groups, whilst we're also interested in Service Principals - List group transitive members

Changes (2021-Aug-18 / Major)

  • Added ASC Secure Score for Management Groups
  • Policy Compliance - if API returns 'ResponseTooLarge' then flag Policy Compliance entries with 'skipped' for given scope
  • Added demo-output folder containing all outputs (html, csv, md, json, log)
  • Bugfixes

Changes (2021-Aug-06 / Major)

  • Enriched Policy assignments with list of used parameters
  • Enriched Role assignments on Groups with Group member count
  • Optimize JSON outputs
  • CSP scenario error handling
  • Bugfixes
  • Performance optimization

Changes (2021-July-28 / Major)

  • As demanded by the community, reactivated parameters -PolicyAtScopeOnly and -RBACAtScopeOnly
  • New parameter -AADGroupMembersLimit. Defines the limit (default=500) of AAD Group members; for AAD Groups that have more members than the defined limit, Group members will not be resolved
  • New parameter -JsonExportExcludeResourceGroups - JSON Export will not include ResourceGroups (Policy & Role assignments)
  • New parameter -JsonExportExcludeResources - JSON Export will not include Resources (Role assignments)
  • Bugfixes
  • Performance optimization

Changes (2021-July-22 / Major)

  • Full-blown JSON definition output. Leveraging Git with this new capability you can easily track any changes that occurred between the previous and the last AzGovViz run.
    • e.g. a new BuiltIn RBAC Role definition was added
  • Renamed parameter -PolicyIncludeResourceGroups to -DoNotIncludeResourceGroupsOnPolicy (from now on Policy assignments on ResourceGroups will be included by default)
  • Renamed parameter -RBACIncludeResourceGroupsAndResources to -DoNotIncludeResourceGroupsAndResourcesOnRBAC (from now on Role assignments on ResourceGroups and Resources will be included by default)
  • New parameter -HtmlTableRowsLimit. Although the parameter -LargeTenant was introduced recently, the html output may still become too large to be processed properly. The new parameter defines the limit of rows - if the limit is reached during the html processing part then the html table will not be created (csv and json output will still be created). Default rows limit is 40.000
  • Added NonCompliance Message for Policy assignments
  • Cosmetics
  • Bugfixes
  • Performance optimization

Changes (2021-July-07 / Major)

  • Replaced parameters -NoScopeInsights, -RBACAtScopeOnly and -PolicyAtScopeOnly with -LargeTenant. A large tenant is a tenant with more than ~500 Subscriptions - the HTML output for large tenants simply becomes too big, therefore AzGovViz will not create ScopeInsights and will not show inheritance for Policy and Role assignments in the TenantSummary (html) output
  • Add Tenant to HierarchyMap including count of Role assignments
  • Executing against any child Management Group will show all parent Management Groups in HierarchyMap
  • Cosmetics / Icons
  • Bugfixes
  • Performance optimization - optimized data collection to reduce memory utilization -> big, fat 'Thank You' to Tim Wanierke and Brooks Vaughn

Changes (2021-June-16 / Minor)

  • Added detailed Setup instructions

Changes (2021-June-07 / Major)

  • Breaking Changes
    • Changed parameter -CsvExport to -NoCsvExport - You will need to explicitly deny CSV export using -NoCsvExport
    • Changed parameter -JsonExport to -NoJsonExport - You will need to explicitly deny JSON export using -NoJsonExport
  • HierarchyMap enrich Management Groups with counts on Policy assignments, scoped Policy definitions and Role assignments
  • Enhanced Management Group and Subscription Diagnostic settings / list Management Groups and Subscriptions that do not have Diagnostic settings applied
  • Updated API error codes / throttle handling
  • Bugfixes

Changes (2021-June-01 / Feature)

  • Added Management Group and Subscription Diagnostic settings
  • Restructure TenantSummary - 'Diagnostics' gets its own section

Changes (2021-May-19)

