Jesse Loudon jesseloudon

## ADFS_ClaimRule_NameID_SPNameQualifier.txt
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "insertValueHere");

## ADFS_ClaimRule_EmailAddress.txt
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

## ADFS_ClaimRule_NameID.txt
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

## BitLocker-ActivateOnShutdown.ps1
#Check BitLocker prerequisites
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive | where {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue
$BLVS = Get-BitLockerVolume | Where-Object {$_.KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}} -ErrorAction SilentlyContinue


#Step 1 - Check if TPM is enabled and initialise if required

## AzureProximityPlacementGroup-Demo.azcli
az login
az account set -s "SUBSCRIPTIONID"
az account show -o json

#pre/post deployment discovery - if desired
az group list -o table
az vm availability-set list -o table
az network vnet list -o table
az storage account list -o table
az ppg list -o table

## VNET-AZCLI.azcli
#AuthN
az login

#Create RG
az group create -n "VNET-AZCLI-RG" -l "Australia East"

#Create Hub VNET
az network vnet create -n "msft-hub-vnet" --address-prefix "10.0.0.0/16" --subnet-name "firewall" --subnet-prefix "10.0.1.0/24" --dns-servers "10.0.2.4" "10.0.2.5" "168.63.129.16" --tags department="Central IT" managedBy="Admins" -g "VNET-AZCLI-RG"
az network vnet subnet create -n "ad" --address-prefix "10.0.2.0/24" --vnet-name "msft-hub-vnet" -g "VNET-AZCLI-RG"
az network vnet subnet create -n "mgmt" --address-prefix "10.0.3.0/24" --vnet-name "msft-hub-vnet" -g "VNET-AZCLI-RG"

## VNET-AZBB.json
{
    "$schema": "https://raw.githubusercontent.com/mspnp/template-building-blocks/master/schemas/buildingBlocks.json",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "buildingBlocks": {
            "value": [
                {
                    "type": "VirtualNetwork",
                    "settings": [
                        {

## VNET-AZBB.azcli
#AuthN
az login

#AZBB Deploy VNETs
azbb -g "VNET-AZBB-RG" -s "your-subscription-id" -l "your-azurelocation" -p "C:\Temp\Scripts\VNET-AZBB.json" --deploy

## AuditRoleAssignmentType.json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {

## AzureRoleAssignmentCleanup.ps1
#AuthN
Connect-AzAccount

#Set Your Subscription ID
Set-AzContext -SubscriptionId "XXXXX-XXXXX-XXXXX-XXXXXX-XXXXXX"

#Common Variables
$FILEPATH = "C:\Temp"
$FILENAME = "AzureRoleAssignmentsToRemove.csv"
$SUBNAME = "SUBSCRIPTIONNAME"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
	=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
	c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
	=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
	#Check BitLocker prerequisites
	$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm \| where {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue
	$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm \| where {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue
	$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
	$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
	$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive \| where {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue
	$BLVS = Get-BitLockerVolume \| Where-Object {$_.KeyProtector \| Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}} -ErrorAction SilentlyContinue


	#Step 1 - Check if TPM is enabled and initialise if required
	az login
	az account set -s "SUBSCRIPTIONID"
	az account show -o json

	#pre/post deployment discovery - if desired
	az group list -o table
	az vm availability-set list -o table
	az network vnet list -o table
	az storage account list -o table
	az ppg list -o table
	#AuthN
	az login

	#Create RG
	az group create -n "VNET-AZCLI-RG" -l "Australia East"

	#Create Hub VNET
	az network vnet create -n "msft-hub-vnet" --address-prefix "10.0.0.0/16" --subnet-name "firewall" --subnet-prefix "10.0.1.0/24" --dns-servers "10.0.2.4" "10.0.2.5" "168.63.129.16" --tags department="Central IT" managedBy="Admins" -g "VNET-AZCLI-RG"
	az network vnet subnet create -n "ad" --address-prefix "10.0.2.0/24" --vnet-name "msft-hub-vnet" -g "VNET-AZCLI-RG"
	az network vnet subnet create -n "mgmt" --address-prefix "10.0.3.0/24" --vnet-name "msft-hub-vnet" -g "VNET-AZCLI-RG"
	{
	"$schema": "https://raw.githubusercontent.com/mspnp/template-building-blocks/master/schemas/buildingBlocks.json",
	"contentVersion": "1.0.0.0",
	"parameters": {
	"buildingBlocks": {
	"value": [
	{
	"type": "VirtualNetwork",
	"settings": [
	{
	#AuthN
	az login

	#AZBB Deploy VNETs
	azbb -g "VNET-AZBB-RG" -s "your-subscription-id" -l "your-azurelocation" -p "C:\Temp\Scripts\VNET-AZBB.json" --deploy
	{
	"mode": "All",
	"policyRule": {
	"if": {
	"allOf": [
	{
	"field": "type",
	"equals": "Microsoft.Authorization/roleAssignments"
	},
	{
	#AuthN
	Connect-AzAccount

	#Set Your Subscription ID
	Set-AzContext -SubscriptionId "XXXXX-XXXXX-XXXXX-XXXXXX-XXXXXX"

	#Common Variables
	$FILEPATH = "C:\Temp"
	$FILENAME = "AzureRoleAssignmentsToRemove.csv"
	$SUBNAME = "SUBSCRIPTIONNAME"