• Azure导出所有用户权限---powershell命令


     
    直接运行脚本
     
     
     
     
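    #requires -Version 3.0 -Modules AzureRM.Resources
    # Exports the role assignments of the selected Azure subscription, expanding
    # group assignments into their member users (an access-review helper).
    #
    # Parameters:
    #   -GroupRolesByUser  Emit one row per display name with its roles joined,
    #                      instead of one row per assignment.
    #   -Environment       Azure environment to sign in to. Defaults to
    #                      AzureChinaCloud, the value this script was written for.
    #
    # NOTE(review): the AzureRM modules are deprecated in favour of the Az
    # modules; the cmdlet names used here are the AzureRM ones.
    # The signed-in account needs read access to role assignments and to the
    # directory (users, groups, group members); a read-only role is sufficient
    # for what the script does and is preferable to running it as an owner.
    param(
        [switch]
        $GroupRolesByUser,

        [string]
        $Environment = 'AzureChinaCloud'
    )
    # Any non-terminating error from the cmdlets below becomes terminating, so a
    # partial export is never presented as if it were complete.
    $ErrorActionPreference = 'Stop'

    Login-AzureRmAccount -ErrorVariable loginerror -Environment $Environment
    # -ErrorVariable yields a collection; test its size rather than comparing the
    # collection itself with $null (which filters elements instead of testing).
    if ($null -ne $loginerror -and $loginerror.Count -gt 0)
    {
        # Throw the message as a string. The original threw a script block, so
        # the error record carried the block's source text, quotes included.
        throw 'Error: An error occured during the login process, please correct the error and try again.'
    }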
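    Function Select-Subs
    {
        # Lists the subscriptions visible to the signed-in account, asks the
        # operator to pick one by menu number and returns a hashtable with the
        # keys 'name' and 'ID' for the chosen subscription.
        #
        # Errors from Get-AzureRmSubscription are no longer silenced: an empty
        # menu caused by a failed query would otherwise look like "no access".
        # An invalid or out-of-range answer is rejected with a clear message
        # instead of returning nothing and failing later in the caller.
        $Subs = @(Get-AzureRmSubscription | Select-Object -Property Name, ID, TenantId)
        if ($Subs.Count -eq 0)
        {
            throw 'No subscriptions are visible to the signed-in account.'
        }

        Write-Host "Please select the subscription you want to use" -ForegroundColor Green
        for ($Menu = 0; $Menu -lt $Subs.Count; $Menu++)
        {
            Write-Host "[$($Menu)]" -ForegroundColor Cyan -NoNewline
            Write-Host ". $($Subs[$Menu].Name)"
        }

        $selection = Read-Host "Please select the Subscription Number - Valid numbers are 0 - $($Subs.count -1)"

        # Parse strictly as an integer: implicit conversion would round "1.6" to
        # 2, and a negative index would silently count from the end of the list.
        $index = 0
        if (-not [int]::TryParse($selection, [ref]$index) -or $index -lt 0 -or $index -ge $Subs.Count)
        {
            throw ('Invalid subscription selection "{0}"; expected a number from 0 to {1}.' -f $selection, ($Subs.Count - 1))
        }

        Return @{name = $Subs[$index].Name; ID = $Subs[$index].ID}
    }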
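    $SubscriptionSelection = Select-Subs
    if ($null -eq $SubscriptionSelection)
    {
        # Without a selection the next call would fail on an empty argument;
        # stop here with a message that names the actual cause.
        throw 'No subscription was selected.'
    }
    # Select by ID rather than by name: Select-Subs returns both, and display
    # names are not guaranteed to be unique, so a name could resolve to a
    # different subscription than the one the operator picked.
    Select-AzureRmSubscription -SubscriptionId $SubscriptionSelection.ID -ErrorAction Stop

    # Directory snapshot used by Resolve-AzureAdUsers for display-name lookups.
    # This reads every user object the account can see; in a large tenant it is
    # the slowest step of the script.
    $ADUser = Get-AzureRmADUser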
    function Resolve-AzureAdUsers {
        # Returns the UserPrincipalName of the first entry in the script-level
        # $ADUser list whose displayName equals -Displayname (PowerShell's -eq
        # on strings is case-insensitive). Returns nothing when no entry matches.
        #
        # NOTE(review): display names are not unique. When two accounts share a
        # name only the first one in $ADUser is reported, so a role can be
        # attributed to the wrong login; matching on the object Id avoids this.
        param(
            [string]$Displayname
        )
        foreach ($candidate in $ADUser) {
            if ($candidate.displayName -ne $Displayname) { continue }
            return $candidate.UserPrincipalName
        }
    }
    function Resolve-AzureAdGroupMembers
    {
        # Expands a directory group into its non-group members, recursing into
        # nested groups. Each emitted object carries Id, DisplayName,
        # UserPrincipalName and a ParentGroup hashtable (Id, DisplayName) naming
        # the group the member was found in directly.
        #
        # Parameters:
        #   -GroupObjectId  Object id of the group to expand.
        #   -GroupList      Groups used to look up the parent's display name;
        #                   defaults to a fresh Get-AzureRmADGroup query.
        #
        # Output order: direct members first, then the members of each nested
        # group in the order the nested groups were returned.
        #
        # NOTE(review): there is no visited-set, so the recursion relies on the
        # directory not containing circular group nesting - confirm.
        # NOTE(review): verbose output is forced on below and includes member
        # display names; keep that in mind if the console is captured or logged.
        param(
            [guid]
            $GroupObjectId,
            $GroupList = (Get-AzureRmADGroup)
        )

        $VerbosePreference = 'continue'
        Write-Verbose -Message ('Resolving {0}' -f $GroupObjectId)

        $matchedGroup = $GroupList | Where-Object { $_.Id -eq $GroupObjectId }
        $memberList   = Get-AzureRmADGroupMember -GroupObjectId $GroupObjectId
        Write-Verbose -Message ('Found members {0}' -f ($memberList.DisplayName -join ', '))

        $parentGroup = @{
            Id          = $matchedGroup.Id
            DisplayName = $matchedGroup.DisplayName
        }
        # Calculated column attached to every direct member.
        $parentGroupColumn = @{
            Name       = 'ParentGroup'
            Expression = { $parentGroup }
        }

        # Direct (non-group) members of this group.
        $memberList |
        Where-Object { $_.Type -ne 'Group' } |
        Select-Object -Property Id, DisplayName, UserPrincipalName, $parentGroupColumn

        # Nested groups: expand each one with the same group list.
        foreach ($nestedGroup in ($memberList | Where-Object { $_.Type -eq 'Group' }))
        {
            Resolve-AzureAdGroupMembers -GroupObjectId $nestedGroup.Id -GroupList $GroupList
        }
    }
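    # Collect every role assignment returned for the current context, classic
    # administrators included, and flatten it to one record per principal:
    #   - an assignment to a group is expanded into the group's member users,
    #     each tagged with the role, scope and CanDelegate of that assignment;
    #   - any other assignment is passed through with ObjectId exposed as Id.
    # Both shapes carry SignInName, DisplayName and UserPrincipalName so later
    # stages can read them uniformly (a property missing on the source object
    # simply comes out empty).
    $roleAssignments = Get-AzureRmRoleAssignment -IncludeClassicAdministrators

    # The group list is fetched once, on the first group assignment, and reused.
    # Previously every group assignment triggered its own Get-AzureRmADGroup
    # query through the default value of -GroupList.
    $allGroups = $null

    $members = $roleAssignments | ForEach-Object -Process {
        Write-Verbose -Message ('Processing Assignment {0}' -f $_.RoleDefinitionName)
        # Keep a named reference: inside the calculated properties below $_ is
        # rebound to the object flowing through Select-Object.
        $roleAssignment = $_

        if($roleAssignment.ObjectType -eq 'Group')
        {
            # $null on the left so an empty group list is not mistaken for
            # "not loaded yet".
            if ($null -eq $allGroups) { $allGroups = @(Get-AzureRmADGroup) }

            Resolve-AzureAdGroupMembers -GroupObjectId $roleAssignment.ObjectId -GroupList $allGroups |
            Select-Object -Property Id,
                SignInName,DisplayName,UserPrincipalName,
                ParentGroup, @{
                    Name       = 'RoleDefinitionName'
                    Expression = { $roleAssignment.RoleDefinitionName }
                }, @{
                    Name       = 'Scope'
                    Expression = { $roleAssignment.Scope }
                }, @{
                    Name       = 'CanDelegate'
                    Expression = { $roleAssignment.CanDelegate }
                }
        }
        else
        {
            $roleAssignment | Select-Object -Property @{
                    Name       = 'Id'
                    Expression = { $_.ObjectId }
                },
                SignInName, DisplayName,UserPrincipalName,
                @{
                    Name       = 'RoleDefinitionName'
                    Expression = { $roleAssignment.RoleDefinitionName }
                },
                Scope,
                CanDelegate
        }
    }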
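    # Present the flattened records.
    #   -GroupRolesByUser : one row per display name with the role names joined.
    #   default           : one row per assignment (Scope, Displayname,
    #                       LoginName, RoleDefinitionName) in a grid view.
    if($GroupRolesByUser)
    {
        # NOTE(review): rows are grouped by DisplayName, so two different
        # principals that share a display name are merged into one row.
        $members |
        Sort-Object -Property DisplayName, RoleDefinitionName |
        Group-Object -Property DisplayName |
        Select-Object -Property Count,
            Name,
            @{
                Name       = 'RoleDefinitions'
                Expression = { $_.Group.RoleDefinitionName -join ', ' }
            },
            @{
                # Group-Object output has no ParentGroup property of its own, so
                # selecting it by name always produced an empty column. Collect
                # the parent group names from the grouped records instead.
                Name       = 'ParentGroup'
                Expression = {
                    $parentNames = $_.Group | ForEach-Object {
                        if ($_.ParentGroup) { $_.ParentGroup.DisplayName }
                    }
                    @($parentNames | Where-Object { $_ } | Select-Object -Unique) -join ', '
                }
            }
    }
    else
    {
        # Out-GridView needs an interactive desktop session and keeps nothing on
        # disk; pipe the same Select-Object output to Export-Csv when the result
        # has to be retained as review evidence.
        $members | Select-Object -Property Scope, Displayname,
        @{
            Name       = 'LoginName'
            Expression = {
                # Prefer the login carried by the record itself: it belongs to
                # the exact principal behind the assignment. The display-name
                # lookup is only a fallback, because display names are not
                # unique and can resolve to a different account.
                if ($_.UserPrincipalName) { $_.UserPrincipalName }
                elseif ($_.SignInName) { $_.SignInName }
                else { Resolve-AzureAdUsers -Displayname $_.DisplayName }
            }
        }, RoleDefinitionName | Out-GridView
    }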
  • 原文地址:https://www.cnblogs.com/lkun/p/10156042.html