
Azure Governance Visualizer


Hello everyone,

In this post I will show how to use Azure Governance Visualizer, also known as AzGovViz. It is a set of scripts that helps you better understand your Azure environment in terms of AD, groups, and so on.

Versions used

AzGovViz: 6.6.3
PowerShell: 7.3.12

Before starting the test, we need to explain the scenario: to run the script that collects the information, PowerShell must be installed; the script must be run as a user or a service account with privileges to read the information in Azure; and finally, I recommend running this script in a controlled environment that has access only to the Azure API.

Now let's run the script:

1- Download the script directly from the repository: https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/blob/master/pwsh/AzGovVizParallel.ps1 and log in to Azure using the Connect-AzAccount cmdlet

2- Run the script using the PowerShell of your choice; in my case I am using the Core edition

./AzGovVizParallel.ps1

If this is the first time you run the script, it will ask you to install the AzAPICall module directly from the PowerShell Gallery; type y to install it.

./AzGovVizParallel.ps1
Start Azure Governance Visualizer (aka AzGovViz) 02-May-2025 15:24:46 (#6.6.3)
Checking PowerShell edition and version
PS check passed : (Major[7]; Minor[3] gt 0); (minimum supported version '7.0.3')
PS Edition: Core; PS Version: 7.3.12
PS Version check succeeded
Output/Files will be created in path '/AzGovViz/.'
Verify 'AzAPICall' version '1.2.4'
Verify 'AzAPICall' version '1.2.4' succeeded
Initialize 'AzAPICall'
AzAPICall 1.2.4
Check required Az modules cmdlets
Az PS module supporting cmdlet 'Get-AzContext' installed
Az Module Az.Accounts Version: 2.12.4
Required Az modules cmdlets check succeeded
Create htParameters
codeRunPlatform: Console
AzAPICall debug disabled
AzAPICall htParameters:

Name                                  Value
----                                  -----
onAzureDevOpsOrGitHubActions          False
azAccountsVersion                     2.12.4
onGitHubActions                       False
psVersion                             7.3.12
onAzureDevOps                         False
subscriptionId4AzContext              undefined
gitHubRepository                      aka.ms/AzGovViz
codeRunPlatform                       Console
writeMethod                           Host
tenantId4AzContext                    undefined
debugAzAPICall                        False
debugWriteMethod                      Host
skipAzContextSubscriptionValidation   False
azAPICallModuleVersion                1.2.4


Create htParameters succeeded
Get Az context
Azure cloud environment: AzureCloud
Get Az context succeeded
Set environment endPoint url mapping
Check endpoint: 'ARM'; endpoint url: 'https://management.azure.com/'
Check endpoint: 'KeyVault'; endpoint url: 'https://vault.azure.net'
Check endpoint: 'LogAnalytics'; endpoint url: 'https://api.loganalytics.io'
Check endpoint: 'MicrosoftGraph'; endpoint url: 'https://graph.microsoft.com'
Check endpoint: 'Login'; endpoint url: 'https://login.microsoftonline.com'
Check endpoint: 'Storage'; endpoint url: '.core.windows.net'
Add to endpoint: 'Storage'; endpoint url: '.storage.azure.net'
Auth endpoint for 'Storage': 'https://storage.azure.com'
Set endpoint: 'Kusto'; endpoint url: '.kusto.windows.net'
Set endpoint: 'MonitorIngest'; endpoint url: '.ingest.monitor.azure.com'
Auth endpoint for 'MonitorIngest': 'https://monitor.azure.com'
Set environment endPoint url mapping succeeded
Check Az context
Az context AccountId: ''
Az context AccountType: 'User'
Az context related parameters: -SubscriptionId4AzContext=='undefined'; -TenantId4AzContext=='undefined'; -SkipAzContextSubscriptionValidation=='False'
Check Subscription: '' (criteria: quotaId notLike 'AAD*'; state==enabled)
+Processing new bearer token request 'ARM' "https://management.azure.com"
+Bearer token 'ARM': [tokenRequestProcessed: '05/02/2025 15:24:47']; [expiryDateTime: '05/02/2025 16:41:14']; [timeUntilExpiry: '01:16:26.5719007']
Subscription check succeeded - quotaId: ''; state: Enabled
Az context Tenant: ''
Az context Subscription: 'A ()' (state: Enabled)
Az context check succeeded
Check AAD UserType
+Processing new bearer token request 'MicrosoftGraph' "https://graph.microsoft.com"
+Bearer token 'MicrosoftGraph': [tokenRequestProcessed: '05/02/2025 15:24:54']; [expiryDateTime: '05/02/2025 16:20:33']; [timeUntilExpiry: '00:55:38.7602629']
AAD UserType: Member; AAD identityId:
AAD UserType check succeeded
Get ARM locations
Get ARM locations succeeded (locations count: '97')
58 physical ARM locations found
Initialize 'AzAPICall' succeeded
Setting $ignoreARMLocation to $false

Check if provided parameter value for -ARMLocation 'westeurope' is valid
Parameter value for -ARMLocation 'westeurope' is valid

Azure Governance Visualizer version '6.6.3' - AzAPICall PowerShell module version requirement check succeeded: '1.2.4' or greater - current: '1.2.4'
Azure Governance Visualizer version is up to date '6.6.3'
Environment: AzureCloud

* * * HINT: PIM (Privileged Identity Management) Eligibility reporting * * *
Parameter -NoPIMEligibility == 'False'
Executing principal accountType: 'User'
PIM Eligibility reporting requires to execute the script as ServicePrincipal. API Permission 'PrivilegedAccess.Read.AzureResources' is required
For this run we switch the parameter -NoPIMEligibility from 'False' to 'True'
Parameter -NoPIMEligibility == 'True'
* * * * * * * * * * * * * * * * * * * * * *
Press Enter to continue...:

Since we have no PIM in this example, the script reports this and asks whether we want to continue.

Add Azure Governance Visualizer htParameters
htParameters:

Name                                          Value
----                                          -----
GitHubActionsOIDC                             False
PolicyAtScopeOnly                             False
NoPolicyComplianceStates                      False
subscriptionId4AzContext                      undefined
accountType                                   User
ProductVersion                                6.6.3
azAccountsVersion                             2.12.4
RBACAtScopeOnly                               False
DoAzureConsumptionPreviousMonth               False
DoPSRule                                      False
skipAzContextSubscriptionValidation           False
NoResourceProvidersAtAll                      False
HierarchyMapOnly                              False
azAPICallModuleVersion                        1.2.4
DoNotIncludeResourceGroupsOnPolicy            False
gitHubRepository                              aka.ms/AzGovViz
subscriptionQuotaId                           PayAsYouGo_2014-09-01
ManagementGroupsOnly                          False
userObjectId
debugWriteMethod                              Host
DoNotShowRoleAssignmentsUserData              False
azureCloudEnvironment                         AzureCloud
PSRuleFailedOnly                              False
psVersion                                     7.3.12
ARMLocations                                  {australiacentral, australiacentral2, australiaeast, australiasoutheast...}
DoNotIncludeResourceGroupsAndResourcesOnRBAC  False
tenantId4AzContext                            undefined
NoResourceProvidersDetailed                   False
onAzureDevOps                                 False
onAzureDevOpsOrGitHubActions                  False
debugAzAPICall                                False
NoJsonExport                                  False
NoResources                                   False
userType                                      Member
codeRunPlatform                               Console
DoAzureConsumption                            False
NoMDfCSecureScore                             False
NoALZPolicyVersionChecker                     False
ThrottleLimit                                 10
LargeTenant                                   False
APIMappingCloudEnvironment                    {[costManagementQuery, System.Collections.Hashtable], [roleDefinitions, System.Collections.Hashtable], [securityPricings, System.Collections.Hashtable]}
onGitHubActions                               False
writeMethod                                   Host
NoStorageAccountAccessAnalysis                False
NoNetwork                                     False


Add Azure Governance Visualizer htParameters succeeded
Permission check results
RBAC 'Reader' permissions on Management Group - check PASSED
Detected 1 Management Groups
Please select a Management Group from the list below:

#  name  displayName        id
-  ----  -----------        --
1        Tenant Root Group  /providers/Microsoft.Management/managementGroups/

If you don't see your ManagementGroupID try using the parameter -ManagementGroupID
Please enter a selection from 1 to 1:

Since we did not specify which management group to check, a selection list is shown (as the output notes, you can skip this prompt by passing the management group with the -ManagementGroupID parameter).

Press Enter to continue...:
Running Azure Governance Visualizer (6.6.3) for ManagementGroupId: ''
'Azure Landing Zones (ALZ) Policy Version Checker' feature supported for Cloud environment 'AzureCloud'
Processing 'Azure Landing Zones (ALZ) Policy Version Checker' base data
Working directory is '/AzGovViz'
Creating temporary directory '/AzGovViz/ALZ_20250502_152803'
Switching to temporary directory '/AzGovViz/ALZ_20250502_152803'
Try cloning 'https://github.com/Azure/Enterprise-Scale.git'
Cloning into 'Enterprise-Scale'...
remote: Enumerating objects: 19802, done.
remote: Counting objects: 100% (536/536), done.
remote: Compressing objects: 100% (296/296), done.
remote: Total 19802 (delta 486), reused 240 (delta 240), pack-reused 19266 (from 5)
Receiving objects: 100% (19802/19802), 111.61 MiB | 19.75 MiB/s, done.
Resolving deltas: 100% (14859/14859), done.
Cloning 'https://github.com/Azure/Enterprise-Scale.git' succeeded
Switching to directory '/AzGovViz/ALZ_20250502_152803/Enterprise-Scale'

After a few minutes of waiting, your HTML file will be ready, along with other CSV files containing information about your environment.

3- Open the file AzGovViz_….html to view your report; the generated file will look very similar to the one below, but with the information from your domain:

https://www.azadvertizer.net/azgovvizv4/demo/AzGovViz_demo.html
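The steps above can be wrapped in a small pre-flight script that checks the executing identity has Reader at the management group before the long collection run starts, and then runs AzGovViz non-interactively. This is an added example, not code from the post or from the AzGovViz project; the -ManagementGroupID and -NoPIMEligibility parameters and the 'Reader' requirement come from the output above, while the $MgId placeholder and the Az.Resources dependency are assumptions.

```powershell
# Added example, not code from the post or from the AzGovViz project.
# Pre-flight checks plus a non-interactive run of AzGovVizParallel.ps1 for one
# management group. Assumes Az.Accounts and Az.Resources are installed, the
# script sits in the current directory, and $MgId is your MG id (placeholder).
param(
    [string]$MgId = 'MG-ID-PLACEHOLDER'   # replace with your management group id
)
$ErrorActionPreference = 'Stop'

# 1. Reuse an existing Az session or sign in (same cmdlet as step 1 of the post).
$ctx = Get-AzContext
if (-not $ctx) {
    Connect-AzAccount | Out-Null
    $ctx = Get-AzContext
}
Write-Host "Running as '$($ctx.Account.Id)' (type: $($ctx.Account.Type))"

# 2. Confirm the executing identity holds Reader at the MG scope before starting
#    a long collection run; Get-AzRoleAssignment includes inherited assignments.
$scope = "/providers/Microsoft.Management/managementGroups/$MgId"
$lookup = if ($ctx.Account.Type -eq 'ServicePrincipal') {
    @{ ServicePrincipalName = $ctx.Account.Id }   # Account.Id is the app id here
} else {
    @{ SignInName = $ctx.Account.Id }             # Account.Id is the UPN here
}
$reader = Get-AzRoleAssignment -Scope $scope @lookup |
    Where-Object { $_.RoleDefinitionName -eq 'Reader' }
if (-not $reader) {
    throw "No 'Reader' assignment found for $($ctx.Account.Id) at $scope"
}

# 3. PIM eligibility reporting only works for a service principal holding the
#    PrivilegedAccess.Read.AzureResources permission (see the HINT block above),
#    so pass -NoPIMEligibility explicitly for user accounts instead of letting the
#    script flip it and pause. Supplying -ManagementGroupID avoids the
#    management group selection prompt.
$azGovVizArgs = @{ ManagementGroupID = $MgId }
if ($ctx.Account.Type -ne 'ServicePrincipal') {
    $azGovVizArgs['NoPIMEligibility'] = $true
}
./AzGovVizParallel.ps1 @azGovVizArgs

# 4. List the artefacts that were produced (HTML report plus CSV exports).
Get-ChildItem -Path . -Include 'AzGovViz_*.html', '*.csv' -Recurse -File |
    Select-Object FullName, Length, LastWriteTime
```

If Reader is granted through group membership rather than directly, add -ExpandPrincipalGroups to the Get-AzRoleAssignment call so the check sees it.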

Thank you for your attention and see you next time


References:

https://www.azadvertizer.net/azgovvizv4/demo/AzGovViz_demo.html
https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/blob/master/pwsh/AzGovVizParallel.ps1
https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting
