@delorgedj
Created January 30, 2018 15:47
Add Multiple Users to Azure ARM Resource Group RBAC Role
################## RBAC ROLES SCRIPT ############################
#
#Author DJD 4/11/2017 ###
################################################################
#
##Login to Azure ARM
##This script gathers information about Azure ARM Resources
##Note: a plaintext password in a script is a credential exposure risk; Get-Credential prompts for it instead.
$azureAccountName = "username@.onmicrosoft.com"
$azurePassword = ConvertTo-SecureString "passwordhere" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAccountName, $azurePassword)
Add-AzureRmAccount -Credential $psCred
##Switch Subscriptions and set subscriptions
Set-AzureRmContext -SubscriptionName "subscriptionname"
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.sql
############ List all Azure Ad Groups with Object ID and output to a csv file for further use ########
Connect-AzureAD -Credential $psCred
Get-AzureADGroup | Export-Csv -Path "c:\Temp\EHM-AzureGroupdata.csv"
############ List all Current Roles ############
Get-AzureRmRoleDefinition | FT Name, Description
########## List Actions of Roles ####################
Get-AzureRmRoleDefinition Contributor | FL Actions, NotActions ## Command ####
(Get-AzureRmRoleDefinition "Virtual Machine Contributor").Actions #### Role to get actions from ####
########## Get Users who have access to a Role ##############
Get-AzureRmRoleAssignment -ResourceGroupName P-RGE-ADDC | FL DisplayName, RoleDefinitionName, Scope ### Must replace RG ####
############## List Roles Assigned to a user ###############
Get-AzureRmRoleAssignment -SignInName v-daviddelorge@eaglehm.com | FL DisplayName, RoleDefinitionName, Scope
#### This command also expands the user's group memberships, so roles inherited through groups are listed #############
Get-AzureRmRoleAssignment -SignInName v-daviddelorge@eaglehm.com -ExpandPrincipalGroups | FL DisplayName, RoleDefinitionName, Scope
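Added example (not part of the gist): a review pass over the existing assignments, run before granting more. It flags the built-in Owner, Contributor and User Access Administrator roles held at subscription scope and any assignment held by a service principal, and writes the findings to a CSV. It assumes an AzureRm session already exists (Add-AzureRmAccount / Set-AzureRmContext above); the output path and the role list are assumptions you can change.

```powershell
# Added example, not the gist's own code. Assumes an active AzureRm session.
function Get-BroadRoleAssignment {
    [CmdletBinding()]
    param(
        # Hypothetical output path; adjust to your environment
        [string]$OutputCsv = "C:\Temp\BroadRoleAssignments.csv",
        # Roles treated as high privilege when held at subscription scope
        [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )
    $subscriptionId = (Get-AzureRmContext).Subscription.Id
    $subScope = "/subscriptions/$subscriptionId"

    # Without parameters Get-AzureRmRoleAssignment lists every assignment in the current subscription
    $findings = Get-AzureRmRoleAssignment | ForEach-Object {
        $reasons = @()
        if (($PrivilegedRoles -contains $_.RoleDefinitionName) -and ($_.Scope -eq $subScope)) {
            $reasons += 'privileged role at subscription scope'
        }
        if ($_.ObjectType -eq 'ServicePrincipal') {
            $reasons += 'granted to a service principal'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DisplayName        = $_.DisplayName
                SignInName         = $_.SignInName
                ObjectType         = $_.ObjectType
                RoleDefinitionName = $_.RoleDefinitionName
                Scope              = $_.Scope
                Reason             = ($reasons -join '; ')
            }
        }
    }

    $findings | Export-Csv -Path $OutputCsv -NoTypeInformation
    return $findings
}

# Usage: Get-BroadRoleAssignment | Format-Table DisplayName, RoleDefinitionName, Scope, Reason
```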
################# Script to Grant access ##################
################ To assign a role, you need to identify both the object (user, group, or application) by its Object ID and the scope at which the role applies ######
############# TO Get Object ID for an Azure Group ######
Get-AzureRmADGroup -SearchString "TLR-BurnsData"
##### List all application role assignments for all Service Principals #########
# Get all service principals, and for each one, get all the app role assignments,
# resolving the app role ID to its display name.
Get-AzureADServicePrincipal | % {
    # Build a hash table of the service principal's app roles. The 0-Guid is
    # used in an app role assignment to indicate that the principal is assigned
    # to the default app role (or rather, no app role).
    $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
    $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
    # Get the app role assignments for this app, and add a field for the app role name
    Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) | Select ResourceDisplayName, PrincipalDisplayName, Id | % {
        $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -PassThru
    }
}
##### To get the specific Object ID for an Azure Service Principal or Application ######
Get-AzureRmADServicePrincipal -SearchString "ServiceNow - PROD"
## Copy the ID ##
#######################################################################
#######################################################################
### ASSIGN A ROLE TO AN APPLICATION AT SUB SCOPE ######################
New-AzureRmRoleAssignment -ObjectId 028804df-dfcf-4fa9-886e-89d18bc99673 -RoleDefinitionName Contributor -Scope /subscriptions/a06a5db5-fbde-49a1-a9f0-bf20012db699
####### Assign a role to a user at the resource group scope ############
New-AzureRmRoleAssignment -SignInName v-daviddelorge@eaglehm.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName D-RGE-AzureB2C
############## Use a CSV file to add multiple users to a Resource Group ############
$Users = import-csv C:\Temp\Users.csv
$Users | ForEach-Object { New-AzureRmRoleAssignment -SignInName $_.Username -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName D-RGE-AzureB2C }
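Added example (not the gist's own code): the CSV bulk assignment above, reworked so that each row is validated and an assignment that already exists is skipped, which makes re-running the script safe. It assumes a CSV with the columns Username, Role and ResourceGroup (a constructed layout; the gist's own file only has Username) and an existing AzureRm session; the function name is an assumption.

```powershell
# Added example, not the gist's own code. Assumes an active AzureRm session and a CSV
# with columns Username,Role,ResourceGroup (constructed layout).
function Add-RoleAssignmentFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )
    foreach ($row in Import-Csv -Path $Path) {
        # Confirm the user exists in the directory before touching RBAC
        $user = Get-AzureRmADUser -UserPrincipalName $row.Username -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "Skipping '$($row.Username)': user not found in Azure AD"
            continue
        }
        # Confirm the role definition name is real (catches typos before they become a failed grant)
        if (-not (Get-AzureRmRoleDefinition -Name $row.Role)) {
            Write-Warning "Skipping '$($row.Username)': role '$($row.Role)' does not exist"
            continue
        }
        # Idempotency: do not create a duplicate assignment on the same scope
        $existing = Get-AzureRmRoleAssignment -ObjectId $user.Id `
            -RoleDefinitionName $row.Role -ResourceGroupName $row.ResourceGroup
        if ($existing) {
            Write-Verbose "'$($row.Username)' already has '$($row.Role)' on '$($row.ResourceGroup)'"
            continue
        }
        # -WhatIf / -Confirm are honoured here via SupportsShouldProcess
        if ($PSCmdlet.ShouldProcess("$($row.Username) on $($row.ResourceGroup)", "Assign role '$($row.Role)'")) {
            New-AzureRmRoleAssignment -ObjectId $user.Id `
                -RoleDefinitionName $row.Role -ResourceGroupName $row.ResourceGroup
        }
    }
}

# Usage: dry run first, then apply
# Add-RoleAssignmentFromCsv -Path C:\Temp\Users.csv -WhatIf
# Add-RoleAssignmentFromCsv -Path C:\Temp\Users.csv -Verbose
```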
################# Assign a role to a group at the resource scope ###############
New-AzureRmRoleAssignment -ObjectId <object id> -RoleDefinitionName <role name in quotes> -ResourceName <resource name> -ResourceType <resource type>`
-ParentResource <parent resource> -ResourceGroupName <resource group name>
###################### Remove Access #####################
Remove-AzureRmRoleAssignment -ObjectId <object id> -RoleDefinitionName <role name> -Scope <scope such as subscription id>