Friday, March 16, 2018

Reporting on Azure Application Security Groups

In my last two posts we looked at Azure Application Security Groups. The goal of this post is a small PowerShell script that audits which application security groups are assigned to each NIC resource, so you can report on the assignments across a subscription or resource group instead of inspecting NICs one at a time.

The script below walks each NIC, inspects every entry in its IpConfigurations, and lists any application security groups attached to those IP configurations. A NIC whose column comes back empty belongs to no ASG, which is the finding an audit cares about: NSG rules whose source or destination is an ASG never match that NIC.

The script is a little rough, but it does the trick for now. (It uses the AzureRM cmdlets current when this was written; the Az module equivalents are Connect-AzAccount, Get-AzNetworkInterface and Get-AzResource.) Enjoy!


param(
    [Parameter(Mandatory=$true)]
    [string]$subscriptionId,
    [string]$resourceGroupName
)

# Reuse the current session if it is already bound to the requested
# subscription; otherwise (no context at all, or a different subscription) log in.
"Authenticating to Azure..."
try
{
    $azureLogin = Get-AzureRmContext
    if ($azureLogin.Subscription.Id -ne $subscriptionId) {
        $azureLogin   # show the mismatched context before forcing a new login
        throw "This session is NOT logged in with the subscription id $subscriptionId"
    }
}
catch
{
    Login-AzureRmAccount -SubscriptionId $subscriptionId
}

# Scope to one resource group if given, otherwise every NIC in the subscription.
if ($resourceGroupName) {
    $nics = Get-AzureRmNetworkInterface -ResourceGroupName $resourceGroupName
} else {
    $nics = Get-AzureRmNetworkInterface
}

$nicObjects = @()

foreach ($nic in $nics) {
    $applicationSecurityGroups = @()
    # ApplicationSecurityGroups hangs off each IP configuration; member
    # enumeration flattens them across all configurations of the NIC.
    # An empty result means the NIC is in no ASG.
    foreach ($secGroup in $nic.IpConfigurations.ApplicationSecurityGroups) {
        # Resolve the ASG resource id to its resource group and name for display.
        $secGroupResource = Get-AzureRmResource -ResourceId $secGroup.Id
        $applicationSecurityGroups += "{0}/{1}" -f $secGroupResource.ResourceGroupName, $secGroupResource.Name
    }
    $nicObjects += [PSCustomObject]@{
        "name"                        = $nic.Name
        "Application Security Groups" = $applicationSecurityGroups
    }
}

$nicObjects | Format-Table
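The script above answers "which ASGs does this NIC have?". For an audit the inverse view is just as useful: which NICs sit behind each ASG, and which NICs are in no ASG at all. The following is an added example, not the original post's script. It parses the resource group and ASG name out of the standard ARM resource id (/subscriptions/.../resourceGroups/<rg>/providers/Microsoft.Network/applicationSecurityGroups/<name>) instead of calling Get-AzureRmResource once per assignment, and it runs offline against a constructed set of NIC-shaped objects; the NIC and ASG names and the subscription id in the sample are hypothetical.

```powershell
# Added example (not the original post's script). Builds the inverse report
# (ASG -> member NICs) from objects shaped like Get-AzureRmNetworkInterface
# output and flags NICs that belong to no ASG.
function Get-AsgMembershipReport {
    param(
        [Parameter(Mandatory=$true)]
        [object[]]$Nics
    )

    # Resource group and ASG name are the last two path segments of the ARM id.
    $idPattern = '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Network/applicationSecurityGroups/(?<name>[^/]+)$'

    $members   = @{}   # "rg/asgName" -> array of NIC names
    $unguarded = @()   # NICs with no ASG on any IP configuration

    foreach ($nic in $Nics) {
        $asgs = @()
        foreach ($ipConfig in $nic.IpConfigurations) {
            foreach ($asg in $ipConfig.ApplicationSecurityGroups) {
                if ($asg.Id -match $idPattern) {
                    $asgs += "{0}/{1}" -f $Matches.rg, $Matches.name
                } else {
                    Write-Warning ("{0}: unrecognised ASG id '{1}'" -f $nic.Name, $asg.Id)
                }
            }
        }
        if ($asgs.Count -eq 0) {
            $unguarded += $nic.Name
            continue
        }
        # A NIC with several IP configurations may repeat the same ASG; count it once.
        foreach ($key in ($asgs | Sort-Object -Unique)) {
            if (-not $members.ContainsKey($key)) { $members[$key] = @() }
            $members[$key] += $nic.Name
        }
    }

    [PSCustomObject]@{
        ByGroup = $members
        NoGroup = $unguarded
    }
}

# Helper for the constructed sample below: one NIC with the given ASG ids.
function New-SampleNic([string]$Name, [string[]]$AsgIds) {
    [PSCustomObject]@{
        Name             = $Name
        IpConfigurations = @(
            [PSCustomObject]@{
                ApplicationSecurityGroups = @($AsgIds | ForEach-Object { [PSCustomObject]@{ Id = $_ } })
            }
        )
    }
}

# Constructed sample input with hypothetical names and a placeholder subscription id.
$prefix = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Network/applicationSecurityGroups/'
$sampleNics = @(
    (New-SampleNic -Name 'web01-nic' -AsgIds @("${prefix}web-asg")),
    (New-SampleNic -Name 'web02-nic' -AsgIds @("${prefix}web-asg", "${prefix}mgmt-asg")),
    (New-SampleNic -Name 'db01-nic'  -AsgIds @("${prefix}db-asg")),
    (New-SampleNic -Name 'jump01-nic' -AsgIds @())   # no ASG at all
)

$report = Get-AsgMembershipReport -Nics $sampleNics

$report.ByGroup.GetEnumerator() | Sort-Object Key | ForEach-Object {
    [PSCustomObject]@{
        'Application Security Group' = $_.Key
        'Member NICs'                = ($_.Value -join ', ')
    }
} | Format-Table -AutoSize

if ($report.NoGroup.Count -gt 0) {
    "NICs in no ASG (never matched by an ASG-scoped NSG rule): " + ($report.NoGroup -join ', ')
}

# Against a real subscription, feed the live NICs in instead of the sample:
#   $report = Get-AsgMembershipReport -Nics (Get-AzureRmNetworkInterface)
```

The regex parse relies on the fixed ARM id layout, so a malformed id produces a warning rather than a silent miss; parsing also keeps the report to one API call for the NIC listing instead of one extra call per ASG assignment.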