Martin Ehrnst ehrnst

@ehrnst
ehrnst / migrate-devops-repo.ps1
Created February 16, 2024 10:57
PowerShell script using GH CLI to migrate Azure DevOps repositories to GitHub
param(
[Parameter(HelpMessage="The Azure DevOps organization.")]
[string]$adoOrg = "Adatum",
[Parameter(Mandatory=$true, HelpMessage="The Azure DevOps team project.")]
[string]$adoTeamProject,
[Parameter(Mandatory=$true, HelpMessage="The Azure DevOps repository.")]
[string]$adoRepo,
@ehrnst
ehrnst / appRegistrationSignIns.ps1
Last active February 7, 2024 12:37
Get sign in information for app registrations and service principals through EntraID/Log Analytics
<#
.SYNOPSIS
This script retrieves Azure Active Directory (AD) applications with expired secrets and checks their sign-in logs.
.DESCRIPTION
The script first retrieves all Azure AD applications using the Get-AzADApplication cmdlet. It then filters these applications to only include those where the password credential has expired more than 30 days ago and where there is only one password credential.
For each of these applications, the script retrieves the AppId and constructs three queries to check the sign-in logs for the last 30 days. The queries are for service principal sign-ins, non-interactive user sign-ins, and interactive sign-ins.
The script then executes these queries using the Invoke-AzOperationalInsightsQuery cmdlet and stores the results in three separate variables: $servicePrincipalSignins, $nonInteractiveSignins, and $interactiveSignins.
Finally, the script outputs the results of these queries.
@ehrnst
ehrnst / Azure-graph-partnerCenter-examples.ps1
Last active November 9, 2023 14:11
CSP Secure app model with Powershell
# Connect to partner center via refresh token
# Assuming the refresh token is stored securely, we have to get a new access token.
$clientId = {multi tenant app id}
$secret = {multi tenant app secret}
$partnerAccessTokenUri = "https://login.windows.net/$partnerTenant/oauth2/token"
$params = @{
resource = "https://api.partnercenter.microsoft.com";
grant_type = "refresh_token";
@ehrnst
ehrnst / start-policyRemediation.ps1
Created June 11, 2020 13:10
Create Azure policy set remediation task with powershell https://adatum.no/?p=6903
# in case you have multiple subscriptions...
select-azsubscription -SubscriptionName "SubscriptionName"
# get all non-compliant policies that can be remediated
$nonCompliantPolicies = Get-AzPolicyState | Where-Object { $_.ComplianceState -eq "NonCompliant" -and $_.PolicyDefinitionAction -eq "deployIfNotExists" }
# loop through and start individual tasks per policy
foreach ($policy in $nonCompliantPolicies) {
$remediationName = "rem." + $policy.PolicyDefinitionName
@ehrnst
ehrnst / reqCertFromTemplate.ps1
Last active July 12, 2023 13:55
Request and install a certificate from template using powershell
# Request the certificate through the template called "WebServer"
Get-Certificate -Template "WebServer" -DnsName "computername.fqdn" -CertStoreLocation cert:\LocalMachine\My -SubjectName "CN=computerName.fqdn, C=CountryCode, L=MyCity, O=Organization, OU=Department, S=State"
# After approval. Use request to download and install cert
$cert = (get-childItem -path cert:\LocalMachine\Request)
get-certificate -Request cert:\LocalMachine\Request\$cert
@ehrnst
ehrnst / azopenai-slack.ps1
Last active April 24, 2023 12:36
Azure OpenAI Slack summary using PowerShell
# slack test
$slackKey = Get-AzKeyVaultsecret -VaultName "" -Name "" -AsPlainText
$azOpenAiKey = Get-AzKeyVaultsecret -VaultName "" -Name "" -AsPlainText
$slackChannelId = ""
$slackThreadId = ""
$openAiUrl = ""
$slackUrl = "https://slack.com/api/conversations.replies?channel=$slackChannelId&ts=$slackThreadId&pretty=1"
$slackHeaders= @{
"Authorization" = "Bearer $slackKey"
@ehrnst
ehrnst / containertest.bicep
Created June 16, 2022 07:02
bicep alter params to sub modules
param storageAccountName string
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-09-01' = {
name: '${storageAccountName}/default/mycontainer'
}
@ehrnst
ehrnst / Get-PCAAppUserAuthenticationBearer.ps1
Last active December 23, 2022 01:12
Create a token to authenticate against microsoft partner center API as App + User
function Get-PCAppUserAuthenticationBearer {
<#
.SYNOPSIS
Function to retrieve App+User bearer token from Microsoft CSP API
.DESCRIPTION
This function connects to Azure AD to generate an oAuth token.
The acquired token is then used against the Partner Center REST API to generate an App+User JWT token. https://api.partnercenter.microsoft.com/generatetoken
You can read more about the authentication method here: https://msdn.microsoft.com/en-us/library/partnercenter/mt634709.aspx
.PARAMETER ClientID
@ehrnst
ehrnst / create-adappgithub.ps1
Created August 24, 2022 11:58
Adding Azure AD and github federated credentials
# creates an appregistration in Azure AD and connects it with a github repo
# use as an example only
[CmdletBinding()]
param (
[Parameter(Mandatory)]
[string]
$gitHubRepoName,
[Parameter(Mandatory)]
[string]
@ehrnst
ehrnst / get-resource-changes-from-rg-with-tag.kql
Created March 14, 2022 14:19
Azure resource graph resource changes
// get latest resource changes based on resource group tag
resourcechanges
| join kind= inner (
resourcecontainers
| where type =~ 'microsoft.resources/subscriptions/resourcegroups'
| where isnotempty(tags)
| where tags['key'] =~ 'value'
| project subscriptionId, resourceGroup)
on subscriptionId, resourceGroup
| extend changeTime = todatetime(properties.changeAttributes.timestamp),