From da265a0d9a25da632eccc6a3e482dac90b06c047 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:08:16 +0100 Subject: [PATCH 01/15] Improved workbook and visualizations --- .../EntraOps Privileged EAM - Overview.json | 4 +- ...ntraOps Privileged EAM - Overview.workbook | 331 ++++++++++++++++-- 2 files changed, 311 insertions(+), 24 deletions(-)
diff --git a/Workbooks/EntraOps Privileged EAM - Overview.json b/Workbooks/EntraOps Privileged EAM - Overview.json
index 7104221..bd74cd7 100644
--- a/Workbooks/EntraOps Privileged EAM - Overview.json
+++ b/Workbooks/EntraOps Privileged EAM - Overview.json
@@ -17,7 +17,7 @@
 },
 "workbookSourceId": {
 "type": "string",
- "defaultValue": "PrivilegedEAM",
+ "defaultValue": "privilegedeam",
 "metadata": {
 "description": "The id of resource instance to which the workbook will be associated"
 }
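Review bot: The new default `"privilegedeam"` still contradicts the parameter's own description two lines below, which says `workbookSourceId` is the id of the resource instance the workbook will be associated with — a bare lowercase name is not a resource id, so a deployment that keeps the default presumably binds the workbook to a non-existent source or fails template validation. The change only alters casing and the commit message does not say which consumer required it, which makes the intent hard to audit later. Since this parameter decides which workspace the workbook is attached to, I would rather drop the default so the deployer has to pass the workspace resource id explicitly, or at least document the expectation: `"description": "Resource id of the workspace (or 'azure monitor') the workbook will be associated with; set explicitly at deployment"`. The enclosing `parameters` object starts before the hunk.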
@@ -40,7 +40,7 @@ "kind": "shared", "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where 
tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend 
Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), 
Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend RestrictedManagement = iff(RestrictedManagementByAadRole == true or RestrictedManagementByRAG == true or RestrictedManagementByRMAU == true,\\\"Protected\\\",\\\"Unprotected\\\")\\r\\n| extend RestrictedManagement = iff((ObjectType != 
\\\"serviceprincipal\\\"), tostring(RestrictedManagement), \\\"Non applicable\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by RestrictedManagement\\r\\n\\r\\n\",\"size\":4,\"title\":\"Restricted management of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = 
strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where 
Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| sort by ObjectAdminTierLevelName asc\",\"size\":4,\"title\":\"Classification of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts 
\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\",\"size\":4,\"title\":\"Classification of privileged 
access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend 
OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedManagement = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, OnPremSynchronized, AssignedAdministrativeUnits, tostring(RestrictedManagement)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"ObjectId\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ObjectId\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts 
\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n 
PIMManagedRole,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n tostring(TaggedBy)\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, PIMManagedRole, Service\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}],\"sortBy\":[{\"itemKey\":\"RoleSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleSystem\",\"sortOrder\":1}]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure monitor\"]}", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project 
id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"/subscriptions/4d3e5b65-8a52-4b2f-b5cd-1670c700136b/resourceGroups/lab-mgmt/providers/Microsoft.OperationalInsights/workspaces/lab-la-4d3e5b65-8a52-4b2f-b5cd-1670c700136b\"},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = 
Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = 
tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU 
== \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by 
count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName 
contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDig
its\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == 
\\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not 
applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, AssignedAdministrativeUnits, tostring(RestrictedAssignments)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment = RoleAssignmentSubType,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, 
TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"privilegedeam\"]}",
 "version": "1.0",
 "sourceId": "[parameters('workbookSourceId')]",
 "category": "[parameters('workbookType')]"
diff --git a/Workbooks/EntraOps Privileged EAM - Overview.workbook b/Workbooks/EntraOps Privileged EAM - Overview.workbook
index 2c24094..8997a34 100644
--- a/Workbooks/EntraOps Privileged EAM - Overview.workbook
+++ b/Workbooks/EntraOps Privileged EAM - Overview.workbook
@@ -224,7 +224,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "PrivilegedEAM\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| mv-expand Classification\r\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification.Service in ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| extend RestrictedManagement = iff(RestrictedManagementByAadRole == true or RestrictedManagementByRAG == true or RestrictedManagementByRMAU == true,\"Protected\",\"Unprotected\")\r\n| extend RestrictedManagement = iff((ObjectType != \"serviceprincipal\"), tostring(RestrictedManagement), \"Non applicable\")\r\n| distinct ObjectId, RestrictedManagement\r\n| summarize Count = count() by RestrictedManagement\r\n\r\n",
+ "query": "PrivilegedEAM\r\n| where OnPremSynchronized == iff('*' == \"Cloud-Only\", false, true)\r\n or '*' == '*'\r\n or '*' == 'All Privileged Identities'\r\n| where RoleSystem in ('*') or '*' in ('*')\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| mv-expand Classification\r\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\r\n| where Classification.Service in ('*') or '*' in ('*')\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where ObjectType in ('*') or '*' in ('*')\r\n| where ObjectDisplayName contains '' or '' == \"\"\r\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, 
RestrictedManagementByRMAU)\r\n| extend RestrictedManagement = case(\r\n ObjectType == \"serviceprincipal\", \"Not available\", \r\n ObjectType == \"group\" and ObjectSubType == \"Role-assignable\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \"True\", \"Conflict\",\r\n ObjectType == \"group\" and ObjectSubType != \"Role-assignable\" and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"group\" and ObjectSubType == \"security\" and RestrictedManagementByRMAU == True, \"Applied\",\r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \"Permanent\", \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n \"Not applied\")\r\n| distinct ObjectId, RestrictedManagement\r\n| summarize Count = count() by RestrictedManagement",
 "size": 4,
 "title": "Restricted management of privileged identities",
 "timeContext": {
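Review bot: Every workbook parameter reference in this tile's query has been replaced by the literal `'*'`, so the "Restricted management" tile no longer honours the Sync Source, RBAC System, Tier Level, Service and Object Type selections: `'*' == '*'` and `RoleSystem in ('*') or '*' in ('*')` are always true, and `| where ObjectDisplayName contains '' or '' == ""` is a no-op; this looks like a query pasted back from a preview in which the parameters had already been resolved. Restore the `'{SyncSource}'`, `({RoleSystem})`, `({AdminTierLevelName})`, `({Service})` and `({ObjectType})` placeholders exactly as in the removed line and the sibling tiles, and drop the empty `contains ''` filter. In the new `case()`, `ObjectType == "user" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True` parses as `(… and …) or RestrictedManagementByRMAU == True` because `and` binds tighter than `or`, so the right-hand operand applies to any object type that reached this branch; write it as `ObjectType == "user" and (RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True)` (same for the RAG branch). The "Conflict" branch compares `parse_json(RestrictedAssignments).RestrictedManagementByRMAU == "True"` (a string) while every other branch compares the column to the boolean `True`; if the column is boolean the packed bag holds a bool and the string comparison presumably never matches, so conflicts would never be reported — confirm the column type. The identical query is also embedded in the ARM template's `serializedData` earlier in this patch; keep both copies in sync.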
@@ -296,7 +296,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "PrivilegedEAM\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| mv-expand parse_json(RoleAssignments)\r\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \" \", RoleAssignments.PIMAssignmentType)\r\n| summarize count() by AssignmentType\r\n| sort by count_",
+ "query": "PrivilegedEAM\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| mv-expand parse_json(RoleAssignments)\r\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \" \", RoleAssignments.PIMAssignmentType)\r\n| summarize count() by AssignmentType\r\n| sort by count_",
 "size": 4,
 "title": "Assignments of privileged roles",
 "timeContext": {
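Review bot: The added `| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == ""` interpolates a free-text parameter inside single quotes, so a display name containing `'` breaks the tile's query instead of filtering it; the same pattern is used by the other tiles, so this is a shared limitation rather than a regression, but it deserves a note in the workbook. In the same new line the tile still filters with `Classification contains ({AdminTierLevelName})` and `Classification contains ({Service})` whereas the sibling tiles `mv-expand Classification` and test `Classification.AdminTierLevelName in ({AdminTierLevelName})`; with a multi-select parameter the placeholder expands to a quoted, comma-separated list, which `contains` presumably cannot take as its right operand — verify with two selected values and align with the `in (...)` form. `iff('{SyncSource}' == "Cloud-Only",false,true)` here spells the literals in lowercase while the hunks at 368 and 441 use `False,True`; pick one spelling across the file.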
@@ -368,7 +368,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "PrivilegedEAM\r\n| where ObjectType != \"group\"\r\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| mv-expand Classification\r\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification.Service in ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| distinct ObjectId, ObjectAdminTierLevelName\r\n| summarize Count = count() by ObjectAdminTierLevelName\r\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\r\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\r\n| sort by ObjectAdminTierLevelName asc",
+ "query": "PrivilegedEAM\r\n| where ObjectType != \"group\"\r\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| mv-expand Classification\r\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| 
where Classification.Service in ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| distinct ObjectId, ObjectAdminTierLevelName\r\n| summarize Count = count() by ObjectAdminTierLevelName\r\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\r\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\r\n| extend SortOrder = case(\r\n ObjectAdminTierLevelName == \"ControlPlane\", 1,\r\n ObjectAdminTierLevelName == \"ManagementPlane\", 2,\r\n ObjectAdminTierLevelName == \"WorkloadPlane\", 3,\r\n ObjectAdminTierLevelName == \"UserAccess\", 4,\r\n 5) // Default value for any other entries\r\n| order by SortOrder asc\r\n| project-away SortOrder",
 "size": 4,
 "title": "Classification of privileged identities",
 "timeContext": {
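Review bot: The new `case()` that replaces `sort by ObjectAdminTierLevelName asc` puts "Unclassified" into the catch-all branch (`5`) together with any unexpected classification value, so an unknown tier sorts indistinguishably from Unclassified in the tile; add an explicit `ObjectAdminTierLevelName == "Unclassified", 5,` and make the default `6`. The tier list and its order are now written twice in this query — once in the `datatable(...)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']` join and again in the `case()` — and the same block is repeated in the `@@ -441` hunk and in the `.json` serializedData, so the four copies can drift; carrying the rank in the datatable instead (`datatable(ObjectAdminTierLevelName:string, SortOrder:int)['ControlPlane',1, 'ManagementPlane',2, 'WorkloadPlane',3, 'UserAccess',4, 'Unclassified',5]`, then `order by coalesce(SortOrder, 6) asc`) keeps a single source of truth. The trailing `// Default value for any other entries` is the only explanation of the ordering; a short comment naming the intent (`// display order of tiers, most privileged first`) on the `extend SortOrder` line would help the next maintainer.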
@@ -441,7 +441,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "PrivilegedEAM\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| mv-expand Classification\r\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification.Service in ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \"*\"\r\n| sort by ObjectAdminTierLevelName asc\r\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\r\n| summarize Count = count() by RoleClassificationAdminTierLevelName\r\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\r\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)", + "query": "PrivilegedEAM\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| mv-expand Classification\r\n| where Classification.AdminTierLevelName 
in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification.Service in ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \"*\"\r\n| sort by ObjectAdminTierLevelName asc\r\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\r\n| summarize Count = count() by RoleClassificationAdminTierLevelName\r\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\r\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\r\n| extend SortOrder = case(\r\n RoleClassificationAdminTierLevelName == \"ControlPlane\", 1,\r\n RoleClassificationAdminTierLevelName == \"ManagementPlane\", 2,\r\n RoleClassificationAdminTierLevelName == \"WorkloadPlane\", 3,\r\n RoleClassificationAdminTierLevelName == \"UserAccess\", 4,\r\n 5) // Default value for any other entries\r\n| order by SortOrder asc\r\n| project-away SortOrder", "size": 4, "title": "Classification of privileged access", "timeContext": { 
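Review bot: The 'Classification of privileged access' query counts `distinct ObjectId, RoleClassificationAdminTierLevelName` over every row in the selected time range, whereas the companion 'Classification of privileged identities' query first reduces to the latest snapshot with `| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem`; over a range spanning several ingestion runs an identity whose role was removed or reclassified is still counted in its old tier here, and the added `SortOrder` block does not change that. Suggest inserting `| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem` directly after the `PrivilegedEAM` source line so both tiles report the same population. The `| sort by ObjectAdminTierLevelName asc` placed before `distinct` and `summarize` has no effect on the output and can be dropped.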
@@ -514,7 +514,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "PrivilegedEAM\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| extend RestrictedManagement = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\r\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, AssignedAdministrativeUnits, tostring(RestrictedManagement)\r\n| sort by ObjectDisplayName", + "query": "PrivilegedEAM\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| 
where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\r\n| extend RestrictedManagement = case(\r\n ObjectType == \"serviceprincipal\", \"Not available\", \r\n ObjectType == \"group\" and ObjectSubType == \"Role-assignable\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \"True\", \"Conflict\",\r\n ObjectType == \"group\" and ObjectSubType != \"Role-assignable\" and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"group\" and ObjectSubType == \"security\" and RestrictedManagementByRMAU == True, \"Applied\",\r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \"Permanent\", \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n \"Not applied\")\r\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, AssignedAdministrativeUnits, 
tostring(RestrictedAssignments)\r\n| sort by ObjectDisplayName", "size": 0, "title": "List of Privileged Accounts ", "timeContext": { @@ -530,6 +530,39 @@ ], "gridSettings": { "formatters": [ + { + "columnMatch": "ObjectType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "user", + "representation": "Person", + "text": "User" + }, + { + "operator": "==", + "thresholdValue": "serviceprincipal", + "representation": "Capture", + "text": "Service Principal" + }, + { + "operator": "==", + "thresholdValue": "group", + "representation": "PersonWithFriend", + "text": "Group" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Question", + "text": "unknown" + } + ] + } + }, { "columnMatch": "ObjectDisplayName", "formatter": 0, 
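Review bot: The new `RestrictedManagement` case() mixes `and`/`or` without parentheses — in KQL `and` binds tighter, so `ObjectType == "user" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True` evaluates as `(user and AadRole) or RMAU` and matches any object with `RestrictedManagementByRMAU == True` regardless of type; because the 'Conflict' branch compares the bag property to the string `"True"` while every other branch compares the column to the boolean `True`, a role-assignable group with RMAU set can skip the Conflict branch and land here as "Applied" (hedged: depends on the column's type in the table). Three of the later `ObjectType == "user"` branches are unreachable once the first one matches. Suggest one explicitly grouped branch per object type, e.g. `ObjectType == "user" and (RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True or RestrictedManagementByRMAU == True), "Applied",` and `RestrictedManagementByRMAU == True` in the Conflict branch. This tile is what an operator uses to confirm Control Plane identities are protected, so a false "Applied" is a real blind spot.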
@@ -537,6 +570,167 @@ "tooltip": "{ObjectUserPrincipalName}" } }, + { + "columnMatch": "ObjectAdminTierLevelName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "ControlPlane", + "representation": "Sev0", + "text": "Control Plane" + }, + { + "operator": "==", + "thresholdValue": "ManagementPlane", + "representation": "Sev3", + "text": "Management Plane" + }, + { + "operator": "==", + "thresholdValue": "UserAccess", + "representation": "Sev4", + "text": "User Access" + }, + { + "operator": "==", + "thresholdValue": "Unclassified", + "representation": "Line", + "text": "Unclassified" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Line", + "text": "Unknown" + } + ] + } + }, + { + "columnMatch": "RestrictedManagement", + "formatter": 18, + "formatOptions": { + "linkColumn": "RestrictedAssignments", + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Applied", + "representation": "success", + "text": "Applied" + }, + { + "operator": "==", + "thresholdValue": "Conflict", + "representation": "2", + "text": "Conflict" + }, + { + "operator": "==", + "thresholdValue": "Not applied", + "representation": "4", + "text": "Not applied" + }, + { + "operator": "==", + "thresholdValue": "Not available", + "representation": "cancelled", + "text": "Not available" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + }, + { + "columnMatch": "AssignedAdministrativeUnits", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkLabel": "", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "RestrictedAssignments", + "formatter": 5, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Restricted 
Management", + "formatter": 18, + "formatOptions": { + "linkColumn": "RestrictedAssignments", + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Applied", + "representation": "success", + "text": "{0}{1}", + "tooltipFormat": { + "tooltip": "Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment" + } + }, + { + "operator": "==", + "thresholdValue": "Not available", + "representation": "Normal", + "text": "{0}{1}", + "tooltipFormat": { + "tooltip": "No restricted management for object type available" + } + }, + { + "operator": "==", + "thresholdValue": "Not applied", + "representation": "4", + "text": "{0}{1}", + "tooltipFormat": { + "tooltip": "No assignment for restricted assignment" + } + }, + { + "operator": "==", + "thresholdValue": "Conflict", + "representation": "2", + "text": "{0}{1}", + "tooltipFormat": { + "tooltip": "Assignment to two or more restricted management capabilities which are not compatible" + } + }, + { + "operator": "==", + "thresholdValue": "Applied", + "representation": "success", + "text": "{0}{1}", + "tooltipFormat": { + "tooltip": "Strong restricted management by RMAU and Role-Assignable Group" + } + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + }, { "columnMatch": "Group", "formatter": 1 @@ -577,14 +771,14 @@ ], "sortBy": [ { - "itemKey": "ObjectId", + "itemKey": "$gen_thresholds_RestrictedManagement_6", "sortOrder": 1 } ] }, "sortBy": [ { - "itemKey": "ObjectId", + "itemKey": "$gen_thresholds_RestrictedManagement_6", "sortOrder": 1 } ] 
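Review bot: The formatter list now carries two entries for the same `columnMatch: "RestrictedManagement"` column (the second appears here as `"Restricted Management"`, possibly a line-wrap artefact of this rendering), each with its own `thresholdsGrid`, so which icons and tooltips a viewer sees depends on the workbook engine's first-match behaviour; keep one. Inside the second entry `"thresholdValue": "Applied"` is listed twice, so the 'Strong restricted management by RMAU and Role-Assignable Group' tooltip can never be reached, and the query emits only a single "Applied" value anyway. The `ObjectAdminTierLevelName` thresholds omit `WorkloadPlane` although the tile queries enumerate `'ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified'`, so WorkloadPlane identities render as "Unknown"; add `{ "operator": "==", "thresholdValue": "WorkloadPlane", "representation": "Sev2", "text": "Workload Plane" }` (icon to taste). Also `Role-Assingable` in the first tooltip should read `Role-Assignable`.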
@@ -595,7 +789,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "PrivilegedEAM\r\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\r\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| mv-expand RoleAssignments\r\n| project RoleAssignments, RoleSystem\r\n| evaluate bag_unpack(RoleAssignments)\r\n| extend Classification = column_ifexists(\"Classification\",\"\")\r\n| mv-expand parse_json(Classification)\r\n| extend AdminTierLevel = Classification.AdminTierLevelName\r\n| extend Service = Classification.Service\r\n| extend TaggedBy = Classification.TaggedBy\r\n| where Service contains ('*') or '*' in ('*')\r\n| extend TransitiveBy = column_ifexists(\"TransitiveByObjectDisplayName\", \"\")\r\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service) by\r\n RoleSystem,\r\n tostring(RoleAssignmentId),\r\n RoleDefinitionName,\r\n tostring(RoleAssignmentScopeId),\r\n RoleAssignmentScopeName,\r\n PIMManagedRole,\r\n PIMAssignmentType,\r\n RoleAssignmentType,\r\n TransitiveBy,\r\n 
tostring(TaggedBy)\r\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \"Unclassified\")\r\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\r\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, PIMManagedRole, Service", + "query": "PrivilegedEAM\r\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\r\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| mv-expand RoleAssignments\r\n| project RoleAssignments, RoleSystem\r\n| evaluate bag_unpack(RoleAssignments)\r\n| extend Classification = column_ifexists(\"Classification\",\"\")\r\n| mv-expand parse_json(Classification)\r\n| extend AdminTierLevel = Classification.AdminTierLevelName\r\n| extend Service = Classification.Service\r\n| extend TaggedBy = Classification.TaggedBy\r\n| where Service contains ('*') or '*' in ('*')\r\n| extend TransitiveBy = column_ifexists(\"TransitiveByObjectDisplayName\", \"\")\r\n| 
summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\r\n RoleSystem,\r\n tostring(RoleAssignmentId),\r\n RoleDefinitionName,\r\n tostring(RoleAssignmentScopeId),\r\n RoleAssignmentScopeName,\r\n PIMAssignmentType,\r\n RoleAssignmentType,\r\n TransitiveBy,\r\n TransitiveByAssignment = RoleAssignmentSubType,\r\n EligibilityBy\r\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \"Unclassified\")\r\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\r\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\r\n| project-away AdminTierLevels", "size": 0, "title": "Related privileged role assignments", "timeContext": { 
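Review bot: The new `summarize ... by ... TransitiveByAssignment = RoleAssignmentSubType, EligibilityBy` references two columns that only exist if every unpacked `RoleAssignments` bag carries those properties, while the same query guards `TransitiveByObjectDisplayName` and `Classification` with `column_ifexists(...)`; if any RoleSystem's assignment records lack `RoleAssignmentSubType` or `EligibilityBy` (hedged: the producers are not visible here), `evaluate bag_unpack` will not create the column and the whole tile fails instead of showing a blank cell. Suggest the same pattern, e.g. `| extend TransitiveByAssignment = column_ifexists("RoleAssignmentSubType", ""), EligibilityBy = column_ifexists("EligibilityBy", "")` before the summarize. Separately, `| where Service contains ('*') or '*' in ('*')` is always true and looks like a leftover of a removed parameter; drop it or wire it to the `{Service}` parameter the other tiles use.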
@@ -608,6 +802,98 @@ ], "gridSettings": { "formatters": [ + { + "columnMatch": "RoleSystem", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "IdentityGovernance", + "representation": "Share", + "text": "Identity Governance" + }, + { + "operator": "==", + "thresholdValue": "Azure", + "representation": "AzurePortal", + "text": "Azure" + }, + { + "operator": "==", + "thresholdValue": "ResourceApps", + "representation": "Connect", + "text": "Resource Apps" + }, + { + "operator": "==", + "thresholdValue": "DeviceManagement", + "representation": "Tools", + "text": "Device Management" + }, + { + "operator": "==", + "thresholdValue": "EntraID", + "representation": "Key", + "text": "Entra ID" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Question", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AdminTierLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Unclassified", + "representation": "Line", + "text": "Unclassified" + }, + { + "operator": "==", + "thresholdValue": "ControlPlane", + "representation": "Sev0", + "text": "Control Plane" + }, + { + "operator": "==", + "thresholdValue": "ManagementPlane", + "representation": "Sev3", + "text": "Management Plane" + }, + { + "operator": "==", + "thresholdValue": "UserAccess", + "representation": "Sev4", + "text": "User Access" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Line", + "text": "Unknown" + } + ] + } + }, + { + "columnMatch": "RoleDefinitionName", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + }, { "columnMatch": "RoleAssignmentType", "formatter": 0, 
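Review bot: The `AdminTierLevel` icon map in this grid again has no entry for `WorkloadPlane`, so assignments classified in that tier fall to the default row and display as "Unknown" with the neutral `Line` icon, understating their sensitivity next to the Sev0/Sev3/Sev4 rows; add `{ "operator": "==", "thresholdValue": "WorkloadPlane", "representation": "Sev2", "text": "Workload Plane" }`. The `RoleSystem` default row uses `"text": "{0}{1}"`, which renders the raw value, while the `AdminTierLevel` default prints the literal "Unknown" — pick one convention so an unexpected value is recognisable in both columns.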
@@ -615,33 +901,34 @@ "tooltip": "[\"TransitiveByObjectDisplayName\"]" } }, + { + "columnMatch": "Service", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "RoleAssignmentId", + "formatter": 5 + }, { "columnMatch": "RoleAssignmentScopeId", - "formatter": 0, + "formatter": 5, "tooltipFormat": { "tooltip": "[\"RoleAssignmentScopeName\"]" } } - ], - "sortBy": [ - { - "itemKey": "RoleSystem", - "sortOrder": 1 - } ] }, - "sortBy": [ - { - "itemKey": "RoleSystem", - "sortOrder": 1 - } - ] + "sortBy": [] }, "name": "Related privileged role assignments" } ], "fallbackResourceIds": [ - "PrivilegedEAM" + "privilegedeam" ], "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" } \ No newline at end of file From 9a021d88cce0d05d5e3a1824af691f0c9e76a2a7 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:08:42 +0100 Subject: [PATCH 02/15] Bug fixes on Control Plane scope updates --- ...raOpsClassificationControlPlaneObjects.ps1 | 2 +- ...ntraOpsClassificationControlPlaneScope.ps1 | 33 +++++++++---------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsClassificationControlPlaneObjects.ps1 b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsClassificationControlPlaneObjects.ps1 index 68e6667..a199841 100644 --- a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsClassificationControlPlaneObjects.ps1 +++ b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsClassificationControlPlaneObjects.ps1 @@ -87,7 +87,7 @@ function Get-EntraOpsClassificationControlPlaneObjects { [object]$AzureHighPrivilegedRoles = ("Owner", "Role Based Access Control Administrator", "User Access Administrator") , [Parameter(Mandatory = $false)] - [string]$AzureHighPrivilegedScopes = "*" + [object]$AzureHighPrivilegedScopes = "*" , [Parameter(Mandatory = $false)] [string]$ExposureCriticalityLevel = "<1" 
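Review bot: Widening `$AzureHighPrivilegedScopes` from `[string]` to `[object]` removes all type checking on a parameter that decides which Azure scopes count as Control Plane; `[string[]]$AzureHighPrivilegedScopes = "*"` keeps the same default, accepts an array of scope ids, and still rejects e.g. a hashtable passed by mistake. The function's parameter block continues outside the hunk.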
diff --git a/EntraOps/Public/PrivilegedAccess/Update-EntraOpsClassificationControlPlaneScope.ps1 b/EntraOps/Public/PrivilegedAccess/Update-EntraOpsClassificationControlPlaneScope.ps1
index fc7ea97..2ed4786 100644
--- a/EntraOps/Public/PrivilegedAccess/Update-EntraOpsClassificationControlPlaneScope.ps1
+++ b/EntraOps/Public/PrivilegedAccess/Update-EntraOpsClassificationControlPlaneScope.ps1
@@ -89,7 +89,7 @@ function Update-EntraOpsClassificationControlPlaneScope {
 [object]$AzureHighPrivilegedRoles = ("Owner", "Role Based Access Control Administrator", "User Access Administrator")
 ,
 [Parameter(Mandatory = $false)]
-[string]$AzureHighPrivilegedScopes = "*"
+[object]$AzureHighPrivilegedScopes = ("*")
 ,
 [Parameter(Mandatory = $false)]
 [string]$ExposureCriticalityLevel = "<1"
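Review bot: `[object]$AzureHighPrivilegedScopes = ("*")` does not produce an array — in PowerShell parentheses only group, so the default is still the scalar string `"*"` and any later `-contains`/`.Count` logic sees a single string exactly as before the change; if an array default is intended use `@("*")`, and `[string[]]` is the precise type for a list of scope ids. The sibling `Get-EntraOpsClassificationControlPlaneObjects` writes the same default as `"*"`, so the two functions should also agree on one form. The parameter block continues outside the hunk.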
@@ -127,22 +127,24 @@ function Update-EntraOpsClassificationControlPlaneScope { #region Privileged User Write-Output "Identify directory role scope of privileged users..." $PrivilegedUsersWithoutProtection = $PrivilegedObjects | Where-Object { $_.ObjectType -eq "user" -and ($_.RestrictedManagementByRAG -eq $false -and $_.RestrictedManagementByAadRole -eq $False -and $RestrictedManagementByRMAU -eq $False) } - $PrivilegedUserWithRMAU = $PrivilegedObjects | Where-Object { $_.ObjectType -eq "user" -and $_.RestrictedManagementByRMAU -eq $True } - $ScopeNamePrivilegedUsers = $PrivilegedUserWithRMAU.AssignedAdministrativeUnits | Select-Object -Unique id | ForEach-Object { "/administrativeUnits/$($_.id)" } + + # Include all Administrative Units because of Privileged Authentication Admin role assignment on (RM)AU level + $PrivilegedUserWithAU = $PrivilegedObjects | Where-Object { $_.ObjectType -eq "user" -and $null -ne $_.AssignedAdministrativeUnits } + $ScopeNamePrivilegedUsers = $PrivilegedUserWithAU.AssignedAdministrativeUnits | Select-Object -Unique id | ForEach-Object { "/administrativeUnits/$($_.id)" } if ($PrivilegedUsersWithoutProtection -gt "0") { Write-Warning "Control Plane user without any protection, requires to avoid directory role assignments for user management!" Write-Host $PrivilegedUsersWithoutProtection $ScopeNamePrivilegedUsers += $DirectoryLevelAssignmentScope } + if ($null -ne $ScopeNamePrivilegedUsers) { $ScopeNamePrivilegedUsersJSON = $ScopeNamePrivilegedUsers | Sort-Object | ConvertTo-Json $ScopeNamePrivilegedUsersJSON = $ScopeNamePrivilegedUsersJSON.Replace('[', '').Replace(']', '') $ScopeNamePrivilegedUsersJSON = $ScopeNamePrivilegedUsersJSON -creplace '\s+', ' ' $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', $ScopeNamePrivilegedUsersJSON) - } - else { - Write-Warning "No privileged user in scope of classification!" 
- $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '"/"') + } else { + Write-Warning "No privileged user in scope of classification because of applied protections or restricted management! No requirement to set scope of Privileged User Management." + $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '') } #endregion @@ -165,10 +167,9 @@ function Update-EntraOpsClassificationControlPlaneScope { $ScopeNamePrivilegedDevicesJSON = $ScopeNamePrivilegedDevicesJSON.Replace('[', '').Replace(']', '') $ScopeNamePrivilegedDevicesJSON = $ScopeNamePrivilegedDevicesJSON -creplace '\s+', ' ' $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', $ScopeNamePrivilegedDevicesJSON) - } - else { - Write-Warning "No privileged device in scope of classification!" - $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '"/"') + } else { + Write-Warning "No privileged device in scope of classification! It seems no privileged devices exists in this tenant. No requirement to set scope of Privileged Device Management." + $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '') } #endregion @@ -186,10 +187,9 @@ function Update-EntraOpsClassificationControlPlaneScope { $ScopeNamePrivilegedGroupsJSON = $ScopeNamePrivilegedGroupsJSON.Replace('[', '').Replace(']', '') $ScopeNamePrivilegedGroupsJSON = $ScopeNamePrivilegedGroupsJSON -creplace '\s+', ' ' $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', $ScopeNamePrivilegedGroupsJSON) - } - else { - Write-Warning "No privileged groups in scope of classification!" - $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '"/"') + } else { + Write-Warning "No privileged group in scope of classification because of applied protections or restricted management! No requirement to set scope of Privileged Group Management." + $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '') } #endregion 
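Review bot: The `$PrivilegedUsersWithoutProtection` filter tests `$RestrictedManagementByRMAU -eq $False` without the `$_.` prefix, so it reads an undefined variable (`$null`), the comparison is never true and the result is always empty; as a consequence the "Control Plane user without any protection" warning never fires and `$DirectoryLevelAssignmentScope` is never added to the user-management scope — the exact case the check exists to catch. Fix: `$_.RestrictedManagementByRMAU -eq $False`. The guard `if ($PrivilegedUsersWithoutProtection -gt "0")` compares objects to a string; `if (@($PrivilegedUsersWithoutProtection).Count -gt 0)` is what is meant. The `.replace('', ...)` calls show an empty search string in this rendering, presumably a placeholder tag lost in extraction — worth verifying, since `String.Replace` with an empty old value throws.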
@@ -216,8 +216,7 @@ function Update-EntraOpsClassificationControlPlaneScope { # Always add also directory level assignment scope becuase of missing protection of service principal by RAG, AAD Role or RMAU assignment $ScopeNamePrivilegedServicePrincipals = $ScopeNameServicePrincipalObject + $ScopeNameApplicationObject + $DirectoryLevelAssignmentScope - } - else { + } else { Write-Warning "No privileged applications found! It's still recommended to avoid (Cloud) Application on directory scope..." $EntraIdRoleClassification = $EntraIdRoleClassification.replace('', '"/"') } From 1f8d01e70a9bb8d593ef833d8d6502595d0420bf Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:09:14 +0100 Subject: [PATCH 03/15] Batch processing for Ingest API --- ...traOpsPrivilegedEAMInsightsCustomTable.ps1 | 34 +++++++++++++++---- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/EntraOps/Public/PrivilegedAccess/Save-EntraOpsPrivilegedEAMInsightsCustomTable.ps1 b/EntraOps/Public/PrivilegedAccess/Save-EntraOpsPrivilegedEAMInsightsCustomTable.ps1 index 889ed9d..18b2b15 100644 --- a/EntraOps/Public/PrivilegedAccess/Save-EntraOpsPrivilegedEAMInsightsCustomTable.ps1 +++ b/EntraOps/Public/PrivilegedAccess/Save-EntraOpsPrivilegedEAMInsightsCustomTable.ps1 
@@ -77,18 +77,38 @@ function Save-EntraOpsPrivilegedEAMInsightsCustomTable { try { $EamFiles = (Get-ChildItem -Path "$($ImportPath)\$($RbacSystem)\$($ObjectType)" -Filter "*.json").FullName - } - catch { + } catch { Write-Warning "No $($RbacSystem).json found!" } + if ($EamFiles.Count -gt 0) { Write-Host "Upload classification data for object type: $($ObjectType)" - $EamSummary = @() - $EamSummary += $EamFiles | ForEach-Object { - Get-Content $_ | ConvertFrom-Json -Depth 10 + + # Loop through files in batches of 50 to avoid errors hitting the 1Mb file limit for DCRs + for ($i = 0; $i -lt $EamFiles.Count; $i += 50) { + # Select the current batch of 50 files + $Batch = $EamFiles[$i..([math]::Min($i + 49, $EamFiles.Count - 1))] + + # Process the batch + $EamSummary = @() + $EamSummary += $Batch | ForEach-Object { + # Check that each item is indeed a file before processing + if (Test-Path $_ -PathType Leaf) { + Get-Content $_ | ConvertFrom-Json -Depth 10 + } else { + Write-Warning "Skipped non-file item: $_" + } + } + + if ($EamSummary.Count -ne 0) { + $Json = $EamSummary | ConvertTo-Json -Depth 10 + + # Send the batch to the API + Push-EntraOpsLogsIngestionAPI -TableName $TableName -JsonContent $json -DataCollectionRuleName $DataCollectionRuleName -DataCollectionResourceGroupName $DataCollectionResourceGroupName -DataCollectionRuleSubscriptionId $DataCollectionRuleSubscriptionId + } + + Write-Host "Processed batch of $($EamSummary.Count) files starting at index $i." } - $Json = $EamSummary | ConvertTo-Json -Depth 10 - Push-EntraOpsLogsIngestionAPI -TableName $TableName -JsonContent $json -DataCollectionRuleName $DataCollectionRuleName -DataCollectionResourceGroupName $DataCollectionResourceGroupName -DataCollectionRuleSubscriptionId $DataCollectionRuleSubscriptionId } } } From 50dd589d0c7641a49c45a7bab1045a021ae165bf Mon Sep 17 00:00:00 2001 
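Review bot: Batching by a fixed count of 50 files does not bound the payload that `Push-EntraOpsLogsIngestionAPI` sends — the comment cites a 1 MB DCR limit, but 50 large classification files can still exceed it while 50 tiny ones are needlessly split; size the batch by the serialized JSON instead, e.g. flush when `[System.Text.Encoding]::UTF8.GetByteCount($Json) -gt 1MB`, or at least expose the count as a `$BatchSize` parameter. A failure in one `Push-EntraOpsLogsIngestionAPI` call is not caught, so later batches are still sent and the run ends looking successful for a partially ingested table (hedged: the helper's error behaviour is not visible). The closing `Write-Host` reports `$EamSummary.Count`, which is the number of deserialized objects, not the number of files the message claims. The enclosing function continues outside the hunk.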
From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:10:11 +0100 Subject: [PATCH 04/15] Support to identify Privileged Auth Admin as Control Plane --- .../Get-EntraOpsPrivilegedEAMEntraId.ps1 | 49 ++++++++++--------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMEntraId.ps1 b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMEntraId.ps1 index 911d68e..f2e31bb 100644 --- a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMEntraId.ps1 +++ b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMEntraId.ps1 @@ -51,6 +51,10 @@ function Get-EntraOpsPrivilegedEamEntraId { "RoleId" = "9f06204d-73c1-4d4c-880a-6edb90606fd8" # Azure AD Joined Device Local Administrator "Service" = 'Global Endpoint Management' } + $ControlPlaneRolesWithoutRoleActions += New-Object PSObject -Property @{ + "RoleId" = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13" # Privileged Authentication Administrator + "Service" = 'Privileged User Management' + } #endregion @@ -58,11 +62,9 @@ function Get-EntraOpsPrivilegedEamEntraId { $ClassificationFileName = "Classification_AadResources.json" if (Test-Path -Path "$($DefaultFolderClassification)/$($TenantNameContext)/$($ClassificationFileName)") { $AadClassificationFilePath = "$($DefaultFolderClassification)/$($TenantNameContext)/$($ClassificationFileName)" - } - elseif (Test-Path -Path "$($DefaultFolderClassification)/Templates/$($ClassificationFileName)") { + } elseif (Test-Path -Path "$($DefaultFolderClassification)/Templates/$($ClassificationFileName)") { $AadClassificationFilePath = "$($DefaultFolderClassification)/Templates/$($ClassificationFileName)" - } - else { + } else { Write-Error "Classification file $($ClassificationFileName) not found in $($DefaultFolderClassification). Please run Update-EntraOpsClassificationFiles to download the latest classification files from AzurePrivilegedIAM repository." } #endregion 
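Review bot: The new `ControlPlaneRolesWithoutRoleActions` entry for `7be44c8a-adaf-4e2a-84d6-ab2649e08a13` carries only the inline `# Privileged Authentication Administrator` label, and nothing records why a role with no matching classified role actions is pinned to Control Plane, so a maintainer pruning this list has no basis for keeping it. Suggest a comment on the list such as `# Roles whose effect on other privileged users (e.g. credential or auth-method reset) is not expressed in classified role actions; treated as Control Plane explicitly` — adjust to the actual rationale if it differs. The region and function continue outside the hunk.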
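Review bot: In the classification-file lookup the final `else` branch uses `Write-Error`, which is non-terminating by default, so execution continues with `$AadClassificationFilePath` unset and the later read of that path fails with a less useful message (hedged: the consumer of the variable is outside the hunk). `throw "Classification file $($ClassificationFileName) not found in $($DefaultFolderClassification). Please run Update-EntraOpsClassificationFiles ..."` or `Write-Error ... -ErrorAction Stop` makes the missing template fatal where it is detected. The function continues outside the hunk.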
@@ -70,15 +72,13 @@ function Get-EntraOpsPrivilegedEamEntraId { #region Get all role assignments and global exclusions if ($SampleMode -eq $True) { $AadRbacAssignments = get-content -Path "$EntraOpsBaseFolder/Samples/AadRoleManagementAssignments.json" | ConvertFrom-Json -Depth 10 - } - else { + } else { $AadRbacAssignments = Get-EntraOpsPrivilegedEntraIdRoles -TenantId $TenantId } if ($GlobalExclusion -eq $true) { $GlobalExclusionList = (Get-Content -Path "$DefaultFolderClassification/Global.json" | ConvertFrom-Json -Depth 10).ExcludedPrincipalId - } - else { + } else { $GlobalExclusionList = $null } #endregion @@ -88,16 +88,6 @@ function Get-EntraOpsPrivilegedEamEntraId { $AadRbacClassifications = foreach ($AadRbacAssignment in $AadRbacAssignments) { $Classification = $AadRbacEamScope | Where-Object { $_.ResourceId -eq $CurrentRoleAssignmentScope } | select-object AdminTierLevel, AdminTierLevelName, Service, TaggedBy | Sort-Object AdminTierLevel, AdminTierLevelName, Service - if ($ControlPlaneRolesWithoutRoleActions.RoleId -contains $AadRbacAssignment.RoleId) { - $Classification = $ControlPlaneRolesWithoutRoleActions | Where-Object { $_.RoleId -contains $AadRbacAssignment.RoleId } - $Classification = [PSCustomObject]@{ - 'AdminTierLevel' = "0" - 'AdminTierLevelName' = "ControlPlane" - 'Service' = $Classification.Service - 'TaggedBy' = "ControlPlaneRolesWithoutRoleActions" - } - } - [PSCustomObject]@{ 'RoleAssignmentId' = $AadRbacAssignment.RoleAssignmentId 'RoleAssignmentScopeId' = $AadRbacAssignment.RoleAssignmentScopeId 
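Review bot: The loop body's first line `$Classification = $AadRbacEamScope | Where-Object { $_.ResourceId -eq $CurrentRoleAssignmentScope }` filters on `$CurrentRoleAssignmentScope`, but the loop variable is `$AadRbacAssignment`; unless `$CurrentRoleAssignmentScope` is assigned on a line not shown, every iteration compares against the same (possibly `$null`) value and the scope-based classification is empty or stale. Consider `$_.ResourceId -eq $AadRbacAssignment.RoleAssignmentScopeId` if that is the intent. The foreach and the function continue outside the hunk.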
@@ -124,8 +114,7 @@ function Get-EntraOpsPrivilegedEamEntraId { # Get all role actions for Entra ID roles, role actions are defined tenant wide if ($SampleMode -eq $True) { $AllAadRoleActions = get-content -Path "$EntraOpsBaseFolder/Samples/AadRoleManagementRoleDefinitions.json" | ConvertFrom-Json -Depth 10 - } - else { + } else { $AllAadRoleActions = (Invoke-EntraOpsMsGraphQuery -Method Get -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" -OutputType PSObject) } #endregion 
@@ -151,13 +140,26 @@ function Get-EntraOpsPrivilegedEamEntraId { $MatchedClassificationByScope | Where-Object { $_.RoleDefinitionActions -Contains $Action -and $Classification.ExcludedRoleDefinitionActions -notcontains $_.RoleDefinitionActions } } + $CurrentAadRbacClassification.Classification = New-Object System.Collections.ArrayList + + if ($ControlPlaneRolesWithoutRoleActions.RoleId -contains $CurrentAadRbacClassification.RoleDefinitionId) { + Write-Warning "Apply classification for role $($CurrentAadRbacClassification.RoleDefinitionName) without role actions..." + $Classification = $ControlPlaneRolesWithoutRoleActions | Where-Object { $_.RoleId -contains $CurrentAadRbacClassification.RoleDefinitionId } + $ClassifiedAadRbacRoleWithoutActions = [PSCustomObject]@{ + 'AdminTierLevel' = "0" + 'AdminTierLevelName' = "ControlPlane" + 'Service' = $Classification.Service + 'TaggedBy' = "ControlPlaneWithoutRoleActions" + } + $CurrentAadRbacClassification.Classification.Add( $ClassifiedAadRbacRoleWithoutActions ) | Out-Null + } + if (($AadRoleActionsInJsonDefinition.Count -gt 0)) { $ClassifiedAadRbacRoleWithActions = @() foreach ($AadRoleAction in $AadRoleActions.rolePermissions.allowedResourceActions) { $ClassifiedAadRbacRoleWithActions += $AadRoleActionsInJsonDefinition | Where-Object { $AadRoleAction -in $_.RoleDefinitionActions } } $ClassifiedAadRbacRoleWithActions = $ClassifiedAadRbacRoleWithActions | select-object -Unique EAMTierLevelName, EAMTierLevelTagValue, Service | Sort-Object EAMTierLevelTagValue, Service - $CurrentAadRbacClassification.Classification = New-Object System.Collections.ArrayList $ClassifiedAadRbacRoleWithActions | ForEach-Object { $ClassifiedRoleAction = [PSCustomObject]@{ 'AdminTierLevel' = $_.EAMTierLevelTagValue 
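Review bot: The new block reassigns `$Classification` to the matched `$ControlPlaneRolesWithoutRoleActions` row, while the `Where-Object` at the top of this hunk reads `$Classification.ExcludedRoleDefinitionActions` earlier in the same function; if the enclosing iteration (which starts and ends outside the hunk) reads `$Classification` again after this point, it now sees the control-plane row instead of the classification definition. A distinct name avoids that, e.g. `$ControlPlaneRole = $ControlPlaneRolesWithoutRoleActions | Where-Object { $_.RoleId -eq $CurrentAadRbacClassification.RoleDefinitionId }` with `'Service' = $ControlPlaneRole.Service` (`-eq` rather than `-contains`, since `RoleId` is a single string). `Write-Warning` is used for an expected classification step, so every run emits one warning per matched role; `Write-Verbose` is the conventional stream for progress messages in this module (see the `Write-Verbose` calls in New-EntraOpsConfigFile on this page). The tag written here is `ControlPlaneWithoutRoleActions` whereas the removed code tagged `ControlPlaneRolesWithoutRoleActions`; anything filtering on `TaggedBy` should be checked against the new value.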
@@ -167,8 +169,9 @@ function Get-EntraOpsPrivilegedEamEntraId { } $CurrentAadRbacClassification.Classification.Add( $ClassifiedRoleAction ) | Out-Null } - } - $CurrentAadRbacClassification | sort-object AdminTierLevel, AdminTierLevelName, Service + } + + $CurrentAadRbacClassification } #endregion From 1fe38035cc986a93481db372c8fbc259bd44f64b Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:10:41 +0100 Subject: [PATCH 05/15] Added support for EligibilityBy and enhanced PIM for Groups support --- Parsers/PrivilegedEAM_WatchLists.yaml | 54 ++++++++++++++++----------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/Parsers/PrivilegedEAM_WatchLists.yaml b/Parsers/PrivilegedEAM_WatchLists.yaml index 6fcb050..4e2c505 100644 --- a/Parsers/PrivilegedEAM_WatchLists.yaml +++ b/Parsers/PrivilegedEAM_WatchLists.yaml 
@@ -11,27 +11,37 @@ Description: | This parser is used to have a standarized schema of EntraOps classification of Privileged EAM. ParserName: PrivilegedEAM ParserQuery: | - _GetWatchlist('EntraOps_Principals') - | join kind=inner ( _GetWatchlist('EntraOps_RoleAssignments') - | extend RoleAssignment = bag_pack_columns( - Classification, - ObjectId, - ObjectType, - PIMAssignmentType, - PIMManagedRole, - RoleAssignmentId, - RoleAssignmentScopeId, - RoleAssignmentScopeName, - RoleAssignmentType, - RoleDefinitionId, - RoleDefinitionName, - RoleIsPrivileged, - RoleType, - TransitiveByObjectDisplayName, - TransitiveByObjectId - ) - | summarize RoleAssignments = make_set(RoleAssignment) by ObjectId, RoleSystem - ) on ObjectId, RoleSystem + _GetWatchlist('EntraOpsBeta_Principals') + | join kind=inner ( + _GetWatchlist('EntraOpsBeta_RoleAssignments') + | extend EligibilityBy = case( + RoleSystem == "EntraID" and PIMAssignmentType == "Eligible", "PIM for Entra ID Roles", + RoleSystem == "EntraID" and PIMAssignmentType == "Eligible" and (RoleAssignmentSubType == "Nested Eligible member" or RoleAssignmentSubType == "Eligible member"), "PIM for Entra ID Roles and Groups", + RoleAssignmentSubType == "Nested Eligible group member" or RoleAssignmentSubType == "Eligible member", "PIM for Groups", + "N/A") + | extend TransitiveByPim = iff((RoleAssignmentSubType == "Nested Eligible member" or RoleAssignmentSubType == "Eligible member"), true, false) + | extend RoleAssignment = bag_pack_columns( + Classification, + ObjectId, + ObjectType, + EligibilityBy, + PIMAssignmentType, + PIMManagedRole, + RoleAssignmentId, + RoleAssignmentScopeId, + RoleAssignmentScopeName, + RoleAssignmentType, + RoleAssignmentSubType, + RoleDefinitionId, + RoleDefinitionName, + RoleIsPrivileged, + RoleType, + TransitiveByPim, + TransitiveByObjectDisplayName, + TransitiveByObjectId + ) + | summarize RoleAssignments = make_set(RoleAssignment) by ObjectId, RoleSystem + ) on ObjectId, RoleSystem | extend Type = 
"EntraOps_WatchLists" | project-rename TimeGenerated = LastUpdatedTimeUTC | project-away _DTItemId, SearchKey, ObjectId1, RoleSystem1, Tags, UniqueId @@ -57,4 +67,4 @@ ParserQuery: | OwnedDevices, AssociatedWorkAccount, AssociatedPawDevice, - Type \ No newline at end of file + Type From ae8cf17957bbd367cd331116d03ca32993297683 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:10:48 +0100 Subject: [PATCH 06/15] Update version to 0.3.3 --- EntraOps/EntraOps.psd1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EntraOps/EntraOps.psd1 b/EntraOps/EntraOps.psd1 index 48a950e..32ebf18 100644 --- a/EntraOps/EntraOps.psd1 +++ b/EntraOps/EntraOps.psd1 @@ -12,7 +12,7 @@ RootModule = 'EntraOps.psm1' # Version number of this module. - ModuleVersion = '0.3.2' + ModuleVersion = '0.3.3' # Supported PSEditions CompatiblePSEditions = 'Core', 'Desktop' From a64e724d2c8e3af0c41ebf2d51519ee27c4e1504 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sat, 2 Nov 2024 16:12:41 +0100 Subject: [PATCH 07/15] Adding tenant root group as default for high privileged scopes --- .../Configuration/New-EntraOpsConfigFile.ps1 | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/EntraOps/Public/Configuration/New-EntraOpsConfigFile.ps1 b/EntraOps/Public/Configuration/New-EntraOpsConfigFile.ps1 index f41bc6c..93f0445 100644 --- a/EntraOps/Public/Configuration/New-EntraOpsConfigFile.ps1 +++ b/EntraOps/Public/Configuration/New-EntraOpsConfigFile.ps1 @@ -99,8 +99,7 @@ function New-EntraOpsConfigFile { # Get TenantId try { $TenantId = (Invoke-RestMethod -Uri ("https://login.windows.net/$($TenantName)/.well-known/openid-configuration")).token_endpoint.split('/')[3] - } - catch { + } catch { Write-Error "Can't find tenant with name $TenantName. Error: $_" } 
@@ -109,15 +108,13 @@ function New-EntraOpsConfigFile { if ($AzContext.Tenant.Id -ne $TenantId) { Write-Verbose "Call Connect-AzAccount to $($TenantId)..." Connect-AzAccount -TenantId $TenantId - } - else { + } else { Write-Verbose "Already connected to $($AzContext.Tenant.Id)" } try { $TenantDetails = Get-AzTenant -TenantId $TenantId - } - catch { + } catch { Write-Error "Failed to get Tenant details for TenantId $TenantId. Error: $_" } #endregion @@ -140,7 +137,7 @@ function New-EntraOpsConfigFile { PrivilegedObjectClassificationSource = ("EntraOps", "PrivilegedRolesFromAzGraph", "PrivilegedEdgesFromExposureManagement") EntraOpsScopes = ("EntraID", "IdentityGovernance", "ResourceApps", "DeviceManagement") AzureHighPrivilegedRoles = ("Owner", "Role Based Access Control Administrator", "User Access Administrator") - AzureHighPrivilegedScopes = ("/") + AzureHighPrivilegedScopes = ("/", "/providers/microsoft.management/managementgroups/$($TenantId)") ExposureCriticalityLevel = "<1" } AutomatedClassificationUpdate = [ordered]@{ @@ -196,8 +193,7 @@ function New-EntraOpsConfigFile { try { Write-Output "Writing configuration file to $($ConfigFilePath)..." $EnvConfigSchema | ConvertTo-Json | Out-File -Path $($ConfigFilePath) - } - catch { + } catch { Write-Error "Failed to write configuration file to $($ConfigFilePath). Error: $_" } #endregion From 3b4ae5f0323477cd71749ca7c93a9d2c486f9be3 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Sun, 3 Nov 2024 18:09:29 +0100 Subject: [PATCH 08/15] Fixed order of ResourceApps by tiered levels --- .../Get-EntraOpsPrivilegedEAMResourceApps.ps1 | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 index 4bdab2e..5474f9b 100644 --- a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 
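Review bot: The new `AzureHighPrivilegedScopes` entry interpolates `$TenantId`, which is resolved in the `try` block earlier in this function whose `catch` only calls `Write-Error` and does not stop; if that lookup fails the written scope is the bare prefix `/providers/microsoft.management/managementgroups/`, which matches nothing — or everything beneath it, depending on how the consumer compares — and the broken value lands in the config file. A guard before the schema is built, e.g. `if (-not $TenantId) { throw "TenantId could not be resolved; aborting config generation" }`, keeps that out. A comment on the entry would help readers who do not know that the tenant root management group is named after the tenant ID: `# Tenant Root Group: the root management group's name is the tenant ID`. Azure resource IDs for management groups are usually written `/providers/Microsoft.Management/managementGroups/…`; if the consumer compares case-sensitively (KQL `==` does), the lowercase form here will not match — worth confirming where the value is consumed, as the consumer is not visible here. New-EntraOpsConfigFile continues outside the hunk.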
+++ b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 @@ -39,11 +39,9 @@ function Get-EntraOpsPrivilegedEamResourceApps { $ClassificationFileName = "Classification_AppRoles.json" if (Test-Path -Path "$($DefaultFolderClassification)/$($TenantNameContext)/$($ClassificationFileName)") { $ResourceAppsClassificationFilePath = "$($DefaultFolderClassification)/$($TenantNameContext)/$($ClassificationFileName)" - } - elseif (Test-Path -Path "$($DefaultFolderClassification)/Templates/$($ClassificationFileName)") { + } elseif (Test-Path -Path "$($DefaultFolderClassification)/Templates/$($ClassificationFileName)") { $ResourceAppsClassificationFilePath = "$($DefaultFolderClassification)/Templates/$($ClassificationFileName)" - } - else { + } else { Write-Error "Classification file $($ClassificationFileName) not found in $($DefaultFolderClassification). Please run Update-EntraOpsClassificationFiles to download the latest classification files from AzurePrivilegedIAM repository." } @@ -52,14 +50,12 @@ function Get-EntraOpsPrivilegedEamResourceApps { # Get all role assignments and global exclusions if ($SampleMode -ne $True) { $AppRoleAssignments = Get-EntraOpsPrivilegedAppRoles -TenantId $TenantId - } - else { + } else { Write-Warning "Currently not supported!" } if ($GlobalExclusion -eq $true) { $GlobalExclusionList = (Get-Content -Path "$DefaultFolderClassification/Global.json" | ConvertFrom-Json -Depth 10).ExcludedPrincipalId - } - else { + } else { $GlobalExclusionList = $null } #endregion 
@@ -78,7 +74,7 @@ function Get-EntraOpsPrivilegedEamResourceApps { $Classification = @() if (($AppRoleInJsonDefinition.Count -gt 0)) { $ClassifiedAppRole = @() - $ClassifiedAppRole += $AppRoleInJsonDefinition | select-object -Unique EAMTierLevelName, EAMTierLevelTagValue, Service + $ClassifiedAppRole += $AppRoleInJsonDefinition | select-object -Unique EAMTierLevelName, EAMTierLevelTagValue, Service | Sort-Object EAMTierLevelTagValue, EAMTierLevelName, Service $Classification += $ClassifiedAppRole | ForEach-Object { [PSCustomObject]@{ 'AdminTierLevel' = $_.EAMTierLevelTagValue @@ -87,8 +83,7 @@ function Get-EntraOpsPrivilegedEamResourceApps { 'TaggedBy' = "JSONwithAction" } } - } - else { + } else { $Classification += [PSCustomObject]@{ 'AdminTierLevel' = "Unclassified" 'AdminTierLevelName' = "Unclassified" @@ -102,6 +97,7 @@ function Get-EntraOpsPrivilegedEamResourceApps { 'Classification' = $Classification } } + $AppRoleClassificationsByJSON = $AppRoleClassificationsByJSON | sort-object -property @{e = { $_.Classification.AdminTierLevel } } #endregion #region Classify App Role Assignments 
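Review bot: The sort key `@{e = { $_.Classification.AdminTierLevel } }` evaluates to a collection whenever an entry carries more than one classification (the `$Classification += …` branches above build an array), and `Sort-Object` compares such collections by their string form, so the resulting order is not the tier order the commit title describes. Picking one scalar per entry makes the sort deterministic, e.g. `@{ e = { $_.Classification.AdminTierLevel | Sort-Object | Select-Object -First 1 } }` (lowest tier first). `AdminTierLevel` appears to be populated with strings (`"Unclassified"` in the `else` branch above), so even the scalar sort is lexicographic; a comment such as `# AdminTierLevel is a string; lexicographic order places "0" before "Unclassified"` would keep that from surprising the next reader. The same key is used on `$AppRoleClassifications` in the next hunk (`@@ -109,11 +105,13 @@`) and should be changed the same way. Get-EntraOpsPrivilegedEamResourceApps continues outside the hunk.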
@@ -109,11 +105,13 @@ function Get-EntraOpsPrivilegedEamResourceApps { $AppRoleAssignment = $AppRoleAssignment | Select-Object -ExcludeProperty Classification $Classification = @() $ClassificationCollection = ($AppRoleClassificationsByJSON | Where-Object { $_.RoleAssignmentScope -eq $AppRoleAssignment.RoleAssignmentScope -and $_.RoleDefinitionId -eq $AppRoleAssignment.RoleDefinitionId }) - $Classification += $ClassificationCollection.Classification | select-object -Unique AdminTierLevel, AdminTierLevelName, Service, TaggedBy | Sort-Object -Unique AdminTierLevel, AdminTierLevelName, Service, TaggedBy + $ClassificationCollection.Classification = $ClassificationCollection.Classification | Sort-Object AdminTierLevel, AdminTierLevelName, Service + $Classification += $ClassificationCollection.Classification | select-object -Unique AdminTierLevel, AdminTierLevelName, Service, TaggedBy $AppRoleAssignment | Add-Member -NotePropertyName "Classification" -NotePropertyValue $Classification -Force $AppRoleAssignment } #endregion + $AppRoleClassifications = $AppRoleClassifications | sort-object -property @{e = { $_.Classification.AdminTierLevel } }, RoleDefinitionName #region Add classification and details of Service Principals to output Write-Host "Classifiying of all assigned privileged app roles to service principals..." @@ -131,7 +129,7 @@ function Get-EntraOpsPrivilegedEamResourceApps { # Classification $Classification = @() - $Classification += $AppRoleClassification + $Classification += $AppRoleClassification | Sort-Object AdminTierLevel, AdminTierLevelName, Service if ($Classification.Count -eq 0) { $Classification += [PSCustomObject]@{ 'AdminTierLevel' = "Unclassified" From 59d628c3faac8a3402947ebfabb39ffa5f5f8e9b Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Mon, 4 Nov 2024 16:25:21 +0100 Subject: [PATCH 09/15] Fixed missing property error --- .../Get-EntraOpsPrivilegedEAMResourceApps.ps1 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 index 5474f9b..bc233b6 100644 --- a/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 +++ b/EntraOps/Public/PrivilegedAccess/Get-EntraOpsPrivilegedEAMResourceApps.ps1 @@ -105,8 +105,10 @@ function Get-EntraOpsPrivilegedEamResourceApps { $AppRoleAssignment = $AppRoleAssignment | Select-Object -ExcludeProperty Classification $Classification = @() $ClassificationCollection = ($AppRoleClassificationsByJSON | Where-Object { $_.RoleAssignmentScope -eq $AppRoleAssignment.RoleAssignmentScope -and $_.RoleDefinitionId -eq $AppRoleAssignment.RoleDefinitionId }) - $ClassificationCollection.Classification = $ClassificationCollection.Classification | Sort-Object AdminTierLevel, AdminTierLevelName, Service - $Classification += $ClassificationCollection.Classification | select-object -Unique AdminTierLevel, AdminTierLevelName, Service, TaggedBy + if ($ClassificationCollection.Classification.Count -gt 0) { + $Classification += $ClassificationCollection.Classification | Sort-Object AdminTierLevel, AdminTierLevelName, Service + $Classification += $ClassificationCollection.Classification | select-object -Unique AdminTierLevel, AdminTierLevelName, Service, TaggedBy + } $AppRoleAssignment | Add-Member -NotePropertyName "Classification" -NotePropertyValue $Classification -Force $AppRoleAssignment } From d162441b031ea7f7da7cc624d7e527a17e5b355e Mon Sep 17 00:00:00 2001 
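Review bot: Inside the new `if`, both lines append to `$Classification`, so each classification row is added twice — once as the full sorted object and once as the four-column `Select-Object -Unique` projection — and any consumer that expands `Classification` will double count app-role classifications. The first line looks like a leftover of the removed property assignment; the two steps belong in one pipeline: `$Classification += $ClassificationCollection.Classification | Sort-Object AdminTierLevel, AdminTierLevelName, Service | Select-Object -Unique AdminTierLevel, AdminTierLevelName, Service, TaggedBy`. `.Count -gt 0` on a possibly single `PSCustomObject` relies on PowerShell's scalar `Count` property, which works but deserves a short comment so nobody "fixes" it into `@(...)`. Get-EntraOpsPrivilegedEamResourceApps continues outside the hunk.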
From: Thomas Naunheim Date: Tue, 26 Nov 2024 07:07:27 +0100 Subject: [PATCH 10/15] Updated parser and workbook --- Parsers/PrivilegedEAM_CustomTable.json | 4 ++-- Parsers/PrivilegedEAM_CustomTable.yaml | 19 +++++++++++++++++-- Parsers/PrivilegedEAM_WatchLists.json | 4 ++-- Parsers/PrivilegedEAM_WatchLists.yaml | 6 +++--- .../EntraOps Privileged EAM - Overview.json | 2 +- ...ntraOps Privileged EAM - Overview.workbook | 4 ++-- 6 files changed, 27 insertions(+), 12 deletions(-) diff --git a/Parsers/PrivilegedEAM_CustomTable.json b/Parsers/PrivilegedEAM_CustomTable.json index e234767..d45786f 100644 --- a/Parsers/PrivilegedEAM_CustomTable.json +++ b/Parsers/PrivilegedEAM_CustomTable.json 
@@ -35,8 +35,8 @@ "displayName": "EntraOps Privileged EAM Parser for Custom Table", "category": "EntraOps", "FunctionAlias": "PrivilegedEAM", - "query": "PrivilegedEAM_CL\r\n| where TimeGenerated > ago(1d)\r\n| summarize arg_max(TimeGenerated, *) by ObjectId,RoleSystem\r\n| project-away TenantId\r\n| extend Type = \"EntraOps_CustomTable\"\r\n| project-reorder \r\n TimeGenerated,\r\n ObjectId,\r\n ObjectType,\r\n ObjectSubType,\r\n ObjectDisplayName,\r\n ObjectUserPrincipalName,\r\n ObjectAdminTierLevel,\r\n ObjectAdminTierLevelName,\r\n OnPremSynchronized,\r\n AssignedAdministrativeUnits,\r\n RestrictedManagementByRAG,\r\n RestrictedManagementByAadRole,\r\n RestrictedManagementByRMAU,\r\n RoleSystem,\r\n Classification,\r\n RoleAssignments,\r\n Owners,\r\n OwnedObjects,\r\n OwnedDevices,\r\n AssociatedWorkAccount,\r\n AssociatedPawDevice,\r\n Type", - "version": 1, + "query": "PrivilegedEAM_CL\r\n| where TimeGenerated > ago(1d)\r\n| summarize arg_max(TimeGenerated, *) by ObjectId,RoleSystem\r\n| project-away TenantId\r\n| extend Type = \"EntraOps_CustomTable\"\r\n| mv-apply RoleAssignments on\r\n(\r\n extend RoleAssignments = bag_merge(\r\n RoleAssignments,\r\n bag_pack(\r\n \"EligibilityBy\", case(\r\n RoleSystem == \"EntraID\" and RoleAssignments.PIMAssignmentType == \"Eligible\", \"PIM for Entra ID Roles\",\r\n RoleSystem == \"EntraID\" and RoleAssignments.PIMAssignmentType == \"Eligible\" and (RoleAssignments.RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignments.RoleAssignmentSubType == \"Eligible member\"), \"PIM for Entra ID Roles and Groups\",\r\n RoleAssignments.RoleAssignmentSubType == \"Nested Eligible group member\" or RoleAssignments.RoleAssignmentSubType == \"Eligible member\", \"PIM for Groups\",\r\n \"N/A\"),\r\n \"TransitiveByPim\", iff((RoleAssignments.RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignments.RoleAssignmentSubType == \"Eligible member\"), true, false)\r\n )\r\n )\r\n | summarize RoleAssignments = 
make_list(RoleAssignments)\r\n)\r\n| project-reorder \r\n TimeGenerated,\r\n ObjectId,\r\n ObjectType,\r\n ObjectSubType,\r\n ObjectDisplayName,\r\n ObjectUserPrincipalName,\r\n ObjectAdminTierLevel,\r\n ObjectAdminTierLevelName,\r\n OnPremSynchronized,\r\n AssignedAdministrativeUnits,\r\n RestrictedManagementByRAG,\r\n RestrictedManagementByAadRole,\r\n RestrictedManagementByRMAU,\r\n RoleSystem,\r\n Classification,\r\n RoleAssignments,\r\n Owners,\r\n OwnedObjects,\r\n OwnedDevices,\r\n AssociatedWorkAccount,\r\n AssociatedPawDevice,\r\n Type", + "version": 2, "functionParameters": "" } } diff --git a/Parsers/PrivilegedEAM_CustomTable.yaml b/Parsers/PrivilegedEAM_CustomTable.yaml index dab9a2d..8abd878 100644 --- a/Parsers/PrivilegedEAM_CustomTable.yaml +++ b/Parsers/PrivilegedEAM_CustomTable.yaml @@ -1,7 +1,7 @@ Parser: Title: PrivilegedEAM (Custom Table) - Version: 0.1 - LastUpdated: 2024-06-21 + Version: 0.2 + LastUpdated: 2024-11-26 Product: Name: EntraOps References: 
@@ -16,6 +16,21 @@ ParserQuery: | | summarize arg_max(TimeGenerated, *) by ObjectId,RoleSystem | project-away TenantId | extend Type = "EntraOps_CustomTable" + | mv-apply RoleAssignments on + ( + extend RoleAssignments = bag_merge( + RoleAssignments, + bag_pack( + "EligibilityBy", case( + RoleSystem == "EntraID" and RoleAssignments.PIMAssignmentType == "Eligible", "PIM for Entra ID Roles", + RoleSystem == "EntraID" and RoleAssignments.PIMAssignmentType == "Eligible" and (RoleAssignments.RoleAssignmentSubType == "Nested Eligible member" or RoleAssignments.RoleAssignmentSubType == "Eligible member"), "PIM for Entra ID Roles and Groups", + RoleAssignments.RoleAssignmentSubType == "Nested Eligible group member" or RoleAssignments.RoleAssignmentSubType == "Eligible member", "PIM for Groups", + "N/A"), + "TransitiveByPim", iff((RoleAssignments.RoleAssignmentSubType == "Nested Eligible member" or RoleAssignments.RoleAssignmentSubType == "Eligible member"), true, false) + ) + ) + | summarize RoleAssignments = make_list(RoleAssignments) + ) | project-reorder TimeGenerated, ObjectId, diff --git a/Parsers/PrivilegedEAM_WatchLists.json b/Parsers/PrivilegedEAM_WatchLists.json index 309fb7c..706d8fd 100644 --- a/Parsers/PrivilegedEAM_WatchLists.json +++ b/Parsers/PrivilegedEAM_WatchLists.json 
@@ -35,8 +35,8 @@ "displayName": "EntraOps Privileged EAM Parser for WatchLists", "category": "EntraOps", "FunctionAlias": "PrivilegedEAM", - "query": "_GetWatchlist('EntraOps_Principals')\n| join kind=inner ( _GetWatchlist('EntraOps_RoleAssignments')\n| extend RoleAssignment = bag_pack_columns(\n Classification,\n ObjectId,\n ObjectType,\n PIMAssignmentType,\n PIMManagedRole,\n RoleAssignmentId,\n RoleAssignmentScopeId,\n RoleAssignmentScopeName,\n RoleAssignmentType,\n RoleDefinitionId,\n RoleDefinitionName,\n RoleIsPrivileged,\n RoleType,\n TransitiveByObjectDisplayName,\n TransitiveByObjectId\n )\n| summarize RoleAssignments = make_set(RoleAssignment) by ObjectId, RoleSystem\n) on ObjectId, RoleSystem\n| extend Type = \"EntraOps_WatchLists\"\n| project-rename TimeGenerated = LastUpdatedTimeUTC\n| project-away _DTItemId, SearchKey, ObjectId1, RoleSystem1, Tags, UniqueId\n| project-reorder \n TimeGenerated,\n ObjectId,\n ObjectType,\n ObjectSubType,\n ObjectDisplayName,\n ObjectUserPrincipalName,\n ObjectAdminTierLevel,\n ObjectAdminTierLevelName,\n OnPremSynchronized,\n AssignedAdministrativeUnits,\n RestrictedManagementByRAG,\n RestrictedManagementByAadRole,\n RestrictedManagementByRMAU,\n RoleSystem,\n Classification,\n RoleAssignments,\n Owners,\n OwnedObjects,\n OwnedDevices,\n AssociatedWorkAccount,\n AssociatedPawDevice,\n Type", - "version": 1, + "query": "_GetWatchlist('EntraOps_Principals')\n| join kind=inner (\n _GetWatchlist('EntraOps_RoleAssignments')\n | project-rename PimAssignmentType = PIMAssignmentType, PimManagedRole = PIMManagedRole\n | extend EligibilityBy = case(\n RoleSystem == \"EntraID\" and PimAssignmentType == \"Eligible\", \"PIM for Entra ID Roles\",\n RoleSystem == \"EntraID\" and PimAssignmentType == \"Eligible\" and (RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\"), \"PIM for Entra ID Roles and Groups\",\n RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType 
== \"Eligible member\", \"PIM for Groups\",\n \"N/A\") \n | extend TransitiveByPim = iff((RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\"), true, false)\n | extend RoleAssignment = bag_pack_columns(\n Classification,\n ObjectId,\n ObjectType,\n EligibilityBy,\n PimAssignmentType,\n PimManagedRole,\n RoleAssignmentId,\n RoleAssignmentScopeId,\n RoleAssignmentScopeName,\n RoleAssignmentType,\n RoleAssignmentSubType,\n RoleDefinitionId,\n RoleDefinitionName,\n RoleIsPrivileged,\n RoleType,\n TransitiveByPim,\n TransitiveByObjectDisplayName,\n TransitiveByObjectId\n )\n | summarize RoleAssignments = make_set(RoleAssignment) by ObjectId, RoleSystem\n ) on ObjectId, RoleSystem\n| extend Type = \"EntraOps_WatchLists\"\n| project-rename TimeGenerated = LastUpdatedTimeUTC\n| project-away _DTItemId, SearchKey, ObjectId1, RoleSystem1, Tags, UniqueId\n| project-reorder \n TimeGenerated,\n ObjectId,\n ObjectType,\n ObjectSubType,\n ObjectDisplayName,\n ObjectUserPrincipalName,\n ObjectAdminTierLevel,\n ObjectAdminTierLevelName,\n OnPremSynchronized,\n AssignedAdministrativeUnits,\n RestrictedManagementByRAG,\n RestrictedManagementByAadRole,\n RestrictedManagementByRMAU,\n RoleSystem,\n Classification,\n RoleAssignments,\n Owners,\n OwnedObjects,\n OwnedDevices,\n AssociatedWorkAccount,\n AssociatedPawDevice,\n Type", + "version": 2, "functionParameters": "" } } diff --git a/Parsers/PrivilegedEAM_WatchLists.yaml b/Parsers/PrivilegedEAM_WatchLists.yaml index 4e2c505..868421d 100644 --- a/Parsers/PrivilegedEAM_WatchLists.yaml +++ b/Parsers/PrivilegedEAM_WatchLists.yaml @@ -1,7 +1,7 @@ Parser: Title: PrivilegedEAM (WatchLists) Version: 0.1 - LastUpdated: 2024-06-21 + LastUpdated: 2024-11-26 Product: Name: EntraOps References: 
@@ -11,9 +11,9 @@ Description: | This parser is used to have a standarized schema of EntraOps classification of Privileged EAM. ParserName: PrivilegedEAM ParserQuery: | - _GetWatchlist('EntraOpsBeta_Principals') + _GetWatchlist('EntraOps_Principals') | join kind=inner ( - _GetWatchlist('EntraOpsBeta_RoleAssignments') + _GetWatchlist('EntraOps_RoleAssignments') | extend EligibilityBy = case( RoleSystem == "EntraID" and PIMAssignmentType == "Eligible", "PIM for Entra ID Roles", RoleSystem == "EntraID" and PIMAssignmentType == "Eligible" and (RoleAssignmentSubType == "Nested Eligible member" or RoleAssignmentSubType == "Eligible member"), "PIM for Entra ID Roles and Groups", diff --git a/Workbooks/EntraOps Privileged EAM - Overview.json b/Workbooks/EntraOps Privileged EAM - Overview.json index bd74cd7..d49c644 100644 --- a/Workbooks/EntraOps Privileged EAM - Overview.json +++ b/Workbooks/EntraOps Privileged EAM - Overview.json 
@@ -40,7 +40,7 @@ "kind": "shared", "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"/subscriptions/4d3e5b65-8a52-4b2f-b5cd-1670c700136b/resourceGroups/lab-mgmt/providers/Microsoft.OperationalInsights/workspaces/lab-la-4d3e5b65-8a52-4b2f-b5cd-1670c700136b\"},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier 
Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| distinct Service\\r\\n| order by Service asc\\r\\n| project Value = 
tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in 
({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = 
parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by 
count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName 
contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDig
its\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == 
\\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not 
applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, AssignedAdministrativeUnits, tostring(RestrictedAssignments)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment = RoleAssignmentSubType,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, 
TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"privilegedeam\"]}", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\null},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = 
RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| 
distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand 
Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend 
Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by 
RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", 
RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| 
where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged 
access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend 
OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, tostring(RestrictedAssignments), 
tostring(AssignedAdministrativeUnits)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| extend TransitiveByAssignment = column_ifexists(\\\"RoleAssignmentSubType\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, 
RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure active directory\"]}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/Workbooks/EntraOps Privileged EAM - Overview.workbook b/Workbooks/EntraOps Privileged EAM - Overview.workbook index 8997a34..0e44cf0 100644 --- a/Workbooks/EntraOps Privileged EAM - Overview.workbook +++ b/Workbooks/EntraOps Privileged EAM - Overview.workbook 
@@ -514,7 +514,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "PrivilegedEAM\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\r\n| extend RestrictedManagement = case(\r\n ObjectType == \"serviceprincipal\", \"Not available\", \r\n ObjectType == \"group\" and ObjectSubType == \"Role-assignable\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \"True\", \"Conflict\",\r\n ObjectType == \"group\" and ObjectSubType != \"Role-assignable\" and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"group\" and ObjectSubType == \"security\" and RestrictedManagementByRMAU == True, \"Applied\",\r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \"Applied\", \r\n ObjectType == \"user\" and 
RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \"Permanent\", \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n \"Not applied\")\r\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, AssignedAdministrativeUnits, tostring(RestrictedAssignments)\r\n| sort by ObjectDisplayName", + "query": "PrivilegedEAM\r\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\r\n| extend RestrictedManagement = case(\r\n ObjectType == \"serviceprincipal\", \"Not available\", \r\n ObjectType == \"group\" and ObjectSubType == \"Role-assignable\" and 
parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \"True\", \"Conflict\",\r\n ObjectType == \"group\" and ObjectSubType != \"Role-assignable\" and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"group\" and ObjectSubType == \"security\" and RestrictedManagementByRMAU == True, \"Applied\",\r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \"Permanent\", \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n ObjectType == \"user\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \"Applied\", \r\n \"Not applied\")\r\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, tostring(AssignedAdministrativeUnits), tostring(RestrictedAssignments)\r\n| sort by ObjectDisplayName", "size": 0, "title": "List of Privileged Accounts ", "timeContext": { 
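Review bot: The user rows of the `case()` in the new `query` combine `and` and `or` without parentheses, so `ObjectType == "user" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True` is read as `(ObjectType == "user" and RestrictedManagementByAadRole == True) or RestrictedManagementByRMAU == True` because `and` binds tighter than `or` in KQL, and the same holds for the following row with `RestrictedManagementByRAG`. As a result the `or` operand is evaluated for every object type that falls through the earlier rows, so for example a role-assignable group that is not in an RMAU but has `RestrictedManagementByRAG == True` is reported as "Applied" by the leaked `or` rather than by an explicit group rule; since this label is what the workbook shows as the protection state of a privileged identity, the intent should be spelled out. If that wildcard behaviour is intended, add a dedicated row for it; otherwise group the disjunction, `ObjectType == "user" and (RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True), "Applied",` and do the same for the RAG row. The identical expression is also in the serialized copy of this query in the Overview .json template earlier in this series. The `content` object that holds this query starts and ends outside the hunk.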
@@ -789,7 +789,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "PrivilegedEAM\r\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\r\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| mv-expand RoleAssignments\r\n| project RoleAssignments, RoleSystem\r\n| evaluate bag_unpack(RoleAssignments)\r\n| extend Classification = column_ifexists(\"Classification\",\"\")\r\n| mv-expand parse_json(Classification)\r\n| extend AdminTierLevel = Classification.AdminTierLevelName\r\n| extend Service = Classification.Service\r\n| extend TaggedBy = Classification.TaggedBy\r\n| where Service contains ('*') or '*' in ('*')\r\n| extend TransitiveBy = column_ifexists(\"TransitiveByObjectDisplayName\", \"\")\r\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\r\n RoleSystem,\r\n tostring(RoleAssignmentId),\r\n RoleDefinitionName,\r\n tostring(RoleAssignmentScopeId),\r\n RoleAssignmentScopeName,\r\n PIMAssignmentType,\r\n RoleAssignmentType,\r\n TransitiveBy,\r\n 
TransitiveByAssignment = RoleAssignmentSubType,\r\n EligibilityBy\r\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \"Unclassified\")\r\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\r\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\r\n| project-away AdminTierLevels", + "query": "PrivilegedEAM\r\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\r\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\r\n| extend Roles = parse_json(RoleAssignments)\r\n| extend Classification = parse_json(Classification)\r\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \"\"\r\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\r\n| where Classification contains ({Service}) or '*' in ({Service})\r\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\r\n| where OnPremSynchronized == iff('{SyncSource}' == \"Cloud-Only\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\r\n| extend OnPremSynchronized = iff(OnPremSynchronized == \"False\",\"Cloud-Only\",\"Hybrid\")\r\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\r\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\r\n| mv-expand RoleAssignments\r\n| project RoleAssignments, RoleSystem\r\n| evaluate bag_unpack(RoleAssignments)\r\n| extend Classification = column_ifexists(\"Classification\",\"\")\r\n| mv-expand parse_json(Classification)\r\n| extend AdminTierLevel = Classification.AdminTierLevelName\r\n| extend Service = Classification.Service\r\n| extend TaggedBy = Classification.TaggedBy\r\n| where Service contains ('*') 
or '*' in ('*')\r\n| extend TransitiveBy = column_ifexists(\"TransitiveByObjectDisplayName\", \"\")\r\n| extend TransitiveByAssignment = column_ifexists(\"RoleAssignmentSubType\", \"\")\r\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\r\n RoleSystem,\r\n tostring(RoleAssignmentId),\r\n RoleDefinitionName,\r\n tostring(RoleAssignmentScopeId),\r\n RoleAssignmentScopeName,\r\n PIMAssignmentType,\r\n RoleAssignmentType,\r\n TransitiveBy,\r\n TransitiveByAssignment,\r\n EligibilityBy\r\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \"Unclassified\")\r\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\r\n| project-reorder RoleSystem, AdminTierLevel, RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\r\n| project-away AdminTierLevels", "size": 0, "title": "Related privileged role assignments", "timeContext": { From 0b240d54e034a5847286cc83b698a6e06c1ffe66 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Tue, 26 Nov 2024 07:07:38 +0100 Subject: [PATCH 11/15] Added changelog for V0.3.3 --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd1c570..0e60822 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
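Review bot: The step `| where Service contains ('*') or '*' in ('*')` in the new `query` is a constant-true filter, since `'*' in ('*')` always holds, so the Service selection is never applied to the unpacked role-assignment rows although the principal rows above are filtered with `{Service}`; it looks like a parameter reference that was baked in as its wildcard default. Either remove the line or point it at the parameter, e.g. `| where tostring(Service) in ({Service}) or '*' in ({Service})` (the exact form depends on the Service parameter's quote and delimiter settings, which are not in this hunk). Related, `RoleSystem contains ({RoleSystem})` and the two `Classification contains ({...})` steps hand a parameter expansion to `contains`, which takes a single string; if these parameters are multi-select with quoted, comma-delimited values, the expansion becomes `'A','B'` as soon as more than one value is picked, and `has_any ({RoleSystem})` (or `in`, as the `ObjectType` filter in this query already uses) would accept the list — the same `contains` pattern is in the `@@ -514` hunk above. The `content` object this query belongs to starts and ends outside the hunk.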
@@ -2,6 +2,21 @@ # Change Log All essential changes on EntraOps will be documented in this changelog. +## [0.3.3] - 2024-11-26 + +### Added +- Status of Restricted Management in Privileged EAM Workbook [#28](https://github.com/Cloud-Architekt/EntraOps/issues/28) +- Support to identify Privileged Auth Admin as Control Plane +- Added support for EligibilityBy and enhanced PIM for Groups support + +### Changed +- Added tenant root group as default for high privileged scopes + +### Fixed +- Order of ResourceApps by tiered levels +- Improvements to Ingest API processing (fix by [weskroesbergen](https://github.com/weskroesbergen)) + - Process files in batches of 50 to avoid errors hitting the 1Mb file limit for DCRs + ## [0.3.2] - 2024-10-26 ### Fixed From e2aec8bfa9ac841a21d989a59d13452cdab0e6e0 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim <47817884+Cloud-Architekt@users.noreply.github.com> Date: Tue, 26 Nov 2024 08:31:13 +0100 Subject: [PATCH 12/15] Fixed wrong spelled column name --- Parsers/PrivilegedEAM_WatchLists.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/PrivilegedEAM_WatchLists.json b/Parsers/PrivilegedEAM_WatchLists.json index 706d8fd..3612748 100644 --- a/Parsers/PrivilegedEAM_WatchLists.json +++ b/Parsers/PrivilegedEAM_WatchLists.json 
@@ -35,7 +35,7 @@ "displayName": "EntraOps Privileged EAM Parser for WatchLists", "category": "EntraOps", "FunctionAlias": "PrivilegedEAM", - "query": "_GetWatchlist('EntraOps_Principals')\n| join kind=inner (\n _GetWatchlist('EntraOps_RoleAssignments')\n | project-rename PimAssignmentType = PIMAssignmentType, PimManagedRole = PIMManagedRole\n | extend EligibilityBy = case(\n RoleSystem == \"EntraID\" and PimAssignmentType == \"Eligible\", \"PIM for Entra ID Roles\",\n RoleSystem == \"EntraID\" and PimAssignmentType == \"Eligible\" and (RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\"), \"PIM for Entra ID Roles and Groups\",\n RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\", \"PIM for Groups\",\n \"N/A\") \n | extend TransitiveByPim = iff((RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\"), true, false)\n | extend RoleAssignment = bag_pack_columns(\n Classification,\n ObjectId,\n ObjectType,\n EligibilityBy,\n PimAssignmentType,\n PimManagedRole,\n RoleAssignmentId,\n RoleAssignmentScopeId,\n RoleAssignmentScopeName,\n RoleAssignmentType,\n RoleAssignmentSubType,\n RoleDefinitionId,\n RoleDefinitionName,\n RoleIsPrivileged,\n RoleType,\n TransitiveByPim,\n TransitiveByObjectDisplayName,\n TransitiveByObjectId\n )\n | summarize RoleAssignments = make_set(RoleAssignment) by ObjectId, RoleSystem\n ) on ObjectId, RoleSystem\n| extend Type = \"EntraOps_WatchLists\"\n| project-rename TimeGenerated = LastUpdatedTimeUTC\n| project-away _DTItemId, SearchKey, ObjectId1, RoleSystem1, Tags, UniqueId\n| project-reorder \n TimeGenerated,\n ObjectId,\n ObjectType,\n ObjectSubType,\n ObjectDisplayName,\n ObjectUserPrincipalName,\n ObjectAdminTierLevel,\n ObjectAdminTierLevelName,\n OnPremSynchronized,\n AssignedAdministrativeUnits,\n RestrictedManagementByRAG,\n RestrictedManagementByAadRole,\n RestrictedManagementByRMAU,\n 
RoleSystem,\n Classification,\n RoleAssignments,\n Owners,\n OwnedObjects,\n OwnedDevices,\n AssociatedWorkAccount,\n AssociatedPawDevice,\n Type", + "query": "_GetWatchlist('EntraOps_Principals')\n| join kind=inner (\n _GetWatchlist('EntraOps_RoleAssignments')\n | extend EligibilityBy = case(\n RoleSystem == \"EntraID\" and PIMAssignmentType == \"Eligible\", \"PIM for Entra ID Roles\",\n RoleSystem == \"EntraID\" and PIMAssignmentType == \"Eligible\" and (RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\"), \"PIM for Entra ID Roles and Groups\",\n RoleAssignmentSubType == \"Nested Eligible group member\" or RoleAssignmentSubType == \"Eligible member\", \"PIM for Groups\",\n \"N/A\") \n | extend TransitiveByPim = iff((RoleAssignmentSubType == \"Nested Eligible member\" or RoleAssignmentSubType == \"Eligible member\"), true, false)\n | extend RoleAssignment = bag_pack_columns(\n Classification,\n ObjectId,\n ObjectType,\n EligibilityBy,\n PIMAssignmentType,\n PIMManagedRole,\n RoleAssignmentId,\n RoleAssignmentScopeId,\n RoleAssignmentScopeName,\n RoleAssignmentType,\n RoleAssignmentSubType,\n RoleDefinitionId,\n RoleDefinitionName,\n RoleIsPrivileged,\n RoleType,\n TransitiveByPim,\n TransitiveByObjectDisplayName,\n TransitiveByObjectId\n )\n | summarize RoleAssignments = make_set(RoleAssignment) by ObjectId, RoleSystem\n ) on ObjectId, RoleSystem\n| extend Type = \"EntraOps_WatchLists\"\n| project-rename TimeGenerated = LastUpdatedTimeUTC\n| project-away _DTItemId, SearchKey, ObjectId1, RoleSystem1, Tags, UniqueId\n| project-reorder \n TimeGenerated,\n ObjectId,\n ObjectType,\n ObjectSubType,\n ObjectDisplayName,\n ObjectUserPrincipalName,\n ObjectAdminTierLevel,\n ObjectAdminTierLevelName,\n OnPremSynchronized,\n AssignedAdministrativeUnits,\n RestrictedManagementByRAG,\n RestrictedManagementByAadRole,\n RestrictedManagementByRMAU,\n RoleSystem,\n Classification,\n RoleAssignments,\n Owners,\n OwnedObjects,\n 
OwnedDevices,\n AssociatedWorkAccount,\n AssociatedPawDevice,\n Type", "version": 2, "functionParameters": "" } From faa26c7c78a8bdfee9a83a6097ab99c69293bb3a Mon Sep 17 00:00:00 2001 From: Thomas Naunheim <47817884+Cloud-Architekt@users.noreply.github.com> Date: Tue, 26 Nov 2024 08:37:44 +0100 Subject: [PATCH 13/15] Fixed workbook parameter --- Workbooks/EntraOps Privileged EAM - Overview.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Workbooks/EntraOps Privileged EAM - Overview.json b/Workbooks/EntraOps Privileged EAM - Overview.json index d49c644..8c5466f 100644 --- a/Workbooks/EntraOps Privileged EAM - Overview.json +++ b/Workbooks/EntraOps Privileged EAM - Overview.json 
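Review bot: The `case()` that derives `EligibilityBy` on the new side can never reach its second branch: the first condition `RoleSystem == "EntraID" and PIMAssignmentType == "Eligible"` is a strict superset of the second, and `case()` returns on the first match, so an eligible Entra ID role obtained through an eligible (PIM for Groups) membership is labelled "PIM for Entra ID Roles" and the "PIM for Entra ID Roles and Groups" label is dead code. Because the workbook's assignment views surface this column, the group-based eligibility path of a privileged principal is reported as a plain role eligibility, which understates how the privilege is reached. Swap the two branches so the more specific one is evaluated first: `RoleSystem == "EntraID" and PIMAssignmentType == "Eligible" and (RoleAssignmentSubType == "Nested Eligible member" or RoleAssignmentSubType == "Eligible member"), "PIM for Entra ID Roles and Groups",` followed by `RoleSystem == "EntraID" and PIMAssignmentType == "Eligible", "PIM for Entra ID Roles",`. Separately, the third branch now tests `"Nested Eligible group member"` while the second branch and the `TransitiveByPim` line still test `"Nested Eligible member"`; only one of these literals can match what the `EntraOps_RoleAssignments` watchlist actually carries, so whichever is wrong silently drops that classification — confirm the emitted sub-type string and use the same literal in all three places.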
@@ -40,7 +40,7 @@ "kind": "shared", "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\null},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where 
tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend 
Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), 
Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType 
== \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by 
count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName 
contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDig
its\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == 
\\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not 
applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, tostring(RestrictedAssignments), tostring(AssignedAdministrativeUnits)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| extend TransitiveByAssignment = column_ifexists(\\\"RoleAssignmentSubType\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, 
RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure active directory\"]}",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null,},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = 
RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| 
distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand 
Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend 
Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by 
RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", 
RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| 
where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged 
access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend 
OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, tostring(RestrictedAssignments), 
tostring(AssignedAdministrativeUnits)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| extend TransitiveByAssignment = column_ifexists(\\\"RoleAssignmentSubType\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, 
RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure active directory\"]}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" From 8e86845e058c4bdf08aa86ac034adca08ed7aeae Mon Sep 17 00:00:00 2001 From: Thomas Naunheim <47817884+Cloud-Architekt@users.noreply.github.com> Date: Tue, 26 Nov 2024 08:55:59 +0100 Subject: [PATCH 14/15] Fixed syntax error in workbook --- Workbooks/EntraOps Privileged EAM - Overview.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Workbooks/EntraOps Privileged EAM - Overview.json b/Workbooks/EntraOps Privileged EAM - Overview.json index 8c5466f..ede39f5 100644 --- a/Workbooks/EntraOps Privileged EAM - Overview.json +++ b/Workbooks/EntraOps Privileged EAM - Overview.json 
@@ -40,7 +40,7 @@ "kind": "shared", "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null,},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where 
tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend 
Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), 
Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType 
== \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by 
count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName 
contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDig
its\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == 
\\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not 
applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, tostring(RestrictedAssignments), tostring(AssignedAdministrativeUnits)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| extend TransitiveByAssignment = column_ifexists(\\\"RoleAssignmentSubType\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, 
RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure active directory\"]}",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"parameters\":[{\"id\":\"4666895c-a22c-4fad-be1c-a8d31c4383d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectLogAnalytics\",\"label\":\"Select Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null},{\"id\":\"cd33301b-949e-4159-bd9d-daf07a2eea28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleSystem\",\"label\":\"RBAC System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| distinct RoleSystem\\r\\n| summarize Count = count() by RoleSystem\\r\\n| order by Count desc, RoleSystem asc\\r\\n| project Value = 
RoleSystem\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fdb99e3a-478f-4382-b4f4-204c38bc81a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdminTierLevelName\",\"label\":\"RBAC Tier Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| mv-expand (parse_json(Classification))\\r\\n| where tostring(Classification.AdminTierLevel) != \\\"\\\" and tostring(Classification.AdminTierLevelName) != \\\"\\\"\\r\\n| distinct tostring(Classification.AdminTierLevel), tostring(Classification.AdminTierLevelName)\\r\\n| order by Classification_AdminTierLevel asc\\r\\n| project Value = Classification_AdminTierLevelName\\r\\n\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"899df38d-0db6-4aec-991f-f3d885c14677\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Service\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| extend Service = tostring(Classification.Service)\\r\\n| 
distinct Service\\r\\n| order by Service asc\\r\\n| project Value = tostring(Service)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7278d5a-1e2f-4eef-a7fc-8b9b4f97e2f8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectType\",\"label\":\"Principal Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| distinct ObjectType\\r\\n| order by ObjectType asc\\r\\n| project Value = tostring(ObjectType)\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8eafa332-2a5b-43dd-90c6-b9d1d12ad033\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PrincipalDisplayName\",\"label\":\"Principal DisplayName\",\"type\":1,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand 
Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| distinct ObjectId, ObjectType, OnPremSynchronized, ObjectDisplayName, TimeGenerated\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| extend SyncSource = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| summarize Count = count() by SyncSource\\r\\n| join kind = fullouter (datatable(SyncSource:string)['Cloud-Only', 'Hybrid']) on SyncSource\\r\\n| project SyncSource = iff(SyncSource == '', SyncSource1, SyncSource), Count = iff(SyncSource == '', 0, Count)\",\"size\":4,\"title\":\"Sync source of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"SyncSource\",\"exportParameterName\":\"SyncSource\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SyncSource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":1},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Synchronized Privileged Accounts\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('*' == \\\"Cloud-Only\\\", false, true)\\r\\n or '*' == '*'\\r\\n or '*' == 'All Privileged Identities'\\r\\n| where RoleSystem in ('*') or '*' in ('*')\\r\\n| extend 
Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ('*') or '*' in ('*')\\r\\n| where Classification.Service in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ('*') or '*' in ('*')\\r\\n| where ObjectDisplayName contains '' or '' == \\\"\\\"\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| distinct ObjectId, RestrictedManagement\\r\\n| summarize Count = count() by 
RestrictedManagement\",\"size\":4,\"title\":\"Restricted management of privileged identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"RestrictedManagement\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"Restricted Management\",\"styleSettings\":{\"maxWidth\":\"25\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",false,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| mv-expand parse_json(RoleAssignments)\\r\\n| extend AssignmentType = strcat(RoleAssignments.RoleAssignmentType, \\\" \\\", 
RoleAssignments.PIMAssignmentType)\\r\\n| summarize count() by AssignmentType\\r\\n| sort by count_\",\"size\":4,\"title\":\"Assignments of privileged roles\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"AssignmentType\",\"exportParameterName\":\"AssignmentType\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OnPremSynchronized\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RestrictedManagement\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Role Assignments\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectType != \\\"group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ObjectId, RoleSystem\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in 
({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| distinct ObjectId, ObjectAdminTierLevelName\\r\\n| summarize Count = count() by ObjectAdminTierLevelName\\r\\n| join kind = fullouter (datatable(ObjectAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on ObjectAdminTierLevelName\\r\\n| project ObjectAdminTierLevelName = iff(ObjectAdminTierLevelName == '', ObjectAdminTierLevelName1, ObjectAdminTierLevelName), Count = iff(ObjectAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n ObjectAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n ObjectAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n ObjectAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n ObjectAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged 
identities\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectAdminTierLevelName\",\"exportParameterName\":\"ObjectAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Accounts \",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| mv-expand Classification\\r\\n| where Classification.AdminTierLevelName in ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification.Service in ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| 
where ObjectAdminTierLevelName contains '{ObjectAdminTierLevelName}' or '{ObjectAdminTierLevelName}' == \\\"*\\\"\\r\\n| sort by ObjectAdminTierLevelName asc\\r\\n| distinct ObjectId, RoleClassificationAdminTierLevelName = tostring(Classification.AdminTierLevelName)\\r\\n| summarize Count = count() by RoleClassificationAdminTierLevelName\\r\\n| join kind = fullouter (datatable(RoleClassificationAdminTierLevelName:string)['ControlPlane', 'ManagementPlane','WorkloadPlane','UserAccess','Unclassified']) on RoleClassificationAdminTierLevelName\\r\\n| project RoleClassificationAdminTierLevelName = iff(RoleClassificationAdminTierLevelName == '', RoleClassificationAdminTierLevelName1, RoleClassificationAdminTierLevelName), Count = iff(RoleClassificationAdminTierLevelName == '', 0, Count)\\r\\n| extend SortOrder = case(\\r\\n RoleClassificationAdminTierLevelName == \\\"ControlPlane\\\", 1,\\r\\n RoleClassificationAdminTierLevelName == \\\"ManagementPlane\\\", 2,\\r\\n RoleClassificationAdminTierLevelName == \\\"WorkloadPlane\\\", 3,\\r\\n RoleClassificationAdminTierLevelName == \\\"UserAccess\\\", 4,\\r\\n 5) // Default value for any other entries\\r\\n| order by SortOrder asc\\r\\n| project-away SortOrder\",\"size\":4,\"title\":\"Classification of privileged 
access\",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"RoleClassificationAdminTierLevelName\",\"exportParameterName\":\"RoleClassificationAdminTierLevelName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleClassificationAdminTierLevelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Classifications Privileged Access\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where RoleSystem in ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in ({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,True) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend 
OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| extend RestrictedAssignments = bag_pack_columns(RestrictedManagementByAadRole, RestrictedManagementByRAG, RestrictedManagementByRMAU)\\r\\n| extend RestrictedManagement = case(\\r\\n ObjectType == \\\"serviceprincipal\\\", \\\"Not available\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"Role-assignable\\\" and parse_json(RestrictedAssignments).RestrictedManagementByRMAU == \\\"True\\\", \\\"Conflict\\\",\\r\\n ObjectType == \\\"group\\\" and ObjectSubType != \\\"Role-assignable\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"group\\\" and ObjectSubType == \\\"security\\\" and RestrictedManagementByRMAU == True, \\\"Applied\\\",\\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True or RestrictedManagementByRAG == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and parse_json(Roles).PIMAssignmentType == \\\"Permanent\\\", \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByRAG == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n ObjectType == \\\"user\\\" and RestrictedManagementByAadRole == True and RestrictedManagementByRMAU == True, \\\"Applied\\\", \\r\\n \\\"Not applied\\\")\\r\\n| summarize RoleSystem = make_set(RoleSystem) by ObjectId, ObjectType, ObjectSubType, ObjectDisplayName, ObjectAdminTierLevelName, OnPremSynchronized, RestrictedManagement, tostring(RestrictedAssignments), 
tostring(AssignedAdministrativeUnits)\\r\\n| sort by ObjectDisplayName\",\"size\":0,\"title\":\"List of Privileged Accounts \",\"timeContext\":{\"durationMs\":604800000},\"exportFieldName\":\"ObjectId\",\"exportParameterName\":\"ObjectId\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ObjectType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"user\",\"representation\":\"Person\",\"text\":\"User\"},{\"operator\":\"==\",\"thresholdValue\":\"serviceprincipal\",\"representation\":\"Capture\",\"text\":\"Service Principal\"},{\"operator\":\"==\",\"thresholdValue\":\"group\",\"representation\":\"PersonWithFriend\",\"text\":\"Group\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"ObjectDisplayName\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"{ObjectUserPrincipalName}\"}},{\"columnMatch\":\"ObjectAdminTierLevelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RestrictedManagement\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"Applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"Conflict\"},{\"operator\":\"==\",\"thresholdValue\":\"Not applied\",\"representation\":\"4\",\"text\":\"Not applied\"},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"cancelled\",\"text\":\"Not available\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"AssignedAdministrativeUnits\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RestrictedAssignments\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Restricted Management\",\"formatter\":18,\"formatOptions\":{\"linkColumn\":\"RestrictedAssignments\",\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Restricted Management applied by RMAU, Role-Assingable Group or Directory Role Assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not available\",\"representation\":\"Normal\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No restricted management for object type available\"}},{\"operator\":\"==\",\"thresholdValue\":\"Not 
applied\",\"representation\":\"4\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"No assignment for restricted assignment\"}},{\"operator\":\"==\",\"thresholdValue\":\"Conflict\",\"representation\":\"2\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Assignment to two or more restricted management capabilities which are not compatible\"}},{\"operator\":\"==\",\"thresholdValue\":\"Applied\",\"representation\":\"success\",\"text\":\"{0}{1}\",\"tooltipFormat\":{\"tooltip\":\"Strong restricted management by RMAU and Role-Assignable Group\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"ObjectAdminTierLevel_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_RestrictedManagement_6\",\"sortOrder\":1}]},\"name\":\"Related Privileged Accounts \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PrivilegedEAM\\r\\n| where ObjectId == '{ObjectId}' or '{ObjectId}' == '*'\\r\\n| where RoleSystem contains ({RoleSystem}) or '*' in ({RoleSystem})\\r\\n| extend Roles = parse_json(RoleAssignments)\\r\\n| extend Classification = parse_json(Classification)\\r\\n| where ObjectDisplayName contains '{PrincipalDisplayName}' or '{PrincipalDisplayName}' == \\\"\\\"\\r\\n| where Classification contains ({AdminTierLevelName}) or '*' in 
({AdminTierLevelName})\\r\\n| where Classification contains ({Service}) or '*' in ({Service})\\r\\n| where ObjectType in ({ObjectType}) or '*' in ({ObjectType})\\r\\n| where OnPremSynchronized == iff('{SyncSource}' == \\\"Cloud-Only\\\",False,true) or '{SyncSource}' == '*' or '{SyncSource}' == 'All Privileged Identities'\\r\\n| extend OnPremSynchronized = iff(OnPremSynchronized == \\\"False\\\",\\\"Cloud-Only\\\",\\\"Hybrid\\\")\\r\\n| where ObjectAdminTierLevelName == '{ObjectAdminTierLevelName}' or '*' == '{ObjectAdminTierLevelName}'\\r\\n| where parse_json(Classification) contains '{RoleClassificationAdminTierLevelName}' or '*' == '{RoleClassificationAdminTierLevelName}'\\r\\n| mv-expand RoleAssignments\\r\\n| project RoleAssignments, RoleSystem\\r\\n| evaluate bag_unpack(RoleAssignments)\\r\\n| extend Classification = column_ifexists(\\\"Classification\\\",\\\"\\\")\\r\\n| mv-expand parse_json(Classification)\\r\\n| extend AdminTierLevel = Classification.AdminTierLevelName\\r\\n| extend Service = Classification.Service\\r\\n| extend TaggedBy = Classification.TaggedBy\\r\\n| where Service contains ('*') or '*' in ('*')\\r\\n| extend TransitiveBy = column_ifexists(\\\"TransitiveByObjectDisplayName\\\", \\\"\\\")\\r\\n| extend TransitiveByAssignment = column_ifexists(\\\"RoleAssignmentSubType\\\", \\\"\\\")\\r\\n| summarize AdminTierLevels = make_set(AdminTierLevel), Service = make_set(Service), TaggedBy = make_set(TaggedBy) by\\r\\n RoleSystem,\\r\\n tostring(RoleAssignmentId),\\r\\n RoleDefinitionName,\\r\\n tostring(RoleAssignmentScopeId),\\r\\n RoleAssignmentScopeName,\\r\\n PIMAssignmentType,\\r\\n RoleAssignmentType,\\r\\n TransitiveBy,\\r\\n TransitiveByAssignment,\\r\\n EligibilityBy\\r\\n| extend AdminTierLevel = iff(isnotempty(AdminTierLevels[0]), AdminTierLevels[0], \\\"Unclassified\\\")\\r\\n| sort by tostring(AdminTierLevel) asc, tostring(RoleAssignmentScopeId) asc, RoleDefinitionName asc\\r\\n| project-reorder RoleSystem, AdminTierLevel, 
RoleDefinitionName, RoleAssignmentScopeName, PIMAssignmentType, RoleAssignmentType, TransitiveBy, TransitiveByAssignment, EligibilityBy, Service\\r\\n| project-away AdminTierLevels\",\"size\":0,\"title\":\"Related privileged role assignments\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{SelectLogAnalytics}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RoleSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"IdentityGovernance\",\"representation\":\"Share\",\"text\":\"Identity Governance\"},{\"operator\":\"==\",\"thresholdValue\":\"Azure\",\"representation\":\"AzurePortal\",\"text\":\"Azure\"},{\"operator\":\"==\",\"thresholdValue\":\"ResourceApps\",\"representation\":\"Connect\",\"text\":\"Resource Apps\"},{\"operator\":\"==\",\"thresholdValue\":\"DeviceManagement\",\"representation\":\"Tools\",\"text\":\"Device Management\"},{\"operator\":\"==\",\"thresholdValue\":\"EntraID\",\"representation\":\"Key\",\"text\":\"Entra ID\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Question\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdminTierLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unclassified\",\"representation\":\"Line\",\"text\":\"Unclassified\"},{\"operator\":\"==\",\"thresholdValue\":\"ControlPlane\",\"representation\":\"Sev0\",\"text\":\"Control Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"ManagementPlane\",\"representation\":\"Sev3\",\"text\":\"Management Plane\"},{\"operator\":\"==\",\"thresholdValue\":\"UserAccess\",\"representation\":\"Sev4\",\"text\":\"User 
Access\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"Unknown\"}]}},{\"columnMatch\":\"RoleDefinitionName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentType\",\"formatter\":0,\"tooltipFormat\":{\"tooltip\":\"[\\\"TransitiveByObjectDisplayName\\\"]\"}},{\"columnMatch\":\"Service\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"RoleAssignmentId\",\"formatter\":5},{\"columnMatch\":\"RoleAssignmentScopeId\",\"formatter\":5,\"tooltipFormat\":{\"tooltip\":\"[\\\"RoleAssignmentScopeName\\\"]\"}}]},\"sortBy\":[]},\"name\":\"Related privileged role assignments\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure active directory\"]}",
 "version": "1.0",
 "sourceId": "[parameters('workbookSourceId')]",
 "category": "[parameters('workbookType')]"
@@ -54,4 +54,4 @@
 }
 },
 "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
-}
\ No newline at end of file
+}
From 29f0787682b7ced0f3e5f4f25ac6082b73c592ef Mon Sep 17 00:00:00 2001
From: Thomas Naunheim <47817884+Cloud-Architekt@users.noreply.github.com>
Date: Wed, 27 Nov 2024 06:22:59 +0100
Subject: [PATCH 15/15] Update CHANGELOG.md
---
 CHANGELOG.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e60822..58c615c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,15 +2,17 @@ # Change Log All essential changes on EntraOps will be documented in this changelog. -## [0.3.3] - 2024-11-26 +## [0.3.3] - 2024-11-27 ### Added - Status of Restricted Management in Privileged EAM Workbook [#28](https://github.com/Cloud-Architekt/EntraOps/issues/28) -- Support to identify Privileged Auth Admin as Control Plane - Added support for EligibilityBy and enhanced PIM for Groups support ### Changed - Added tenant root group as default for high privileged scopes +- Support for multiple scopes for high privileged +- Improvement in visualization of Privileged EAM Workbook +- Support to identify Privileged Auth Admin as Control Plane ### Fixed - Order of ResourceApps by tiered levels