AutoSysOps

View Original

Automatically create an azure authorization matrix

Maybe you recognize the situation where there is a big azure environment with multiple developer teams and other kind teams all needing access to different parts of azure. Especially in these cases often for the sake of compliancy and control the OPS team is asked to provide an matrix containing all the different permissions set so that this can be checked.

I’ve seen many teams struggle with getting these matrices created. Some tried to implement it into their procedures where changes to the environment also had to be changed in the matrix instantly. But still sometimes there had to be a manual check to see if it was correct, and this also only works if the OPS team is the only team able to hand out permissions. If you are in a situation where team leads can hand out permissions in specific subscriptions or resourcegroups it becomes even harder to capture this in a process.

So because of the Azure Spring Clean I’ve decided to create a powershell module which can gather this for you and display it in a way that can be used. This powershell module can be found on github.

The goal of this module is to eventually upload it to the PSGallery but for now it can just be downloaded from github because it’s still in an early version. This blogpost is to get it out there and gather some feedback so it can be improved to match as many needs as possible.

At the moment you can create an Azure DevOps pipeline to run the different functions of the module and create a nice output. To do this you will need to create a service connection (in this example it’s called “AuthMatrix”) to the top level management group in your subscription. You will also need to look up the app registration that is created and add the following API Permissions:

Next we could make a simple pipeline in Azure DevOps by using this yaml file:

See this content in the original post

This pipeline will download the module from github and get the tokens needed from the AzurePowershell task. It will then create the authorization matrix and save it as a markdown file. This markdown file is then uploaded as a summary in Azure DevOps. If you run the pipeline the result will look like this:

You’ll notice the “Extensions” tab visible. If you click on it you will see a screen like this:

This is a visual representation of the authorization matrix. In the columns it shows the different principals which have permissions set to them. These principals are ordered on their type, first it will show groups, then it will show managed identities followed applications and finally users. The idea behind this order is that the more to the right you go the less ideal these ways of settings permissions are.
In the rows of this table it shows the different roles set to the principals. The roles are grouped on their scope level, so first it shows the Root scope, then it shows roles set on management group level, followed by subscription and resourcegroup level and finally roles set to the individual resources. The idea is here the same again, the lower you go the less ideal it is.
In the table it will show “SET” if this role is set to this specific principal.

For now this is all I have to show for this module. I would love for the community to take a look at it. If you have suggestions about it you can submit them on github or leave them here as a comment or contact me on twitter or any other platform. I plan on improving this module more at least to a point where I think it’s good enough for a release on the powershell gallery. If you want to help contribute feel free to create a pull request on github or contact me.