  • Removed Azure PowerShell module requirement Az.ResourceGraph
  • TenantSummary 'Change tracking' section. Tracks newly created and updated custom Policy, PolicySet and RBAC Role definitions, Policy/RBAC Role assignments and Resources that occurred within the last 14 days (period can be adjusted using new parameter -ChangeTrackingDays)
  • New parameters -PolicyIncludeResourceGroups and -RBACIncludeResourceGroupsAndResources - include Policy assignments on ResourceGroups, include Role assignments on ResourceGroups and Resources
  • New parameters -PolicyAtScopeOnly and -RBACAtScopeOnly - removing 'inherited' lines in the HTML file; use these parameters if you run against larger tenants
  • New parameter -CsvExport - export enriched data for 'Role assignments', 'Policy assignments' data and 'all resources' (subscriptionId, managementGroup path, resourceType, id, name, location, tags, createdTime, changedTime)
  • !experimental New parameter -JsonExport - export of ManagementGroup Hierarchy including all MG/Sub Policy/RBAC definitions, Policy/RBAC assignments and some more relevant information to JSON
  • Added ClassicAdministrators Role assignment information
  • Restructure TenantSummary - Limits gets its own section
  • Added system metadata for Policy/RBAC definitions and assignments
  • New parameter -FileTimeStampFormat - define the time format for the output files (default is yyyyMMdd_HHmmss)
  • Updated API error codes
  • Cosmetics / Icons
  • Bugfixes
  • Performance optimization

Changes (2021-Mar-26)

  • Code adaption to prevent billing related errors in sovereign cloud AzureChinaCloud (.Billing n/a)
  • New parameter -SubscriptionId4AzContext - Define the Subscription Id to use for AzContext (default is to use a random Subscription Id)
  • New parameter -AzureDevOpsWikiHierarchyDirection - Azure DevOps Markdown Management Group hierarchy tree direction. Use 'TD' for Top->Down, use 'LR' for Left->Right (default is 'TD'; use 'LR' for larger Management Group hierarchies)
  • Bugfixes
  • Performance optimization

Breaking Changes (2021-Feb-28)

  • When granting Azure Active Directory Graph API permissions, an AAD Role assignment for the AAD Group 'Directory readers' used to be triggered automatically in the background - since January/February 2021 this is no longer the case. Review the updated AzGovViz technical documentation section for detailed permission requirements.

Let's accelerate by going parallel! (2021-Feb-14)

  • Support for PowerShell Core ONLY! No support for PowerShell version < 7.0.3
  • New section DefinitionInsights - Insights on all built-in and custom Policy, PolicySet and RBAC Role definitions
  • New parameter -NoScopeInsights - Q: Why would you want to do this? A: In larger tenants the ScopeInsights section blows up the html file (up to unusable due to html file size)
  • New parameter -ThrottleLimit - Leveraging PowerShell Core's parallel capability you can define the ThrottleLimit (default=5)
  • New parameter -DoTranscript - Log the console output
  • Parameter -SubscriptionQuotaIdWhitelist now expects an array
  • Renamed parameter -NoServicePrincipalResolve to -NoAADServicePrincipalResolve
  • Renamed parameter -ServicePrincipalExpiryWarningDays to -AADServicePrincipalExpiryWarningDays
  • Bugfixes

Note: In order to run AzGovViz Version 5 in Azure DevOps you also must use the v5 pipeline YAML.

AzGovViz version 4

Updates 2021-Jan-26

  • Role Assignments indicate if User is Member/Guest
  • Enrich information for Policy assignment related ServicePrincipal/Managed Identity (Policy assignment details on policy/set definition and Role assignments)
  • Preloading of TableFilter removed for TenantSummary PolicyAssignmentsAll and RoleAssignmentsAll (on poor hardware loading the HTML file took quite long)
  • Fix 'Orphaned Custom Roles' bug - thanks to Tim Wanierke
  • More bugfixes
  • Performance optimization

Updates 2021-Jan-18

  • Feature: Policy Exemptions
  • Feature: ResourceLocks
  • Feature: Tag Name Usage
  • Feature: Cost Management / Consumption Reporting - use another API
  • Bugfixes

Updates 2021-Jan-08

  • Feature: Cost Management / Consumption Reporting - Changed AzureConsumptionPeriod default to 1 day
  • Bugfixes

