Role-assignments

CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit <https://cla.opensource.microsoft.com>.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
+
+<!-- ## Build -->
+
+<!-- ## Test -->
+
+## Power BI Template Updates
+
+Updating the Power BI Template files (.pbit) can be tricky and must align with changes to the PowerShell data collection process. Power BI also has a [Data Privacy Firewall](https://docs.microsoft.com/en-us/power-query/dataprivacyfirewall) which prevents accidental data leakage between data sources. This firewall can sometimes prevent our assessment templates from loading when a query combines or joins data from multiple files, for example, oauth2PermissionGrants.csv + servicePrincipals.json. In our case, all the data sources have the same privacy level which should allow them to be combined but Power BI may still prevent loading with the following error:
+Query 'Query1' (step 'Source') references other queries or steps, so it may not directly access a data source. Please rebuild this data combination.
+
+One option to avoid this error is to turn off the Data Privacy Firewall by setting [Power BI Desktop privacy level](https://docs.microsoft.com/en-us/power-bi/enterprise/desktop-privacy-levels) to "Ignore the Privacy levels" when the template fails to load the data.
+
+However, in order to avoid changing this setting whenever the template is instantiated, we can "rebuild this data combination" to avoid the firewall restrictions by introducing a proxy [function](https://docs.microsoft.com/en-us/power-query/custom-function) for each data sources used in the combination query. You can see some examples of this in the existing templates where queries will reference f_oauth2PermissionGrants() and f_servicePrincipals() which are proxy functions for the oauth2PermissionGrants and servicePrincipal data source tables rather than referencing those tables directly.

README.md

@@ -147,3 +147,5 @@ provided by the bot. You will only need to do this once across all repos using o
 This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
 For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
 contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
+
+For more detailed guidance and recommendations for contributing, see the page for [contributing](CONTRIBUTING.md).

src/Complete-AADAssessmentReports.ps1

@@ -66,18 +66,18 @@ function Complete-AADAssessmentReports {
 
         ## Expand Data Package
         Write-Progress -Id 0 -Activity 'Microsoft Azure AD Assessment Complete Reports' -Status 'Expand Data' -PercentComplete 0
-        #Expand-Archive $Path -DestinationPath $OutputDirectoryData -Force -ErrorAction Stop
         # Remove destination before extract
         if (Test-Path -Path $OutputDirectoryData) {
             Remove-Item $OutputDirectoryData -Recurse -Force
         }
         # Extract content
+        #Expand-Archive $Path -DestinationPath $OutputDirectoryData -Force -ErrorAction Stop
         [System.IO.Compression.ZipFile]::ExtractToDirectory($Path,$OutputDirectoryData)
         $AssessmentDetail = Get-Content $AssessmentDetailPath -Raw | ConvertFrom-Json
         #Check for DataFiles
         $OutputDirectoryAAD = Join-Path $OutputDirectoryData 'AAD-*' -Resolve -ErrorAction Stop
         [array] $DataFiles = Get-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml"
-        $SkippedReportOutput = $DataFiles -and $DataFiles.Count -eq 9
+        $SkippedReportOutput = $DataFiles -and $DataFiles.Count -ge 8
 
         ## Check the provided archive
         $archiveState = Test-AADAssessmentPackage -Path $Path -SkippedReportOutput $SkippedReportOutput
@@ -87,7 +87,7 @@ function Complete-AADAssessmentReports {
         }
 
         # Check assessment version
-        $moduleVersion = $MyInvocation.MyCommand.ScriptBlock.Module.Version
+        $moduleVersion = $MyInvocation.MyCommand.Module.Version
         [System.Version]$packageVersion = $AssessmentDetail.AssessmentVersion
         if ($packageVersion.Build -eq -1) {
             Write-Warning "The package was not generate with a module installed from the PowerShell Gallery"

src/Export-AADAssessmentReportData.ps1

@@ -158,7 +158,7 @@ function Export-AADAssessmentReportData {
         $LookupCache.userRegistrationDetails.Clear()
     }
 
