6.3.3

.azuredevops/pipelines/AzGovViz.variables.yml

@@ -1,4 +1,4 @@
-# Azure Governance Visualizer v6_major_20230904_1
+# Azure Governance Visualizer v6_major_20231022_1
 # First things first:
 # 1. Replace <YourServiceConnection> with the name of your service connection
 # 2. Replace <YourManagementGroupId> with the your ManagementGroupId
@@ -75,11 +75,31 @@ variables:
   - name: ScriptPrerequisites
     value: prerequisites.ps1
 
+  ## <--- AzAPICall parameters
+  ## Consult the AzAPICall GitHub repository for details aka.ms/AzAPICall
+
   # Enable Debug output
   - name: DebugAzAPICall
     # Switch | example: value: true
     value:
 
+  # Skip the AzAPICall Subscription Validation (only use in case you do not have any valid (quotaId != AAD_* & state != disabled) subscriptions in your tenant)
+  - name: AzAPICallSkipAzContextSubscriptionValidation
+    # Switch | example: value: true
+    value:
+
+  # Define the Subscription Id to use for AzContext (default is to use a random Subscription Id)
+  - name: SubscriptionId4AzContext
+    # String | example: value: "<your-Subscription-Id>"
+    value:
+
+  # Define the Tenant Id to use for AzContext (default is to use the Tenant Id from the current context)
+  - name: TenantId4AzContext
+    # String | example: value: "<your-Tenant-Id>"
+    value:
+
+  ## AzAPICall parameters --->
+
   # The world is split into two kind of delimiters - comma and semicolon - choose yours
   - name: CsvDelimiter
     # String | default = ';' | example: value: ';'
@@ -182,7 +202,7 @@ variables:
     # Switch | example: value: true
     value:
 
-  # Will not resolve Azure Active Directory Group memberships for Role assignments where identity type is 'Group'
+  # Will not resolve Microsoft Entra ID (AAD) Group memberships for Role assignments where identity type is 'Group'
   - name: NoAADGroupsResolveMembers
     # Switch | example: value: true
     value:
@@ -251,16 +271,6 @@ variables:
     # Switch | example: value: true
     value:
 
-  # Define the Subscription Id to use for AzContext (default is to use a random Subscription Id)
-  - name: SubscriptionId4AzContext
-    # String | example: value: "<your-Subscription-Id>"
-    value:
-
-  # Define the Tenant Id to use for AzContext (default is to use the Tenant Id from the current context)
-  - name: TenantId4AzContext
-    # String | example: value: "<your-Tenant-Id>"
-    value:
-
   # Define the number of script blocks running in parallel. Leveraging PowerShell Core´s parallel capability you can define the ThrottleLimit (default=5)
   - name: ThrottleLimit
     # Integer | Default = 10 | example: value: 11

history.md

@@ -4,6 +4,20 @@
 
 ### Azure Governance Visualizer version 6
 
+__Changes__ (2023-Oct-22 / 6.3.3 Minor)
+
+* introduce new optional parameter `-AzAPICallSkipAzContextSubscriptionValidation` [ref](https://aka.ms/AzAPICall)
+* update ARM API-version for RBAC Role definitions. Using `2022-05-01-preview` instead of `2018-11-01-preview`. This will show us 'conditions' [example](https://www.azadvertizer.net/azrolesadvertizer/8b54135c-b56d-4d72-a534-26097cfdc8d8.html)
+* update `/.azuredevops/pipelines/AzGovViz.variables.yml`
+  * add parameter `-AzAPICallSkipAzContextSubscriptionValidation` 
+  * structure AzAPICall related variables
+  * Azure Active Directory becomes Microsoft Entra ID
+* update README.md and setup.md
+  * OIDC for Azure DevOps
+  * update [API reference](#api-reference)
+  * Azure Active Directory becomes Microsoft Entra ID
+* use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.83
+
 __Changes__ (2023-Sep-12 / 6.3.2 Minor)
 