Updates 2021-Jan-06 - Happy New Year

  • Feature: Resolve Azure Active Directory Group memberships for Role assignment with identity type 'Group' leveraging Microsoft Graph. With this capability AzGovViz can ultimately provide holistic insights on permissions granted for Management Groups and Subscriptions (honors parameter -DoNotShowRoleAssignmentsUserData). Use parameter -NoAADGroupsResolveMembers to disable the feature
  • Feature: New TenantSummary section 'Azure Active Directory' -> Check all Azure Active Directory Service Principals (type=Application that have a Role assignment) for Secret/Certificate expiry. Mark all Service Principals (type=ManagedIdentity) that are related to a Policy assignments. Use parameter -NoServicePrincipalResolve to disable this feature
  • Feature: Cost Management / Consumption Reporting for Subscriptions including aggregation at Management Group level. Use parameter -NoAzureConsumption to disable this feature.
    Note: By default the consumption query will request consumption data for the last full day (if you run it today, it will capture the cost for yesterday); use the parameter -AzureConsumptionPeriod to define a preferred time period, e.g. -AzureConsumptionPeriod 7 (for 7 days)
  • Removed parameter -Experimental. 'Resource Diagnostics Policy Lifecycle' enabled by default. Use -NoResourceDiagnosticsPolicyLifecycle to disable the feature.
  • Renamed parameter -DisablePolicyComplianceStates to -NoPolicyComplianceStates for better consistency
  • Optimize 'Get Resource Types capability for Resource Diagnostics' query - thanks Brooks Vaughn
  • Update Pipeline to honor master/main change
  • Add info to HTML file on parameters used
  • Performance optimization

Updates 2020-Dec-17

  • Now supporting > 5000 entities (Subscriptions/Management Groups) :) thanks Brooks Vaughn

Updates 2020-Dec-15

  • Pipeline azurePowerShellVersion: latestVersion / ensures compatibility with latest Az.ResourceGraph 0.8.0 Release
  • Error handling optimization / API
  • Fix 'deprecated Policy assignments'
  • Fix 'orphaned Custom Role definitions'

Updates 2020-Nov-30

  • New parameter -DisablePolicyComplianceStates (later renamed to -NoPolicyComplianceStates; see Parameters)
  • Error handling optimization / API

Updates 2020-Nov-25

  • Highlight default Management Group
  • Add AzAPICall debugging parameter -DebugAzAPICall
  • Fix for using parameter -HierarchyMapOnly

Updates 2020-Nov-19

Updates 2020-Nov-08

  • Re-model Bearer token handling (Az PowerShell Module Az.Accounts > 1.9.5 no longer provides access to the tokenCache GitHub issue)
  • Adding Scope information for Custom Policy definitions and Custom PolicySet definitions sections in TenantSummary
  • Cosmetics and User Experience enhancement
  • New demo

Updates 2020-Nov-01

  • Error handling optimization
  • Enhanced read-permission validation
  • Toggle capabilities in TenantSummary (avoiding information overload)

Updates 2020-Oct-12

  • Adding option to download HTML tables to csv
  • Preloading of TableFilter removed for ScopeInsights (on poor hardware loading the HTML file took quite long)
  • Added column un-select option for some HTML tables
  • Performance optimization

Release v4

  • Resource information for Management Groups (Resources in all child Subscriptions) in the ScopeInsights section
  • Excluded Subscriptions information (whitelisted, disabled, AAD_ QuotaId)
  • Bugfixes, Bugfixes, Bugfixes
  • Cosmetics and User Experience enhancement
  • Performance optimization
  • API error handling / retry optimization
  • New Parameters -NoASCSecureScore, -NoResourceProvidersDetailed (see Parameters)

AzGovViz version 3

  • HTML filterable tables
  • Resource Types Diagnostics capability check
  • ResourceDiagnostics Policy Lifecycle recommendations (experimental)
  • Resource Diagnostics Policy Findings
  • Resource Provider details
  • Policy assignments filter excluded scopes
  • Use of deprecated built-in Policy definitions
  • Subscription QuotaId Whitelist

AzGovViz version 2

  • Optimized user experience for the HTML output
  • TenantSummary / selected Management Group scope
  • Reflect Tenant, ManagementGroup and Subscription Limits for Azure Governance capabilities
  • Some security related best practice highlighting
  • More details: Management Groups, Subscriptions, Policy definitions, PolicySet definitions (Initiatives), orphaned Policy definitions, RBAC and Policy related RBAC (DINE MI), orphaned Role definitions, orphaned Role assignments, Blueprints, Subscription State, Subscription QuotaId, Subscription Tags, Azure Security Center Secure Score, ResourceGroups count, Resource types and count by region, Limits, Security findings
  • Resources / leveraging Azure Resource Graph
  • Parameter based output (hierarchy only, 'scrubbed' user information and more..)
  • HTML version check