Merge pull request #277316 from davidsmatlak/ds-rbac-arg-samples-20240605

Stacyrch140 · web-flow · commit 4e5cd4f2fb44 · 2024-06-05T15:36:21.000-04:00
Add ARG samples to RBAC content set
diff --git a/articles/role-based-access-control/includes/query/authorization-same-principal-scope-condition.md b/articles/role-based-access-control/includes/query/authorization-same-principal-scope-condition.md
@@ -0,0 +1,29 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 01/12/2024
+ms.author: rolyon
+---
+
+```kusto
+AuthorizationResources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend PrincipalId = tostring(properties.principalId) 
+| extend Scope = tolower(properties.scope)
+| extend RoleDefinitionId = tolower(tostring(properties.roleDefinitionId))
+| extend condition = tostring(properties.condition)
+| join kind = leftouter (
+  AuthorizationResources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleName = tostring(properties.roleName)
+  | extend RoleId = tolower(id)
+  | extend RoleType = tostring(properties.type) 
+  | where RoleType == "BuiltInRole"
+  | extend RoleId_RoleName = pack(RoleId, RoleName)
+) on $left.RoleDefinitionId == $right.RoleId
+| summarize count_ = count(), AllRD = make_set(RoleId_RoleName) by PrincipalId, Scope, condition
+| where count_ > 1
+| order by count_ desc
+```
diff --git a/articles/role-based-access-control/includes/query/authorization-same-principal-scope.md b/articles/role-based-access-control/includes/query/authorization-same-principal-scope.md
@@ -0,0 +1,28 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 05/30/2023
+ms.author: rolyon
+---
+
+```kusto
+AuthorizationResources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend PrincipalId = tostring(properties.principalId) 
+| extend Scope = tolower(properties.scope)
+| extend RoleDefinitionId = tolower(tostring(properties.roleDefinitionId))
+| join kind = leftouter (
+  AuthorizationResources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleName = tostring(properties.roleName)
+  | extend RoleId = tolower(id)
+  | extend RoleType = tostring(properties.type) 
+  | where RoleType == "BuiltInRole"
+  | extend RoleId_RoleName = pack(RoleId, RoleName)
+) on $left.RoleDefinitionId == $right.RoleId
+| summarize count_ = count(), AllRD = make_set(RoleId_RoleName) by PrincipalId, Scope
+| where count_ > 1
+| order by count_ desc
+```
diff --git a/articles/role-based-access-control/includes/query/authorization-same-role-principal-condition.md b/articles/role-based-access-control/includes/query/authorization-same-role-principal-condition.md
@@ -0,0 +1,28 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 01/12/2024
+ms.author: rolyon
+---
+
+```kusto
+authorizationresources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend RoleDefinitionId = tolower(tostring(properties.roleDefinitionId))
+| extend PrincipalId = tolower(properties.principalId)
+| extend RoleDefinitionId_PrincipalId = strcat(RoleDefinitionId, "_", PrincipalId)
+| extend condition = tostring(properties.condition)
+| join kind = leftouter (
+  authorizationresources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleDefinitionName = tostring(properties.roleName)
+  | extend rdId = tolower(id)
+  | project RoleDefinitionName, rdId
+) on $left.RoleDefinitionId == $right.rdId
+| summarize count_ = count(), Scopes = make_set(tolower(properties.scope)) by RoleDefinitionId_PrincipalId,RoleDefinitionName
+| project RoleDefinitionId = split(RoleDefinitionId_PrincipalId, "_", 0)[0], RoleDefinitionName, PrincipalId = split(RoleDefinitionId_PrincipalId, "_", 1)[0], count_, Scopes, condition
+| where count_ > 1
+| order by count_ desc
+```
diff --git a/articles/role-based-access-control/includes/query/authorization-same-role-principal.md b/articles/role-based-access-control/includes/query/authorization-same-role-principal.md
@@ -0,0 +1,27 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 05/30/2023
+ms.author: rolyon
+---
+
+```kusto
+authorizationresources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend RoleDefinitionId = tolower(tostring(properties.roleDefinitionId))
+| extend PrincipalId = tolower(properties.principalId)
+| extend RoleDefinitionId_PrincipalId = strcat(RoleDefinitionId, "_", PrincipalId)
+| join kind = leftouter (
+  authorizationresources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleDefinitionName = tostring(properties.roleName)
+  | extend rdId = tolower(id)
+  | project RoleDefinitionName, rdId
+) on $left.RoleDefinitionId == $right.rdId
+| summarize count_ = count(), Scopes = make_set(tolower(properties.scope)) by RoleDefinitionId_PrincipalId,RoleDefinitionName
+| project RoleDefinitionId = split(RoleDefinitionId_PrincipalId, "_", 0)[0], RoleDefinitionName, PrincipalId = split(RoleDefinitionId_PrincipalId, "_", 1)[0], count_, Scopes
+| where count_ > 1
+| order by count_ desc
+```
diff --git a/articles/role-based-access-control/includes/query/authorization-same-role-scope-condition.md b/articles/role-based-access-control/includes/query/authorization-same-role-scope-condition.md
@@ -0,0 +1,27 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 01/12/2024
+ms.author: rolyon
+---
+
+```kusto
+authorizationresources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend RoleId = tolower(tostring(properties.roleDefinitionId))
+| extend condition = tostring(properties.condition)
+| join kind = leftouter (
+  authorizationresources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleDefinitionName = tostring(properties.roleName)
+  | extend RoleId = tolower(id)
+  | project RoleDefinitionName, RoleId
+) on $left.RoleId == $right.RoleId
+| extend principalId = tostring(properties.principalId)
+| extend principal_to_ra = pack(principalId, id)
+| summarize count_ = count(), AllPrincipals = make_set(principal_to_ra) by RoleDefinitionId = RoleId, Scope = tolower(properties.scope), RoleDefinitionName, condition
+| where count_ > 1
+| order by count_ desc
+```
diff --git a/articles/role-based-access-control/includes/query/authorization-same-role-scope.md b/articles/role-based-access-control/includes/query/authorization-same-role-scope.md
@@ -0,0 +1,26 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 05/30/2023
+ms.author: rolyon
+---
+
+```kusto
+authorizationresources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend RoleId = tolower(tostring(properties.roleDefinitionId))
+| join kind = leftouter (
+  authorizationresources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleDefinitionName = tostring(properties.roleName)
+  | extend RoleId = tolower(id)
+  | project RoleDefinitionName, RoleId
+) on $left.RoleId == $right.RoleId
+| extend principalId = tostring(properties.principalId)
+| extend principal_to_ra = pack(principalId, id)
+| summarize count_ = count(), AllPrincipals = make_set(principal_to_ra) by RoleDefinitionId = RoleId, Scope = tolower(properties.scope), RoleDefinitionName
+| where count_ > 1
+| order by count_ desc
+```
diff --git a/articles/role-based-access-control/includes/query/authorization-unused-custom-roles.md b/articles/role-based-access-control/includes/query/authorization-unused-custom-roles.md
@@ -0,0 +1,23 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 05/30/2023
+ms.author: rolyon
+---
+
+```kusto
+AuthorizationResources
+| where type =~ "microsoft.authorization/roledefinitions"
+| where tolower(properties.type) == "customrole"
+| extend rdId = tolower(id)
+| extend Scope = tolower(properties.assignableScopes)
+| join kind = leftouter (
+AuthorizationResources
+  | where type =~ "microsoft.authorization/roleassignments"
+  | extend RoleId = tolower(tostring(properties.roleDefinitionId))
+  | summarize RoleAssignmentCount = count() by RoleId
+) on $left.rdId == $right.RoleId
+| where isempty(RoleAssignmentCount)
+| project RoleDefinitionId = rdId, RoleDefinitionName = tostring(properties.roleName), Scope
+```
diff --git a/articles/role-based-access-control/troubleshoot-limits.md b/articles/role-based-access-control/troubleshoot-limits.md
@@ -68,11 +68,11 @@ To reduce the number of role assignments in the subscription, add principals (us
 
