<#
.SYNOPSIS
Audit Azure AD applications and export the result to a CSV file.
Outputs the list of all Azure AD apps along with their expiration date, display name, credential type (password credentials or key credentials), start date and key ID. Useful for finding the apps whose credentials are expiring and taking action.
.DESCRIPTION
REQUIRED : Internet access and an existing connection to an Azure tenant
REQUIRED : PowerShell modules, see the Variable section
.PARAMETER LogFile
Optional
Log file path
.NOTES
AUTHOR: James Dumont le Douarec
.LINK
https://github.com/JamesDLD/AzureRm-PowerShell
https://blogs.msdn.microsoft.com/svarukala/2018/01/26/powershell-to-list-all-azure-ad-apps-with-expiration-dates/
https://gist.github.com/svarukala/64ade1ca6f73a9d18236582e8770d1d4
.EXAMPLE
.\Audit-AzAdApplication.ps1
#>
param(
    # Optional path of the log file. When omitted, a dated log is created under <script folder>\logs.
    [Parameter(Mandatory = $false, HelpMessage = 'Log file path')]
    [String] $LogFile
)
################################################################################
# Function
################################################################################
#region function
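Function Generate_Log_Action([string]$Action, [ScriptBlock]$Command, [string]$LogFile){
    <#
    .SYNOPSIS
    Runs a script block and records the attempt (and any failure) on the console and in $LogFile.
    .PARAMETER Action
    Human-readable description of the step being performed.
    .PARAMETER Command
    Script block to run; it is invoked locally with Invoke-Command and sees the caller's variables.
    .PARAMETER LogFile
    Path of the log file. Lines are appended; -Force creates the file if it does not exist.
    .OUTPUTS
    Whatever $Command emits on success, or the string "Error" if it throws.
    Callers check for that sentinel with -eq "Error", so a command whose legitimate
    output is the string "Error" would be misreported as a failure.
    #>
    $Result = $null
    # $Action may embed tenant data (e.g. an application display name). Collapsing
    # line breaks keeps one step to one log line, so a crafted name cannot forge entries.
    $SafeAction = $Action -replace '[\r\n]+', ' '
    Write-Host "Info : $SafeAction ... " -ForegroundColor Cyan
    ((Get-Date -UFormat "[%d-%m-%Y %H:%M:%S] : ") + "Info : " + $SafeAction) | Out-File -FilePath $LogFile -Append -Force
    Try {
        $Result = Invoke-Command -ScriptBlock $Command
    }
    Catch {
        $ErrorMessage = $_.Exception.Message -replace '[\r\n]+', ' '
        $Output = "On action $SafeAction : $ErrorMessage"
        ((Get-Date -UFormat "[%d-%m-%Y %H:%M:%S] : ") + "Error : " + $Output) | Out-File -FilePath $LogFile -Append -Force
        # The script runs with $ErrorActionPreference = "Stop", under which a plain
        # Write-Error is itself terminating: the sentinel below would never be
        # returned and the callers' "Error" checks would be dead code. Report the
        # failure as non-terminating and let the caller decide.
        Write-Error $Output -ErrorAction Continue
        $Result = "Error"
    }
    Return $Result
}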
#endregion
################################################################################
# Variable
################################################################################
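Set-StrictMode -Version 2
$ErrorActionPreference = "Stop"
# Rows collected for the CSV export; one PSCustomObject per credential.
$results = @()
# Folder holding this script; the log file and the CSV are written under it.
$workfolder = Split-Path $script:MyInvocation.MyCommand.Path
$date = Get-Date -UFormat "%d-%m-%Y"
# Module Name, Minimum Version
$PowerShellModules = @(
    ("Az.Accounts", "1.3.0"),
    ("Az.Resources", "1.1.2")
)
# If no -LogFile was provided, log to <script folder>\logs\<date>-<script name>.log
if ($LogFile -eq "") {
    $LogPath = Join-Path $workfolder "logs"
    # mkdir would echo the new DirectoryInfo object to the pipeline; discard it to keep the output clean.
    if (!(Test-Path $LogPath)) { New-Item -ItemType Directory -Path $LogPath | Out-Null }
    $logFile = Join-Path $LogPath ("$date-" + $MyInvocation.MyCommand.Name + ".log")
}
ForEach ($PowerShellModule in $PowerShellModules) {
    $Action = "Importing the Module $($PowerShellModule[0]) with MinimumVersion $($PowerShellModule[1])"
    # The script block reads $PowerShellModule from this scope when Generate_Log_Action invokes it.
    $Command = { Import-Module $PowerShellModule[0] -MinimumVersion $PowerShellModule[1] -ErrorAction Stop }
    $Result = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
    # Generate_Log_Action returns the string "Error" on failure; a missing module is fatal.
    if ($Result -eq "Error") { Exit 1 }
}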
#endregion
################################################################################
# Action
################################################################################
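$Action = "Getting all Azure Ad Application"
$Command = { Get-AzADApplication -ErrorAction Stop }
$AzADApplications = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
# Generate_Log_Action returns the string "Error" when the command throws.
if ($AzADApplications -eq "Error") { Exit 1 }
foreach ($AzADApplication in $AzADApplications) {
    #$owner = Get-AzADApplicationOwner -ObjectId $app.ObjectID -Top 1
    $Action = "Getting Azure Ad Credential of Application : $($AzADApplication.DisplayName) / Object id : $($AzADApplication.ObjectID)"
    # The script block reads $AzADApplication from this scope when Generate_Log_Action invokes it.
    $Command = { Get-AzADAppCredential -ObjectId $AzADApplication.ObjectID -ErrorAction Stop }
    $AzADAppCredential = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
    if ($AzADAppCredential -eq "Error") { Exit 1 }
    # A foreach statement does not iterate over $null, so an application without any
    # credential yields no row. Piping $null into ForEach-Object would run the block
    # once and emit a row with empty CredentialType/ExpiryDate/KeyID.
    foreach ($Credential in $AzADAppCredential) {
        $results += [PSCustomObject] @{
            CredentialType = $Credential.Type
            DisplayName    = $AzADApplication.DisplayName
            ExpiryDate     = $Credential.EndDate
            StartDate      = $Credential.StartDate
            KeyID          = $Credential.KeyId
            #Owners = $owner.UserPrincipalName;
        }
    }
}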
################################################################################
# Output
################################################################################
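# The CSV is written next to the logs. That folder is only created by the log
# setup when -LogFile is omitted, so make sure it exists before exporting.
$CsvFolder = Join-Path $workfolder "logs"
if (!(Test-Path $CsvFolder)) { New-Item -ItemType Directory -Path $CsvFolder | Out-Null }
$CsvFile = Join-Path $CsvFolder "$date-AzAdApplication.csv"
$Action = "Exporting the Azure Ad Applications into the file : $CsvFile"
# -Encoding UTF8: Windows PowerShell 5.1 defaults Export-Csv to ASCII, which would
# replace non-ASCII characters in application display names with '?'.
$Command = { $results | Export-Csv -Path $CsvFile -NoTypeInformation -Encoding UTF8 -ErrorAction Stop }
$Result = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
# Generate_Log_Action returns the string "Error" when the export throws.
if ($Result -eq "Error") { Exit 1 }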