How to find all places in Azure where specific account is used


a.k.a. account usage overview


I recently dealt with a situation where I needed to clean up our Azure from previously disabled users. To handle such a task, you need to know where such accounts are used in the first place 😁

Therefore I've created the PowerShell function Get-AzureADAccountOccurrence. Because it requires a lot of other helper functions and modules, I've decided to place it into the new AzureADStuff module.

The Get-AzureADAccountOccurrence function takes an account ID (or UPN) as input (the account can be a user, group, or service principal) and outputs a PSObject with the following properties:

  • what the account owns (applications, DevOps organizations, SharePoint sites)
  • where this account is set as a manager (direct reports)
  • membership:
    • directory role membership
    • group membership
    • DevOps role membership
  • IAM role assignments (over groups, resources, resource groups, management groups, subscriptions, etc., across all subscriptions)
  • application:
    • permission consents
    • Users and Groups role assignments

And the result can look like this 👇 [screenshots of the function output]


How to

  1. Get all required modules
    • Install the module with all required modules using the Install-Module AzureADStuff command
  2. Connect to the cloud services by calling:

    • Connect-AzureAD2
    • Connect-PnPOnline2 -url https://contoso-admin.sharepoint.com (use your own SharePoint admin URL)
    • Connect-AzAccount2

      I've tested this under a Global Admin account, but a member of the Global Reader or Security Reader IAM role at the Tenant Root Group in the Management groups section of Azure should be fine, I guess.

  3. Call my function like Get-AzureADAccountOccurrence -UserPrincipalName user@contoso.com -Verbose

    By default, all available data is gathered. If you want just a subset, use the data parameter.

If you do not want to install from the PowerShell Gallery, you can manually download the AzureADStuff module from my repository. Then install all required modules by calling Install-Module Az.Accounts, Az.Resources, AzureAD, PnP.PowerShell, MSAL.PS, and import the downloaded AzureADStuff module using the Import-Module command.
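
The steps above applied to the cleanup scenario from the introduction, as an added example that is not part of the original post or of the AzureADStuff module: it runs Get-AzureADAccountOccurrence for every disabled user and saves one JSON report per account for review. The output folder, the filter used to find disabled users, and the JSON export are assumptions of this example.

```powershell
# Added example: audit every disabled user in the tenant and save the findings for review.
# Assumptions (not from the original post): the output folder, the OData filter used to
# find disabled users, and that the returned objects serialize cleanly to JSON.

$outDir             = Join-Path $PWD 'account-occurrence'        # hypothetical output folder
$sharePointAdminUrl = 'https://contoso-admin.sharepoint.com'     # use your own SharePoint admin URL

# 1. Install the module together with its required modules
Install-Module AzureADStuff -Scope CurrentUser

# 2. Connect to the cloud services
Connect-AzureAD2
Connect-PnPOnline2 -url $sharePointAdminUrl
Connect-AzAccount2

# Find disabled users with the AzureAD module's own cmdlet
$disabledUsers = Get-AzureADUser -All $true -Filter 'accountEnabled eq false'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$failed = @()

foreach ($user in $disabledUsers) {
    $upn = $user.UserPrincipalName
    try {
        # 3. Gather all available data (the default) for this account
        $occurrence = Get-AzureADAccountOccurrence -UserPrincipalName $upn -ErrorAction Stop

        # One JSON file per account; guest UPNs contain '#', so sanitize the file name.
        # -Depth keeps nested results from being truncated by ConvertTo-Json.
        $file = Join-Path $outDir ('{0}.json' -f ($upn -replace '[^\w.@-]', '_'))
        $occurrence | ConvertTo-Json -Depth 6 | Set-Content -Path $file -Encoding UTF8
    }
    catch {
        # Record the failure and continue with the next account
        $failed += [pscustomobject]@{ UserPrincipalName = $upn; Error = $_.Exception.Message }
    }
}

'Processed {0} disabled account(s), {1} failed.' -f @($disabledUsers).Count, $failed.Count
if ($failed) { $failed | Format-Table -AutoSize }
```

The per-account reports contain a full map of each account's privileges and ownership, so store the output folder with the same access restrictions as other identity audit data.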


Summary

Get-AzureADAccountOccurrence helps to understand where a specific account is used in your AzureAD environment. This can be helpful in many situations like cleaning up your AzureAD from disabled accounts, account usage auditing, account permission review, etc.

I've also created a function for removing/replacing an account from all places where it was found. But that is for another blog post 😉