     # [Default](#tab/default)
 
-    [!INCLUDE [resource-graph-query-authorization-same-role-scope](../governance/includes/resource-graph/query/authorization-same-role-scope.md)]
+    [!INCLUDE [resource-graph-query-authorization-same-role-scope](./includes/query/authorization-same-role-scope.md)]
 
     # [Conditions](#tab/conditions)
 
-    [!INCLUDE [resource-graph-query-authorization-same-role-scope-condition](../governance/includes/resource-graph/query/authorization-same-role-scope-condition.md)]
+    [!INCLUDE [resource-graph-query-authorization-same-role-scope-condition](./includes/query/authorization-same-role-scope-condition.md)]
 
     ---
 
@@ -152,11 +152,11 @@ To reduce the number of role assignments in the subscription, remove redundant r
 
     # [Default](#tab/default)
 
-    [!INCLUDE [resource-graph-query-authorization-same-role-principal](../governance/includes/resource-graph/query/authorization-same-role-principal.md)]
+    [!INCLUDE [resource-graph-query-authorization-same-role-principal](./includes/query/authorization-same-role-principal.md)]
 
     # [Conditions](#tab/conditions)
 
-    [!INCLUDE [resource-graph-query-authorization-same-role-principal-condition](../governance/includes/resource-graph/query/authorization-same-role-principal-condition.md)]
+    [!INCLUDE [resource-graph-query-authorization-same-role-principal-condition](./includes/query/authorization-same-role-principal-condition.md)]
 
     ---
 
@@ -222,11 +222,11 @@ To reduce the number of role assignments in the subscription, replace multiple b
 
     # [Default](#tab/default)
 
-    [!INCLUDE [resource-graph-query-authorization-same-principal-scope](../governance/includes/resource-graph/query/authorization-same-principal-scope.md)]
+    [!INCLUDE [resource-graph-query-authorization-same-principal-scope](./includes/query/authorization-same-principal-scope.md)]
 
     # [Condition](#tab/conditions)
 
-    [!INCLUDE [resource-graph-query-authorization-same-principal-scope-condition](../governance/includes/resource-graph/query/authorization-same-principal-scope-condition.md)]
+    [!INCLUDE [resource-graph-query-authorization-same-principal-scope-condition](./includes/query/authorization-same-principal-scope-condition.md)]
 
     ---
 
@@ -324,7 +324,7 @@ Follow these steps to find and delete unused Azure custom roles.
 
     This query checks active role assignments and doesn't consider eligible custom role assignments in [Microsoft Entra Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles). To list eligible custom role assignments, you can use the Microsoft Entra admin center, PowerShell, or REST API. For more information, see [Get-AzRoleEligibilityScheduleInstance](/powershell/module/az.resources/get-azroleeligibilityscheduleinstance) or [Role Eligibility Schedule Instances - List For Scope](/rest/api/authorization/role-eligibility-schedule-instances/list-for-scope).
 
-    [!INCLUDE [resource-graph-query-authorization-unused-custom-roles](../governance/includes/resource-graph/query/authorization-unused-custom-roles.md)]
+    [!INCLUDE [resource-graph-query-authorization-unused-custom-roles](./includes/query/authorization-unused-custom-roles.md)]
 
     The following shows an example of the results:
 
