Do you want to have visibility on your Tenant´s Management Group hierarchy - document it in csv, html and markdown?
AzGovViz is a PowerShell based script that iterates your Azure Tenants Management Group hierarchy down to Subscription level. It captures most relevant Azure governance capabilities such as Azure Policy, RBAC and Blueprints and more. From the collected data AzGovViz provides visibility on your Hierarchy Map, creates a Tenant Summary and builds granular Scope Insights on Management Groups and Subscriptions. The technical requirements as well as the required permissions are minimal.
You can run the script either for your Tenant Root Group or any other Management Group that you have read access on.
The new version comes with a handful of enhancements:
- HTML filterable tables
- Resource Types Diagnostics capable
- Resource Diagnostics Policy Findings
- Resource Provider details
- Policy Assignments filter excluded scopes
- Use of deprecated built-in policies
- Subscription QuotaId Whitelist
The new version comes with a handful of enhancements:
- Optimized user experience for the HTML output
- Summary for Tenant / selected Management Group scope
- Reflect Tenant, ManagementGroup and Subscription Limits for Azure Governance capabilities
- Some security related best practice highlighting
- More details: Management Groups, Subscriptions, Policies, Policy Sets (Initiatives), Orphaned Policies, RBAC and Policy related RBAC (DINE MI), Orphaned Roles, Orphaned RoleAssignments, Blueprints, Subscription State, Subscription QuotaId, Subscription Tags, Azure Scurity Center Secure Score, ResourceGroups count, Resource types and count by region, Limits, Security findings
- Resources / leveraging Azure Resource Graph
- Parameter based output (hierarchy only, 'srubbed' user information and more..)
- HTML version check
detailed html file
*IDs from screenshot are randomized
basic markdown in Azure DevOps Wiki
*IDs from screenshot are randomized
- CSV file
- HTML file
- the html file uses Java Script and CSS files which are hosted on various CDNs (Content Delivery Network). For details review the BuildHTML region in the AzGovViz.ps1 script file.
- Browsers tested: Edge, new Edge and Chrome
- MD (markdown) file
- for use with Azure DevOps Wiki leveraging the Mermaid plugin
note: there is some fixing ongoing at the mermaid project to optimize the graphical experience:
mermaid-js/mermaid#1289
mermaid-js/mermaid#1177
- RBAC Role: Reader on Management Group level
- API permissions: If you run the script in Azure Automation or on Azure DevOps hosted agent you will need to grant API permissions in Azure Active Directory (get-AzRoleAssignment cmdlet requirements). The Automation Account or Service Connection App registration (Application) must be granted with: Azure Active Directory API | Application | Directory | Read.All (admin consent might be required)
- Requires PowerShell Az Modules
- Az.Accounts
- Az.Resources
- Az.ResourceGraph
- Usage
.\AzGovViz.ps1 -managementGroupId <your-Management-Group-Id>
- Parameters
- ManagementGroupId
- CsvDelimiter (the world is split into two kind of delimiters - comma and semicolon - choose yours)
- OutputPath
- AzureDevOpsWikiAsCode
- DoNotShowRoleAssignmentsUserData (scrub user information)
- LimitCriticalPercentage (limit warning level, default is 80%)
- HierarchyTreeOnly (output only the hierarchy tree for Management Groups including linked Subscriptions)
- SubscriptionQuotaIdWhitelist (process only subscriptions with defined QuotaId(s))
UseAzureRM parametersupport for AzureRm modules has been deprecated
- Passed tests: Powershell Core on Windows
- Passed tests: Powershell 5.1.18362.752 on Windows
- Passed tests: Powershell Core on Linux Ubuntu 18.04 LTS
The provided example Pipeline is configured to run based on a shedule (every 6 hours). It will push the AzGovViz markdown output file to the 'wiki' folder in the 'Azure-MG-Sub-Governance-Reporting' Repository which will feed your Wiki.
- In Azure DevOps make sure to enable the Multistage Pipelines feature https://docs.microsoft.com/en-us/azure/devops/pipelines/get-started/multi-stage-pipelines-experience?view=azure-devops
- Clone the AzGovViz Repo
- Create Pipeline, configure your pipeline selecting Existing Azure Pipelines YAML file, select the AzGovViz YAML from the AzGovViz (Azure-MG-Sub-Governance-Reporting) Repo
- Permissions: In order to allow the pipeline to push files back to our 'wiki' folder in the 'Azure-MG-Sub-Governance-Reporting' Repository the Build Service ('%ProjectName% Build Service (%OrgName%)') must be granted Contribute and Create Branch permissions
- Run the Pipeline
- Create Wiki by choosing Publish Code as Wiki, define the folder 'wiki' from the 'Azure-MG-Sub-Governance-Reporting' Repository as source
Make sure your Service Connection has the required permissions (see Required permissions in Azure).
AzGovViz creates very detailed information about your Azure Governance setup. In your organizations best interest the outputs should be protected from not authorized access!
Subscriptions where QuotaId starts with with "AAD_" are being skipped, all others are queried (https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/understand-cost-mgt-data#supported-microsoft-azure-offers).
Limits are not acquired programmatically, they are hardcoded. The links used to check related Limits are commented in the param section of the script.
Please feel free to contribute. Thanks to so many supporters - testing, giving feedback, making suggestions, presenting use-case, posting/blogging articles, refactoring code - THANK YOU!
Special thanks to Tim Wanierke, Brooks Vaughn, Friedrich Weinmann
Also check https://www.azadvertizer.net to keep up with the pace on Azure Governance capabilities such as Azure Policies, Policy Initiatives, Policy Aliases, RBAC Roles and Resource Providers including operations.