MapAz is a PowerShell module that helps you query your Azure tenants and map resources, identities and access into meaningful objects.
Join our |Zero| Labs Slack Community workspace for any questions, issues, or suggestions.
MapAz depends on the Az, Az.Resources and Az.Accounts modules (the Az rollup module already includes Az.Resources and Az.Accounts). To install, run the following from an elevated PowerShell session, or add -Scope CurrentUser to each Install-Module call to install without elevation:
Install-Module -Name Az
Install-Module -Name Az.Resources
Install-Module -Name Az.Accounts
Install-Module MapAz
MapAz assumes you are already logged in to your Azure tenant, and that your account has read permissions (for example the Reader or Security Reader role) on every subscription you need to analyze.
First, connect to your tenant with the appropriate account:
Connect-AzAccount
Next, collect access operations for all users:
$ua = Get-MapAzAllUsersAccess -Verbose
Each object in $ua describes a potential operation an account can perform on a resource or provider. Each object has the following fields:
- ResourceId : full resource path (the ARM resource ID)
- ResourceName : name of the resource
- ResourceType : shown as <Provider/resourceType>
- Operation : the operation the account is allowed to perform
- OperationType : Read, Write or Action
- UserId : object ID of the user
- UserName : display name of the user (if one exists)
- Plane : Control or Data plane
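The field list above is enough to build a first access report without any other tooling. The following function is an added example, not part of the MapAz module or its README: it consumes objects shaped like the ones in $ua and reports, per user, how many Write and Action operations they hold and on which resource types. The function name, the assumption that Plane holds the literal strings 'Control' or 'Data', and the constructed sample rows (including their ARM-style Operation strings) are all assumptions made for this example.

```powershell
# Added example, not part of the MapAz module: summarise the objects returned by
# Get-MapAzAllUsersAccess into a per-user view of Write/Action capability.
# Only the fields documented above are used: ResourceId, ResourceName,
# ResourceType, Operation, OperationType, UserId, UserName, Plane.

function Get-MapAzWriteAccessSummary {
    [CmdletBinding()]
    param(
        # Objects from Get-MapAzAllUsersAccess (or anything with the same fields)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$AccessObject,

        # Optional: keep only one plane. Assumes the Plane field holds the
        # literal strings 'Control' or 'Data'.
        [string]$Plane
    )
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($o in $AccessObject) { $rows.Add($o) } }
    end {
        # Read entries do not change state, so drop them for this view.
        $risky = $rows | Where-Object {
            $_.OperationType -in @('Write', 'Action') -and
            (-not $Plane -or $_.Plane -eq $Plane)
        }

        $risky | Group-Object -Property UserId | ForEach-Object {
            $group = $_.Group
            # UserName may be empty; take the first non-empty one in the group.
            $name  = ($group | Where-Object UserName | Select-Object -First 1).UserName
            [pscustomobject]@{
                UserId        = $_.Name
                UserName      = if ($name) { $name } else { '(no name)' }
                WriteOps      = @($group | Where-Object OperationType -eq 'Write').Count
                ActionOps     = @($group | Where-Object OperationType -eq 'Action').Count
                Resources     = @($group.ResourceId | Sort-Object -Unique).Count
                ResourceTypes = (@($group.ResourceType | Sort-Object -Unique) -join ', ')
            }
        } | Sort-Object -Property { $_.WriteOps + $_.ActionOps } -Descending
    }
}

# Constructed sample input (not real tenant data), shaped like the entries in $ua.
# The Operation strings follow the ARM provider-operation format; that format is
# an assumption about MapAz output, used only to make the sample look realistic.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
function New-SampleRow($Type, $Name, $Op, $OpType, $UserId, $UserName, $Plane) {
    [pscustomobject]@{
        ResourceId    = "$sub/resourceGroups/rg1/providers/$Type/$Name"
        ResourceName  = $Name
        ResourceType  = $Type
        Operation     = $Op
        OperationType = $OpType
        UserId        = $UserId
        UserName      = $UserName
        Plane         = $Plane
    }
}
$alice = '11111111-1111-1111-1111-111111111111'
$bob   = '22222222-2222-2222-2222-222222222222'
$sample = @(
    New-SampleRow 'Microsoft.KeyVault/vaults' 'kv1' 'Microsoft.KeyVault/vaults/read'  'Read'  $alice 'alice' 'Control'
    New-SampleRow 'Microsoft.KeyVault/vaults' 'kv1' 'Microsoft.KeyVault/vaults/write' 'Write' $alice 'alice' 'Control'
    New-SampleRow 'Microsoft.KeyVault/vaults' 'kv1' 'Microsoft.KeyVault/vaults/secrets/getSecret/action' 'Action' $bob $null 'Data'
    New-SampleRow 'Microsoft.Compute/virtualMachines' 'vm1' 'Microsoft.Compute/virtualMachines/runCommand/action' 'Action' $alice 'alice' 'Control'
)

# Offline run on the constructed rows; in a real session use $ua instead of $sample.
$sample | Get-MapAzWriteAccessSummary | Format-Table -AutoSize

# Data-plane-only view, e.g. who can read Key Vault secrets
$sample | Get-MapAzWriteAccessSummary -Plane Data | Format-Table -AutoSize
```

Pointed at $ua from a real session, the sorted output is a quick list of which identities can change state in the tenant, and -Plane Data narrows it to data-plane actions, which are the ones that reach secrets and data rather than resource configuration.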
By default, MapAz only collects resources that are returned by the ARM API. To also attempt to enumerate sub-resources, clear the script cache and rerun the resource collection with -ScanSubResources:
Clear-MapAzScriptCache
$resources = Get-MapAzResource -ScanSubResources