v6_major_20221004_1

README.md

@@ -59,17 +59,12 @@ Listed as [security monitoring tool](https://docs.microsoft.com/en-us/azure/arch
 
 ## Release history
 
-__Changes__ (2022-Sep-30 / Major)
-
-* Fix issue #135 
-  * Embedded GitHub Actions OIDC (Open ID Connect) specific functionality to reconnect and get new token ([AzAPICall](https://aka.ms/AzAPICall))
-  * New parameter `-GitHubActionsOIDC` which is only to be used for GitHub Actions `/.github/workflows/AzGovViz_OIDC.yml`
-  * Updated `/.github/workflows/AzGovViz_OIDC.yml` to use the new parameter `-GitHubActionsOIDC`
-* Fix issue #136
-  * Handle return for Storage Accounts located in managed Resource Groups  
-  🌸 Call for contribution: Please review the list of known [managed Resource Groups](https://github.com/JulianHayward/AzSchnitzels/blob/main/info/managedResourceGroups.txt) and contribute if you can, thanks!
-* Added missing variable `NoStorageAccountAccessAnalysis` in `.azuredevops/pipelines/AzGovViz.variables.yml`
-* Use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.30
+__Changes__ (2022-Oct-04 / Major)
+
+* New feature to report on Microsoft Defender for Cloud Email notifications configuration for Subscriptions. Data is provided in the HTML __TenantSummary__ (Subscriptions, Resources & Defender) and __ScopeInsights__
+  * Updated [API reference](#api-reference)
+* Further enrich Subscription insights __TenantSummary__ (Subscriptions, Resources & Defender) - Owner & User Access Administrator Role assignment count (at scope) direct and indirect, plus PIM eligibility count
+* Use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.31
 
 Passed tests: Powershell Core 7.2.6 on Windows  
 Passed tests: Powershell Core 7.2.6 Azure DevOps hosted agent ubuntu-20.04  
@@ -183,7 +178,15 @@ Short presentation on AzGovViz [[download](slides/AzGovViz_intro.pdf)]
   * Hierarchy Settings | Require authorization for Management Group creation
 * __Subscriptions, Resources & Defender__
   * Subscription insights
-    * QuotaId, State, Tags, Microsoft Defender for Cloud Secure Score, Cost, Management Group path, Role assignment limit, enabled Preview features
+    * State
+    * QuotaId
+    * Role assignment limit
+    * Tags
+    * Owner & User Access Administrator Role assignment count (at scope) direct and indirect plus PIM eligibility count
+    * Microsoft Defender for Cloud Secure Score
+    * Microsoft Defender for Cloud Email noticifications configuration
+    * Cost
+    * Management Group path
   * Tag Name usage
     * Insights on usage of Tag Names on Subscriptions, ResourceGroups and Resources
   * Resources
@@ -538,6 +541,7 @@ AzGovViz polls the following APIs
 | ARM | 2020-06-01 | /subscriptions/`subscriptionId`/providers/Microsoft.Resources/tags/default |
 | ARM | 2018-06-01 | /subscriptions/`subscriptionId`/providers/Microsoft.Security/pricings |
 | ARM | 2020-01-01 | /subscriptions/`subscriptionId`/providers/Microsoft.Security/securescores |
+| ARM | 2020-01-01-preview | /subscriptions/`subscriptionId`/providers/Microsoft.Security/securityContacts |
 | ARM | 2019-10-01 | /subscriptions/`subscriptionId`/providers |
 | ARM | 2021-04-01 | /subscriptions/`subscriptionId`/resourcegroups |
 | ARM | 2021-04-01 | /subscriptions/`subscriptionId`/resources |

history.md

@@ -4,6 +4,13 @@
 
 ### AzGovViz version 6
 
+__Changes__ (2022-Oct-04 / Major)
+
+* New feature to report on Microsoft Defender for Cloud Email notifications configuration for Subscriptions. Data is provided in the HTML __TenantSummary__ (Subscriptions, Resources & Defender) and __ScopeInsights__
+  * Updated [API reference](#api-reference)
+* Further enrich Subscription insights __TenantSummary__ (Subscriptions, Resources & Defender) - Owner & User Access Administrator Role assignment count (at scope) direct and indirect, plus PIM eligibility count
+* Use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.31
+
 __Changes__ (2022-Sep-30 / Major)
 
