Kristian Nese krnese
@krnese
krnese / policy using deployIfNotExists
Created November 17, 2019 15:23
Enforce Lighthouse delegation
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"policyDefinitionName": "Enable-Azure-Delegated-Resource-Management",
"rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
},
"resources": [
{
@krnese
krnese / Step-by-Step
Created December 4, 2019 15:14
Demo script - Lighthouse
# Demo script
# Login to the MSP tenant
Connect-AzAccount
# Select InspireProd (customer subscription for demo)
if ((Get-AzContext).Subscription.Name -ne "InspireProd")
{
Select-AzSubscription -SubscriptionName "InspireProd"
@krnese
krnese / PowerShell
Created January 7, 2020 17:33
ARM template deployment to tenant level
function New-AzTenantDeployment {
<#
1/1/2020 - Kristian Nese
In anticipation of updated SDKs, this function can be used to target ARM deployments to tenant scope
.Synopsis
Deploys Azure Resource Manager template to an Azure tenant
.Example
New-AzTenantDeployment -Name <name> -Location <location> -TemplateFile <path> -ParameterFile <path>
@krnese
krnese / PS Snippet
Created March 5, 2020 12:02
Read tenant level activity log
# Query Tenant Activity Log for the last 10 days
$GetDate = (Get-Date).AddDays((-10))
$dateFormatForQuery = $GetDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Getting Azure context for the API call
$currentContext = Get-AzContext
# fetching new token
@krnese
krnese / Get-AzMgHiearchy
Created March 19, 2020 12:17
List Mg hierarchy
function Get-AzMgHierarchy {
[cmdletbinding()]
param (
[string]$mgGroupId
)
# Getting Azure connection context for the signed in user
$currentContext = Get-AzContext
# fetching new token
@krnese
krnese / deploy log analytics
Created April 3, 2020 12:51
policy log analytics
{
"properties": {
"displayName": "Deploy Azure Log Analytics if not exist on subscription",
"mode": "All",
"policyType": "Custom",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"description": "Provide suffix for Log Analytics workspace that will be created per subscription"
{
"properties": {
"displayName": "Deploys Activity Logs to Log Analytics",
"policyType": "Custom",
"mode": "All",
"description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics",
"parameters": {
"logAnalytics": {
"type": "String",
"metadata": {
@krnese
krnese / policyResourceDeployment
Last active April 7, 2020 09:57
deploy resources from policy assignment
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":{},
"resources":[],
"outputs": {
"policyDefinitionTemplate": {
"value": "[reference('/subscriptions/4d6a661f-2192-5ef8-a377-ae79beb54f3c/providers/Microsoft.Authorization/policyDefinitions/09612efe-434f-4555-bd46-4ca7dcc4c709', '2018-05-01').policyRule.then.details.deployment.properties.template]",
"type": "object"
},
@krnese
krnese / mgPolicyOutput
Created April 7, 2020 11:06
policy resource deployment from mg
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":{},
"resources":[],
"outputs": {
"policyDefinitionTemplate": {
"value": "[reference('/subscriptions/4d6a661f-2192-5ef8-a377-ae79beb54f3c/providers/Microsoft.Authorization/policyDefinitions/614c4ec0-be43-4dd5-bd50-b21e570c4abb', '2018-05-01').policyRule.then.details.deployment.properties.template]",
"type": "object"
},
@krnese
krnese / gist:a1bb0679e9250ad2a3112e4a27498dde
Created April 14, 2020 15:22
ARM to trigger deployIfNotExist policies
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyDefinitionId": {
"type": "string"
},
"policyAssignmentId": {
"type": "string"
}