 * another fix for [AzAPICall issue43](https://github.com/JulianHayward/AzAPICall/issues/43). Use-case scenario will be documented in the near future. Kudos to Asbjørn Nielsen (fellowmind dk) @AsbjornNielsen

pwsh/AzGovVizParallel.ps1

@@ -43,7 +43,7 @@
     use this parameter if Resource Diagnostics Policy Lifecycle recommendations should not be created
 
 .PARAMETER NoAADGroupsResolveMembers
-    use this parameter if Azure Active Directory Group memberships should not be resolved for Role assignments where identity type is 'Group'
+    use this parameter if Microsoft Entra ID Group memberships should not be resolved for Role assignments where identity type is 'Group'
 
 .PARAMETER AADServicePrincipalExpiryWarningDays
     define Service Principal Secret and Certificate grace period (lifetime below the defined will be marked for warning / default is 14 days)
@@ -71,10 +71,10 @@
     Define the direction the Mermaid based HierarchyMap should be built TD (default) = TopDown (Horizontal), LR = LeftRight (Vertical)
 
 .PARAMETER SubscriptionId4AzContext
-    Define the Subscription Id to use for AzContext (default is to use a random Subscription Id)
+    Define the Subscription Id to use for AzContext (default is to use a random Subscription Id) #consult the AzAPICall GitHub repository for details aka.ms/AzAPICall
 
 .PARAMETER TenantId4AzContext
-    Define the Tenant Id to use for AzContext. Default is to use the Tenant Id from the current context
+    Define the Tenant Id to use for AzContext. Default is to use the Tenant Id from the current context #consult the AzAPICall GitHub repository for details aka.ms/AzAPICall
 
 .PARAMETER NoCsvExport
     Export enriched 'Role assignments' data, enriched 'Policy assignments' data and 'all resources' (subscriptionId, mgPath, resourceType, id, name, location, tags, createdTime, changedTime)
@@ -221,7 +221,7 @@
     Define if Resource Diagnostics Policy Lifecycle recommendations should not be created
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoResourceDiagnosticsPolicyLifecycle
 
-    Define if Azure Active Directory Group memberships should not be resolved for Role assignments where identity type is 'Group'
+    Define if Microsoft Entra ID Group memberships should not be resolved for Role assignments where identity type is 'Group'
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoAADGroupsResolveMembers
 
     Define Service Principal Secret and Certificate grace period (lifetime below the defined will be marked for warning / default is 14 days)
@@ -245,10 +245,10 @@
     Define the direction the Mermaid based HierarchyMap should be built in Markdown TD = TopDown (Horizontal), LR = LeftRight (Vertical)
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -MermaidDirection "LR"
 
-    Define the Subscription Id to use for AzContext (default is to use a random Subscription Id)
+    Define the Subscription Id to use for AzContext (default is to use a random Subscription Id) #consult the AzAPICall GitHub repository for details aka.ms/AzAPICall
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -SubscriptionId4AzContext "<your-Subscription-Id>"
 
-    Define the Tenant Id to use for AzContext (default is to use the Tenant Id from the current context)
+    Define the Tenant Id to use for AzContext (default is to use the Tenant Id from the current context) #consult the AzAPICall GitHub repository for details aka.ms/AzAPICall
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -TenantId4AzContext "<your-Tenant-Id>"
 
     Do not Export enriched 'Role assignments' data, enriched 'Policy assignments' data and 'all resources' (subscriptionId, mgPath, resourceType, id, name, location, tags, createdTime, changedTime)
@@ -365,13 +365,27 @@ Param
     $Product = 'AzGovViz',
 
     [string]
-    $AzAPICallVersion = '1.1.79',
+    $ProductVersion = '6.3.3',
 
     [string]
-    $ProductVersion = '6.3.2',
+    $GithubRepository = 'aka.ms/AzGovViz',
 
+    # <--- AzAPICall related parameters #consult the AzAPICall GitHub repository for details aka.ms/AzAPICall
     [string]
-    $GithubRepository = 'aka.ms/AzGovViz',
+    $AzAPICallVersion = '1.1.83',
+
+    [switch]
+    $DebugAzAPICall,
+
+    [switch]
+    $AzAPICallSkipAzContextSubscriptionValidation,
+
+    [string]
+    $SubscriptionId4AzContext = 'undefined',
+
+    [string]
+    $TenantId4AzContext = 'undefined',
+    # AzAPICall related parameters --->
 
