How to find all places in Azure where specific account is used
a.k.a. account usage overview
I recently dealt with a situation where I needed to clean our Azure tenant of previously disabled users. To handle such a task, you first need to know where those accounts are actually used.
Therefore I've created the PowerShell function Get-AzureADAccountOccurrence. Because it requires a lot of other helper functions and modules, I've decided to place it into the new AzureADStuff module.
The Get-AzureADAccountOccurrence function takes an account ID (or UPN) as input (the account can be a user, a group or a service principal) and outputs a PSObject with the following properties:
- what the account owns (applications, DevOps organizations, SharePoint sites)
- where this account is set as a manager (its direct reports)
- membership:
  - directory role membership
  - group membership
  - DevOps role membership
  - IAM role assignments (over groups, resources, resource groups, management groups, subscriptions, ... across all subscriptions)
- application:
  - permission consents
  - Users and Groups role assignments
And the result can look like this:
How to
- Get all required modules: install the module together with all required modules using the
Install-Module AzureADStuff
command
- Connect to the cloud services by calling:
Connect-AzureAD2
Connect-PnPOnline2 -url https://contoso-admin.sharepoint.com
(use your own SharePoint admin URL)
Connect-AzAccount2
I've tested this under a Global Admin account, but a Global Reader or Security Reader account that is also an IAM role member at the Tenant Root Group (in the Management groups section of Azure) should be fine, I guess.
- Call my function like this:
Get-AzureADAccountOccurrence -UserPrincipalName user@contoso.com -Verbose
By default, all available data are gathered. If you want just a subset of them, use the data parameter.
If you do not want to use the PowerShell Gallery installation, you can manually download the AzureADStuff module from my repository. Then install all required modules by calling
Install-Module Az.Accounts, Az.Resources, AzureAD, PnP.PowerShell, MSAL.PS
and import the downloaded AzureADStuff module using the Import-Module command.
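As an added example (not code from the post or the AzureADStuff module), here is the cleanup scenario from the introduction scripted end to end: every disabled user in the tenant is passed to Get-AzureADAccountOccurrence and the result is summarised into a report of which areas still reference each account. It assumes the three Connect-* calls above have already been made; because the exact names of the output properties are not listed here, the script walks the returned object's properties generically (assuming each is either empty or a collection of findings) rather than naming them.

```powershell
# Added example: audit every disabled user in the tenant for remaining references.
# Assumes Connect-AzureAD2 / Connect-PnPOnline2 / Connect-AzAccount2 were already run.
Import-Module AzureADStuff

# Disabled accounts are the cleanup candidates (AzureAD module cmdlet, OData filter).
$disabledUsers = Get-AzureADUser -Filter "accountEnabled eq false" -All $true

$report = foreach ($user in $disabledUsers) {
    # One call per account; the function returns a PSObject whose properties
    # describe ownership, manager relations, memberships, IAM assignments, etc.
    $occurrence = Get-AzureADAccountOccurrence -UserPrincipalName $user.UserPrincipalName

    # Assumption: every output property is either $null/empty or a collection of
    # findings, so any non-empty property means the account is still used there.
    $usedIn = $occurrence.PSObject.Properties |
        Where-Object { $null -ne $_.Value -and @($_.Value).Count -gt 0 } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        StillReferenced   = [bool]$usedIn
        UsedIn            = ($usedIn -join ', ')
    }
}

# Accounts with no remaining references are the safe removal candidates;
# the referenced ones need a permission review before they are touched.
$report | Sort-Object StillReferenced -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\disabled-account-usage.csv -NoTypeInformation
```

The CSV doubles as an audit trail of what was checked before any account is removed.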
Summary
Get-AzureADAccountOccurrence helps you understand where a specific account is used in your AzureAD environment. This can be helpful in many situations, like cleaning your AzureAD of disabled accounts, account usage auditing, account permission review, etc.
I've also created a function for removing/replacing an account in all places where it was found. But that is for another blog post.