-    # notificaiton emails report
+    # notificaiton emails report (Remove on next release)
     if (!(Test-Path -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv")) -or $Force) {
         # load unique data
         $OrganizationData = Get-Content -Path (Join-Path $SourceDirectory "organization.json") -Raw | ConvertFrom-Json
@@ -186,18 +186,19 @@ function Export-AADAssessmentReportData {
     # role assignment report
     if (!(Test-Path -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv")) -or $Force) {
         # Set file header
-        Set-Content -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -Value "id,directoryScopeId,directoryScopeObjectId,directoryScopeDisplayName,directoryScopeType,roleDefinitionId,roleDefinitionTemplateId,roleDefinitionDisplayName,principalId,principalDisplayName,principalType,memberType,status,assignmentType,startDateTime,endDateTime"
+        Set-Content -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -Value "id,directoryScopeId,directoryScopeObjectId,directoryScopeDisplayName,directoryScopeType,roleDefinitionId,roleDefinitionTemplateId,roleDefinitionDisplayName,principalId,principalDisplayName,principalType,principalMail,principalOtherMails,memberType,assignmentType,startDateTime,endDateTime"
         # load unique data
-        [array] $roleAssignmentSchedulesData =  @()
-        [array] $roleEligibilitySchedulesData = @()
+        [array] $roleAssignmentScheduleInstancesData =  @()
+        [array] $roleEligibilityScheduleInstancesData = @()
         [array] $roleAssignmentsData = @()
         if ($licenseType -eq "P2") {
-            $roleAssignmentSchedulesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentSchedulesData.xml")
-            $roleEligibilitySchedulesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleEligibilitySchedulesData.xml")
+            $roleAssignmentScheduleInstancesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentScheduleInstancesData.xml")
+            $roleEligibilityScheduleInstancesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleEligibilityScheduleInstancesData.xml")
         } else {
             $roleAssignmentsData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentsData.xml")
         }
         # load data if cache empty
+        $OrganizationData = Get-Content -Path (Join-Path $SourceDirectory "organization.json") -Raw | ConvertFrom-Json
         if ($LookupCache.user.Count -eq 0) {
             Write-Output "Loading users in lookup cache"
             Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
@@ -220,13 +221,13 @@ function Export-AADAssessmentReportData {
         }
 
         # generate the report
-        Get-AADAssessRoleAssignmentReport -Offline -TenantHasP2 ($licenseType -eq "P2") -RoleAssignmentsData $roleAssignmentsData -RoleAssignmentSchedulesData $roleAssignmentSchedulesData -RoleEligibilitySchedulesData $roleEligibilitySchedulesData -OrganizationData $OrganizationData -AdministrativeUnitsData $LookupCache.administrativeUnit -UsersData $LookupCache.user -GroupsData $LookupCache.group -ApplicationsData $LookupCache.application -ServicePrincipalsData $LookupCache.servicePrincipal `
+        Get-AADAssessRoleAssignmentReport -Offline -RoleAssignmentsData $roleAssignmentsData -RoleAssignmentScheduleInstancesData $roleAssignmentScheduleInstancesData -RoleEligibilityScheduleInstancesData $roleEligibilityScheduleInstancesData -OrganizationData $OrganizationData -AdministrativeUnitsData $LookupCache.administrativeUnit -UsersData $LookupCache.user -GroupsData $LookupCache.group -ApplicationsData $LookupCache.application -ServicePrincipalsData $LookupCache.servicePrincipal `
         | Use-Progress -Activity 'Exporting RoleAssignmentReport' -Property id -PassThru -WriteSummary `
         | Format-Csv `
         | Export-Csv -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -NoTypeInformation -Append
 
         # clear unique data
-        Remove-Variable roleAssignmentSchedulesData, roleEligibilitySchedulesData
+        Remove-Variable roleAssignmentScheduleInstancesData, roleEligibilityScheduleInstancesData
         # clear cache as data is not further used by other reports
         $LookupCache.group.Clear()
         $LookupCache.administrativeUnit.Clear()