 * Fix issue #135 

pwsh/dev/devAzGovVizParallel.ps1

@@ -337,10 +337,10 @@ Param
     $Product = 'AzGovViz',
 
     [string]
-    $AzAPICallVersion = '1.1.30',
+    $AzAPICallVersion = '1.1.31',
 
     [string]
-    $ProductVersion = 'v6_major_20220930_2',
+    $ProductVersion = 'v6_major_20221004_1',
 
     [string]
     $GithubRepository = 'aka.ms/AzGovViz',
@@ -875,6 +875,7 @@ if ($azAPICallConf['htParameters'].HierarchyMapOnly -eq $false) {
     $htDoARMRoleAssignmentScheduleInstances.Do = $true
     $storageAccounts = [System.Collections.ArrayList]::Synchronized((New-Object System.Collections.ArrayList))
     $arrayStorageAccountAnalysisResults = [System.Collections.ArrayList]::Synchronized((New-Object System.Collections.ArrayList))
+    $htDefenderEmailContacts = [System.Collections.Hashtable]::Synchronized((New-Object System.Collections.Hashtable))
 }
 
 if (-not $HierarchyMapOnly) {

pwsh/dev/functions/dataCollection/dataCollectionFunctions.ps1

@@ -58,6 +58,77 @@ function dataCollectionDefenderPlans {
 }
 $funcDataCollectionDefenderPlans = $function:dataCollectionDefenderPlans.ToString()
 
+function dataCollectionDefenderEmailContacts {
+    [CmdletBinding()]Param(
+        [string]$scopeId,
+        [string]$scopeDisplayName,
+        $SubscriptionQuotaId
+    )
+
+    $currentTask = "Getting Microsoft Defender for Cloud Email contacts for Subscription: '$($scopeDisplayName)' ('$scopeId') [quotaId:'$SubscriptionQuotaId']"
+    #https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings
+    $uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/subscriptions/$($scopeId)/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview"
+    $method = 'GET'
+    $defenderSecurityContactsResult = AzAPICall -AzAPICallConfiguration $azAPICallConf -uri $uri -method $method -listenOn 'Content' -currentTask $currentTask -caller 'CustomDataCollection'
+
+    if ($defenderSecurityContactsResult -eq 'SubScriptionNotRegistered' -or $defenderSecurityContactsResult -eq 'DisallowedProvider') {
+    }
+    else {
+        if ($defenderSecurityContactsResult.Count -gt 0) {
+            foreach ($entry in $defenderSecurityContactsResult) {
+
+                if ($entry.properties) {
+                    if ($entry.properties.notificationsByRole.roles.count -gt 0) {
+                        $roles = ($entry.properties.notificationsByRole.roles | Sort-Object) -join "$CsvDelimiterOpposite "
+                    }
+                    else {
+                        $roles = 'none'
+                    }
+
+                    if ($entry.properties.emails) {
+                        if (-not [string]::IsNullOrWhiteSpace($entry.properties.emails)) {
+                            $emailsSplitted = $entry.properties.emails -split ';'
+                            $arrayEmails = @()
+                            foreach ($email in $emailsSplitted) {
+                                $arrayEmails += "'$email'"
+                            }
+                            $emails = ($arrayEmails | Sort-Object) -join "$CsvDelimiterOpposite "
+                        }
+                        else {
+                            $emails = $entry.properties.emails
+                        }
+                    }
+                    else {
+                        $emails = 'none'
+                    }
+
+                    if ($entry.properties.alertNotifications.state) {
+                        $alertNotificationsState = $entry.properties.alertNotifications.state
+                    }
+
+                    if ($entry.properties.alertNotifications.minimalSeverity) {
+                        $alertNotificationsminimalSeverity = $entry.properties.alertNotifications.minimalSeverity
+                    }
+                }
+                else {
+                    $roles = 'n/a'
+                    $emails = 'n/a'
+                    $alertNotificationsState = 'n/a'
+                    $alertNotificationsminimalSeverity = 'n/a'
+                }
+
+                $script:htDefenderEmailContacts.($scopeId) = @{
+                    emails                            = $emails
+                    roles                             = $roles
+                    alertNotificationsState           = $alertNotificationsState
+                    alertNotificationsminimalSeverity = $alertNotificationsminimalSeverity
+                }
+            }
+        }
+    }
+}
+$funcDataCollectionDefenderEmailContacts = $function:dataCollectionDefenderEmailContacts.ToString()
+
 function dataCollectionDiagnosticsSub {
     [CmdletBinding()]Param(
         [string]$scopeId,