     [string]
     $ScriptPath = 'pwsh', #e.g. 'myfolder\pwsh'
@@ -382,9 +396,6 @@ Param
     [switch]
     $AzureDevOpsWikiAsCode, #deprecated - Based on environment variables the script will detect the code run platform
 
-    [switch]
-    $DebugAzAPICall,
-
     [switch]
     $NoCsvExport,
 
@@ -468,12 +479,6 @@ Param
     [Alias('AzureDevOpsWikiHierarchyDirection')]
     [parameter(ValueFromPipeline)][ValidateSet('TD', 'LR')][string]$MermaidDirection = 'TD',
 
-    [string]
-    $SubscriptionId4AzContext = 'undefined',
-
-    [string]
-    $TenantId4AzContext = 'undefined',
-
     [int]
     $ChangeTrackingDays = 14,
 
@@ -616,7 +621,7 @@ Param
     $MSTenantIds = @('2f4a9838-26b7-47ee-be60-ccc1fdec5953', '33e01921-4d64-4f8c-a055-5bdaffd5e33d'),
 
     [array]
-    $ValidPolicyEffects = @('append', 'audit', 'auditIfNotExists', 'deny', 'deployIfNotExists', 'modify', 'manual', 'disabled', 'EnforceRegoPolicy', 'enforceSetting')
+    $ValidPolicyEffects = @('append', 'audit', 'auditIfNotExists', 'deny', 'denyAction', 'deployIfNotExists', 'modify', 'manual', 'disabled', 'EnforceRegoPolicy', 'enforceSetting')
 )
 
 $Error.clear()
@@ -2085,7 +2090,8 @@ function cacheBuiltIn {
         if ($builtInCapability -eq 'RoleDefinitions') {
             $currentTask = 'Caching built-in Role definitions'
             #Write-Host " $currentTask"
-            $uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/subscriptions/$($azAPICallConf['checkContext'].Subscription.Id)/providers/Microsoft.Authorization/roleDefinitions?api-version=2018-07-01&`$filter=type eq 'BuiltInRole'"
+            $uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/subscriptions/$($azAPICallConf['checkContext'].Subscription.Id)/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-05-01-preview&`$filter=type eq 'BuiltInRole'"
+            #$uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-05-01-preview&`$filter=type eq 'BuiltInRole'"
             $method = 'GET'
             $requestRoleDefinitionAPI = AzAPICall -AzAPICallConfiguration $azAPICallConf -uri $uri -method $method -currentTask $currentTask
 
@@ -25011,7 +25017,7 @@ extensions: [{ name: 'sort' }]
 
     #region tenantSummaryAAD
     [void]$htmlTenantSummary.AppendLine(@'
-<button type="button" class="collapsible" id="tenantSummaryAAD"><hr class="hr-textAAD" data-content="Azure Active Directory" /></button>
+<button type="button" class="collapsible" id="tenantSummaryAAD"><hr class="hr-textAAD" data-content="Microsoft Entra ID" /></button>
 <div class="content TenantSummaryContent">
 <i class="padlx fa fa-lightbulb-o" aria-hidden="true"></i> <span class="info">Check out <b>AzADServicePrincipalInsights</b></span> <a class="externallink" href="https://aka.ms/azadserviceprincipalinsights" target="_blank" rel="noopener">GitHub <i class="fa fa-external-link" aria-hidden="true"></i></a><br>
 <i class="padlx fa fa-lightbulb-o" aria-hidden="true"></i> <span class="info">Demystifying Service Principals - Managed Identities</span> <a class="externallink" href="https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/" target="_blank" rel="noopener">devBlogs <i class="fa fa-external-link" aria-hidden="true"></i></a><br>
@@ -33783,22 +33789,23 @@ verifyModules3rd -modules $modules
 #Region initAZAPICall
 Write-Host "Initialize 'AzAPICall'"
 $parameters4AzAPICallModule = @{
-    DebugAzAPICall           = $DebugAzAPICall
-    SubscriptionId4AzContext = $SubscriptionId4AzContext
-    TenantId4AzContext       = $TenantId4AzContext
-    GithubRepository         = $GithubRepository
+    DebugAzAPICall                      = $DebugAzAPICall
+    SubscriptionId4AzContext            = $SubscriptionId4AzContext
+    TenantId4AzContext                  = $TenantId4AzContext
+    GithubRepository                    = $GithubRepository
+    SkipAzContextSubscriptionValidation = $AzAPICallSkipAzContextSubscriptionValidation
 }
 $azAPICallConf = initAzAPICall @parameters4AzAPICallModule
 Write-Host " Initialize 'AzAPICall' succeeded" -ForegroundColor Green
 #EndRegion initAZAPICall
 
