
Clean bootstrap update

Open: soulemike opened this issue 2 months ago • 1 comment

This is a clean reset of the original concept from #32.

The core functionality of this PR provides:

  • Individual functions (New-EntraOpsServiceAZ/EM/Entra/PIM*) to interact with core Entitlement Management (EM) capabilities for validating and creating new resources.
  • A bootstrap function (`New-EntraOpsServiceBootstrap`) to wrap the individual functions and provide a single processor for all EM resource creation, with the intent of supporting a new "service".
  • An example of using the bootstrap function for a new Azure Subscription Landing Zone (New-EntraOpsSubscriptionLandingZoneAlt).
  • The ability to generate a report object (Get-EntraOpsReport) and convert that report object to a Mermaid diagram (ConvertTo-Mermaid).
  • The ability to bulk remove an EM Catalog and all resources (Remove-EntraOpsServiceCatalog).

As a note, EM Assignments can take minutes to process. Use -Verbose to see the status of backoff retries against the API.

The bootstrap functionality uses the following Azure & Graph Modules: Microsoft.Graph.Users, Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns, Az.Accounts, Az.Resources

The bootstrap functionality uses the following Graph scopes: Directory.AccessAsUser.All, EntitlementManagement.ReadWrite.All, RoleManagementPolicy.ReadWrite.AzureADGroup, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory, PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup, PrivilegedAccess.ReadWrite.AzureADGroup

Quick start: these three lines will set the service member and service owner and bootstrap the minimal Entra resources for a Subscription Landing Zone, including:

  • 1 M365 Group, Default Members
  • 7 Security Groups (SG), SG-Default-*
  • 1 EM Catalog, Catalog-Default
    • All 8 group objects are registered resources for the catalog
    • The SG-Default-Admins-Control group is Catalog owner
    • The SG-Default-Members-Catalog group is Catalog reader
    • The SG-Default-Admins-Management group is Access package assignment manager
    • There are 7 Access Packages (AP) created, one for each SG
  • Each AP has a resource assignment to the corresponding SG
    • With the Default Members M365 Group assigned to the AP-Default-Users-Workload
  • Each AP has at least one assignment policy associated for time bound and approval requirements
    • AP-Default-Admins-Management has a second policy for initial assignment of admin inheritance
  • The Service Members inherit an assignment to AP-Default-Members-Workload.
  • The Service Owner inherits an assignment to AP-Default-Admins-Management.

```powershell
$serviceMember = "[email protected]"
$serviceOwner = "[email protected]"
$service = New-EntraOpsSubscriptionLandingZoneAlt -SkipAzureResourceGroup -ProhibitDirectElevation -ServiceMembers $serviceMember -ServiceOwner $serviceOwner
```

To visualize the created EM resources you can run the following commands, then use a Mermaid visualizer such as https://mermaid.live/. The output for the bootstrap example is included here for reference as well.

```powershell
$report = Get-EntraOpsReport
ConvertTo-Mermaid -ReportObject $report | clip
```
```mermaid
graph
  subgraph ce00f510-ca43-496d-a403-b83bd960bdbb [Catalog-Default]

    subgraph ce00f510-ca43-496d-a403-b83bd960bdbbRoles [Roles]
      6b00960b-fc09-4dc3-8313-037ce7db74e2(Catalog owner - SG-Default-Admins-Control)
      163e73b2-f5ee-4c52-a4bc-117e45fe952f(Catalog reader - SG-Default-Members-Catalog)
      28fc3a3d-839f-4544-9f9a-4888f708aac3(AccessPackage assignment manager - SG-Default-Admins-Management)
    end

    subgraph ce00f510-ca43-496d-a403-b83bd960bdbbResources [Resources]
      0d6ba2e8-9251-4839-86c6-af1187007513(SG-Default-Admins-Management)
      a9f7c14a-ee2b-4889-82ba-dc9409923c7c(Default Members)
      b26be3da-af7c-44dd-9f42-cf0ed4d809ef(SG-Default-Users-Workload)
      c97ad1ec-885a-4fe3-b2f5-d2691dad892d(SG-Default-Members-Catalog)
      de34e320-669a-478d-9b77-a8f1311af12f(SG-Default-Members-Management)
      e452f18c-e827-47fa-b9db-a11ae6f87843(SG-Default-Admins-Workload)
      e7f366ec-8010-4d6b-8eb9-04c89e0fd499(SG-Default-Members-Workload)
      ee901010-207e-48ef-b0bd-a7d0e14ca8e7(SG-Default-Admins-Control)
    end

    subgraph ce00f510-ca43-496d-a403-b83bd960bdbbAccessPackages [Access Packages]
      subgraph a5adb840-76ec-464c-8414-798b8ecedc12 [AP-Default-Users-Workload]
        18ee1718-ca1e-4b9d-b23c-debabac80a79(Baseline Policy)
      end
      subgraph db6e7a67-c336-4ebb-8d5f-4ccb76643895 [AP-Default-Members-Catalog]
        10120df6-17b8-45df-84e2-1f946d5c1dd2(Baseline Policy)
      end
      subgraph bd05df2f-0ab2-4021-9f34-bce28f439cad [AP-Default-Admins-Control]
        e9bf7db3-645c-4f28-b735-94633f9cabee(Baseline Policy)
      end
      subgraph 402de51c-2104-4376-96d2-d15ac3613099 [AP-Default-Members-Workload]
        744063ae-8c9e-4145-89d2-24a3371e9044(Initial Workload Membership Policy)
      end
      subgraph 74215264-4977-49d5-b81c-b3903c2ae06f [AP-Default-Admins-Workload]
        75d02a7d-61d0-4246-ac9f-2fe85d6698a3(Workload Plane Policy)
      end
      subgraph badbfea9-87d8-41b1-b49f-9d8dc1480bbc [AP-Default-Members-Management]
        564f9f2d-5969-44f4-a07c-1e6759523c86(Initial Management Membership Policy)
      end
      subgraph b845643c-3a38-491c-a5c7-3ff2cd173ed2 [AP-Default-Admins-Management]
        5fe3f349-011b-40b4-85c8-68d917e7e696(Management Plane Policy)
        056d8e94-0020-44e5-88af-f782e0140269(Initial Management Admin Policy)
      end
    end
  end

82754626-d53c-4469-b411-a7abf99f3316(Alex Wilber)
9391e1a9-6a0d-42f2-9289-9d66983bea4f(Adele Vance)

9391e1a9-6a0d-42f2-9289-9d66983bea4f --> 056d8e94-0020-44e5-88af-f782e0140269
9391e1a9-6a0d-42f2-9289-9d66983bea4f --> 744063ae-8c9e-4145-89d2-24a3371e9044
82754626-d53c-4469-b411-a7abf99f3316 --> 744063ae-8c9e-4145-89d2-24a3371e9044

c97ad1ec-885a-4fe3-b2f5-d2691dad892d --> 18ee1718-ca1e-4b9d-b23c-debabac80a79
c97ad1ec-885a-4fe3-b2f5-d2691dad892d --> 10120df6-17b8-45df-84e2-1f946d5c1dd2
c97ad1ec-885a-4fe3-b2f5-d2691dad892d --> e9bf7db3-645c-4f28-b735-94633f9cabee
e7f366ec-8010-4d6b-8eb9-04c89e0fd499 --> 75d02a7d-61d0-4246-ac9f-2fe85d6698a3
e7f366ec-8010-4d6b-8eb9-04c89e0fd499 --> 564f9f2d-5969-44f4-a07c-1e6759523c86
5fe3f349-011b-40b4-85c8-68d917e7e696 --> 056d8e94-0020-44e5-88af-f782e0140269

a5adb840-76ec-464c-8414-798b8ecedc12 --> b26be3da-af7c-44dd-9f42-cf0ed4d809ef
a5adb840-76ec-464c-8414-798b8ecedc12 --> a9f7c14a-ee2b-4889-82ba-dc9409923c7c
db6e7a67-c336-4ebb-8d5f-4ccb76643895 --> c97ad1ec-885a-4fe3-b2f5-d2691dad892d
bd05df2f-0ab2-4021-9f34-bce28f439cad --> ee901010-207e-48ef-b0bd-a7d0e14ca8e7
402de51c-2104-4376-96d2-d15ac3613099 --> e7f366ec-8010-4d6b-8eb9-04c89e0fd499
74215264-4977-49d5-b81c-b3903c2ae06f --> e452f18c-e827-47fa-b9db-a11ae6f87843
badbfea9-87d8-41b1-b49f-9d8dc1480bbc --> de34e320-669a-478d-9b77-a8f1311af12f
b845643c-3a38-491c-a5c7-3ff2cd173ed2 --> 0d6ba2e8-9251-4839-86c6-af1187007513

ee901010-207e-48ef-b0bd-a7d0e14ca8e7 --> 6b00960b-fc09-4dc3-8313-037ce7db74e2
c97ad1ec-885a-4fe3-b2f5-d2691dad892d --> 163e73b2-f5ee-4c52-a4bc-117e45fe952f
0d6ba2e8-9251-4839-86c6-af1187007513 --> 28fc3a3d-839f-4544-9f9a-4888f708aac3
```

To clean up the created EM resources easily you can run the following command; note that this does NOT delete the Entra group objects.

```powershell
Remove-EntraOpsServiceCatalog -ServiceCatalogName "Catalog-Default" -Force
```

soulemike, Oct 20 '25 21:10
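As an added example (not part of EntraOps or this PR), the following PowerShell parses the ConvertTo-Mermaid text posted above and lists the path each principal inherits (principal, assignment policy, enclosing access package, resource group, catalog role held by that group), so a reviewer can confirm the service owner only reaches the intended catalog role. The function name, the parsing rules (a policy node sits inside its access package subgraph; the `Roles` subgraph label identifies catalog roles) and the trimmed sample are assumptions based on the diagram shown.

```powershell
# Added example (not EntraOps code): walk ConvertTo-Mermaid output and list each principal's
# inherited path: principal -> assignment policy -> access package (enclosing subgraph) -> group -> catalog role.
function Resolve-MermaidAccessPath {
    param([Parameter(Mandatory)][string]$MermaidText)
    $label = @{}; $parent = @{}; $edges = @{}; $principals = @()
    $stack = [System.Collections.Generic.Stack[string]]::new()      # currently open subgraphs
    foreach ($raw in $MermaidText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^subgraph\s+(\S+)\s+\[(.+)\]$') {
            $label[$Matches[1]] = $Matches[2]; $stack.Push($Matches[1])
        } elseif ($line -eq 'end') { if ($stack.Count) { [void]$stack.Pop() }
        } elseif ($line -match '^(\S+)\((.+)\)$') {                  # node definition: id(label)
            $label[$Matches[1]] = $Matches[2]
            if ($stack.Count) { $parent[$Matches[1]] = $stack.Peek() } else { $principals += $Matches[1] }
        } elseif ($line -match '^(\S+)\s+-->\s+(\S+)$') {            # edge: source --> target
            if ($edges.ContainsKey($Matches[1])) { $edges[$Matches[1]] += $Matches[2] } else { $edges[$Matches[1]] = @($Matches[2]) }
        }
    }
    foreach ($p in $principals | Where-Object { $edges.ContainsKey($_) }) {
        foreach ($policy in @($edges[$p])) {
            $ap = $parent[$policy]                 # the policy node sits inside its access package subgraph
            if (-not $ap -or -not $edges.ContainsKey($ap)) { continue }
            foreach ($group in $edges[$ap]) {      # AP --> resource role scope, i.e. the security group
                $roles = @($edges[$group]) | Where-Object { $_ -and $parent.ContainsKey($_) -and $label[$parent[$_]] -eq 'Roles' }
                [pscustomobject]@{
                    Principal = $label[$p]; Policy = $label[$policy]; AccessPackage = $label[$ap]
                    Group = $label[$group]; CatalogRole = (@($roles | ForEach-Object { $label[$_] }) -join '; ')
                }
            }
        }
    }
}
# Constructed excerpt of the diagram above (same ids), trimmed to the service-owner path.
$sample = @'
subgraph ce00f510-ca43-496d-a403-b83bd960bdbbRoles [Roles]
  28fc3a3d-839f-4544-9f9a-4888f708aac3(AccessPackage assignment manager - SG-Default-Admins-Management)
end
subgraph ce00f510-ca43-496d-a403-b83bd960bdbbResources [Resources]
  0d6ba2e8-9251-4839-86c6-af1187007513(SG-Default-Admins-Management)
end
subgraph b845643c-3a38-491c-a5c7-3ff2cd173ed2 [AP-Default-Admins-Management]
  056d8e94-0020-44e5-88af-f782e0140269(Initial Management Admin Policy)
end
9391e1a9-6a0d-42f2-9289-9d66983bea4f(Adele Vance)
9391e1a9-6a0d-42f2-9289-9d66983bea4f --> 056d8e94-0020-44e5-88af-f782e0140269
b845643c-3a38-491c-a5c7-3ff2cd173ed2 --> 0d6ba2e8-9251-4839-86c6-af1187007513
0d6ba2e8-9251-4839-86c6-af1187007513 --> 28fc3a3d-839f-4544-9f9a-4888f708aac3
'@
Resolve-MermaidAccessPath -MermaidText $sample | Format-Table -AutoSize
```

Run against the full diagram text instead of the excerpt to review every principal at once; a row whose CatalogRole is empty is a plain resource assignment, while a populated one means the inherited group also carries a catalog role.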

With the more recent commits, the following is now able to be used to create an Azure Resource Group for the service that also enables eligible PIM assignments for Azure access.

```powershell
$service = New-EntraOpsSubscriptionLandingZoneAlt -ServiceMembers $serviceMember -ServiceOwner $serviceOwner -ProhibitDirectElevation
```

soulemike, Nov 09 '25 22:11