pwsh/dev/functions/html/htmlFunctions.ps1

@@ -234,7 +234,7 @@ function processScopeInsights($mgChild, $mgChildOf) {
 <button type="button" class="collapsible" id="table_$mgId">$levelSpacing<img class="imgMg $($classDefaultMG)" src="https://www.azadvertizer.net/azgovvizv4/icon/Icon-general-11-Management-Groups.svg"> <span class="valignMiddle">$mgNameAndOrId $subInfo</span></button>
 <div class="content">
 <table class="bottomrow">
-<tr><td class="detailstd"><p><a href="#hierarchy_$mgId"><i class="fa fa-eye" aria-hidden="true"></i> <i>Highlight Management Group in HierarchyMap</i></a></p></td></tr>
+<tr><td class="detailstd"><p><a href="#hierarchy_$mgId"><i class="fa fa-eye" aria-hidden="true" style="color: #0078df"></i> <i>Highlight Management Group in HierarchyMap</i></a></p></td></tr>
 "@
         if ($mgId -eq $defaultManagementGroupId) {
             $script:html += @'
@@ -300,7 +300,7 @@ function processScopeInsightsMGSubs($mgChild) {
             if (-not $NoScopeInsights) {
                 $script:html += @"
                 <table class="subTable">
-                <tr><td class="detailstd"><p><a href="#hierarchySub_$mgChild"><i class="fa fa-eye" aria-hidden="true"></i> <i>Highlight Subscription in HierarchyMap</i></a></p></td></tr>
+                <tr><td class="detailstd"><p><a href="#hierarchySub_$mgChild"><i class="fa fa-eye" aria-hidden="true" style="color: #0078df"></i> <i>Highlight Subscription in HierarchyMap</i></a></p></td></tr>
 "@
             }
 

pwsh/dev/functions/processDataCollection.ps1

@@ -352,6 +352,7 @@ function processDataCollection {
                 $alzPolicyHashes = $using:alzPolicyHashes
                 $alzPolicySetHashes = $using:alzPolicySetHashes
                 $htDoARMRoleAssignmentScheduleInstances = $using:htDoARMRoleAssignmentScheduleInstances
+                $htDefenderEmailContacts = $using:htDefenderEmailContacts
                 #other
                 $function:addRowToTable = $using:funcAddRowToTable
                 $function:namingValidation = $using:funcNamingValidation
@@ -378,6 +379,7 @@ function processDataCollection {
                 $function:dataCollectionRoleDefinitions = $using:funcDataCollectionRoleDefinitions
                 $function:dataCollectionRoleAssignmentsSub = $using:funcDataCollectionRoleAssignmentsSub
                 $function:dataCollectionClassicAdministratorsSub = $using:funcDataCollectionClassicAdministratorsSub
+                $function:dataCollectionDefenderEmailContacts = $using:funcDataCollectionDefenderEmailContacts
                 #endregion UsingVARs
 
                 $addRowToTableDone = $false
@@ -430,6 +432,9 @@ function processDataCollection {
                         }
                         DataCollectionDefenderPlans @baseParameters @dataCollectionDefenderPlansParameters
 
+                        #defenderEmailContacts
+                        DataCollectionDefenderEmailContacts @baseParameters
+
                         #diagnostics
                         $dataCollectionDiagnosticsSubParameters = @{
                             ChildMgMgPath = $childMgMgPath