 #region required AzAPICall version
-if (-not ([System.Version]"$($azapicallConf['htParameters'].azAPICallModuleVersion)" -ge [System.Version]'1.1.79')) {
+if (-not ([System.Version]"$($azapicallConf['htParameters'].azAPICallModuleVersion)" -ge [System.Version]'1.1.83')) {
     Write-Host 'AzAPICall version check failed -> https://aka.ms/AzAPICall; https://www.powershellgallery.com/packages/AzAPICall'
-    throw "This version of Azure Governance Visualizer ($ProductVersion) requires AzAPICall module version 1.1.79 or greater"
+    throw "This version of Azure Governance Visualizer ($ProductVersion) requires AzAPICall module version 1.1.83 or greater"
 }
 else {
-    Write-Host "AzAPICall module version requirement check succeeded: 1.1.79 or greater - current: $($azapicallConf['htParameters'].azAPICallModuleVersion) " -ForegroundColor Green
+    Write-Host "AzAPICall module version requirement check succeeded: 1.1.83 or greater - current: $($azapicallConf['htParameters'].azAPICallModuleVersion) " -ForegroundColor Green
 }
 #endregion required AzAPICall version
 
@@ -34076,7 +34083,32 @@ if (-not $HierarchyMapOnly) {
     cacheBuiltIn
     showMemoryUsage
 
+    if ($subsToProcessInCustomDataCollection.count -eq 0) {
+        Write-Host '--- Info ---' -ForegroundColor Yellow
+        Write-Host '--- Seems this tenant has no subscriptions. Activating parameter -ManagementGroupsOnly' -ForegroundColor Yellow
+        $ManagementGroupsOnly = $true
+        $script:azAPICallConf['htParameters'].ManagementGroupsOnly = $true
+    }
     if (-not $ManagementGroupsOnly) {
+
+        #region sanity check / AzContext has subscription
+        if (-not $azAPICallConf['checkcontext'].Subscription.Id) {
+            Write-Host '--- Sanity check ---' -ForegroundColor Yellow
+            Write-Host 'Current AzContext has no subscription:' -ForegroundColor Yellow
+            Write-Host ($azAPICallConf['checkcontext'] | Select-Object -ExcludeProperty Environment, ExtendedProperties | ConvertTo-Json -Depth 99)
+            if ($AzAPICallSkipAzContextSubscriptionValidation) {
+                Write-Host 'You have enabled the parameter -AzAPICallSkipAzContextSubscriptionValidation' -ForegroundColor Yellow
+                Write-Host "Please use the parameter -SubscriptionId4AzContext '<subscriptionId>'" -ForegroundColor Yellow
+                throw
+            }
+            else {
+                Write-Host 'You have NOT enabled the parameter -AzAPICallSkipAzContextSubscriptionValidation, but somehow reached this point in the script.' -ForegroundColor Yellow
+                Write-Host "Please use the parameter -SubscriptionId4AzContext '<subscriptionId>'" -ForegroundColor Yellow
+                throw
+            }
+        }
+        #endregion sanity check / AzContext has subscription
+
         #region Getting Tenant Resource Providers
         $startGetRPs = Get-Date
         $currentTask = 'Getting Tenant Resource Providers'