AzGovViz - Azure Governance Visualizer

AzGovViz version history

AzGovViz version 5

Breaking Changes (2021-Feb-28)

  • When granting Azure Active Directory Graph API permissions, an AAD Role assignment for AAD Group Directory readers was triggered automatically in the background. Since January/February 2021 this is no longer the case. Review the updated AzGovViz technical documentation section for detailed permission requirements.

Let's accelerate by going parallel! (2021-Feb-14)

  • Support for PowerShell Core ONLY! No support for PowerShell version < 7.0.3
  • New section DefinitionInsights - Insights on all built-in and custom Policy, PolicySet and RBAC Role definitions
  • New parameter -NoScopeInsights - Q: Why would you want to do this? A: In larger tenants the ScopeInsights section blows up the HTML file (to the point of being unusable due to its size)
  • New parameter -ThrottleLimit - Leveraging PowerShell Core's parallel capability you can define the ThrottleLimit (default=5)
  • New parameter -DoTranscript - Log the console output
  • Parameter -SubscriptionQuotaIdWhitelist now expects an array
  • Renamed parameter -NoServicePrincipalResolve to -NoAADServicePrincipalResolve
  • Renamed parameter -ServicePrincipalExpiryWarningDays to -AADServicePrincipalExpiryWarningDays
  • Bugfixes

Note: In order to run AzGovViz Version 5 in Azure DevOps you also must use the v5 pipeline YAML.

AzGovViz version 4

Updates 2021-Jan-26

  • Role assignments indicate if User is Member/Guest
  • Enrich information for Policy assignment related ServicePrincipal/Managed Identity (Policy assignment details on policy/set definition and Role assignments)
  • Preloading of TableFilter removed for TenantSummary PolicyAssignmentsAll and RoleAssignmentsAll (on poor hardware loading the HTML file took quite long)
  • Fix 'Orphaned Custom Roles' bug - thanks to Tim Wanierke
  • More bugfixes
  • Performance optimization

Updates 2021-Jan-18

  • Feature: Policy Exemptions
  • Feature: ResourceLocks
  • Feature: Tag Name Usage
  • Feature: Cost Management / Consumption Reporting - use another API
  • Bugfixes

Updates 2021-Jan-08

  • Feature: Cost Management / Consumption Reporting - Changed AzureConsumptionPeriod default to 1 day
  • Bugfixes

Updates 2021-Jan-06 - Happy New Year

  • Feature: Resolve Azure Active Directory Group memberships for Role assignment with identity type 'Group' leveraging Microsoft Graph. With this capability AzGovViz can ultimately provide holistic insights on permissions granted for Management Groups and Subscriptions (honors parameter -DoNotShowRoleAssignmentsUserData). Use parameter -NoAADGroupsResolveMembers to disable the feature
  • Feature: New TenantSummary section 'Azure Active Directory' -> Check all Azure Active Directory Service Principals (type=Application that have a Role assignment) for Secret/Certificate expiry. Mark all Service Principals (type=ManagedIdentity) that are related to Policy assignments. Use parameter -NoServicePrincipalResolve to disable this feature
  • Feature: Cost Management / Consumption Reporting for Subscriptions including aggregation at Management Group level. Use parameter -NoAzureConsumption to disable this feature.
    Note: By default the consumption query requests consumption data for the last full 1 day (if you run it today, it captures the cost for yesterday). Use the parameter -AzureConsumptionPeriod to define a preferred time period, e.g. -AzureConsumptionPeriod 7 (for 7 days)
  • Removed parameter -Experimental. 'Resource Diagnostics Policy Lifecycle' enabled by default. Use -NoResourceDiagnosticsPolicyLifecycle to disable the feature.
  • Renamed parameter -DisablePolicyComplianceStates to -NoPolicyComplianceStates for better consistency
  • Optimize 'Get Resource Types capability for Resource Diagnostics' query - thanks Brooks Vaughn
  • Update Pipeline to honor master/main change
  • Add info to HTML file on parameters used
  • Performance optimization

Updates 2020-Dec-17

  • Now supporting > 5000 entities (Subscriptions/Management Groups) :) thanks Brooks Vaughn

Updates 2020-Dec-15

  • Pipeline azurePowerShellVersion: latestVersion / ensures compatibility with latest Az.ResourceGraph 0.8.0 Release
  • Error handling optimization / API
  • Fix 'deprecated Policy assignments'
  • Fix 'orphaned Custom Role definitions'

Updates 2020-Nov-30

  • New parameter -DisablePolicyComplianceStates, later renamed to -NoPolicyComplianceStates (see Parameters)
  • Error handling optimization / API

Updates 2020-Nov-25

  • Highlight default Management Group
  • Add AzAPICall debugging parameter -DebugAzAPICall
  • Fix for using parameter -HierarchyMapOnly

Updates 2020-Nov-19

Updates 2020-Nov-08

  • Re-model Bearer token handling (Az PowerShell Module Az.Accounts > 1.9.5 no longer provides access to the tokenCache; see GitHub issue)
  • Adding Scope information for Custom Policy definitions and Custom PolicySet definitions sections in TenantSummary
  • Cosmetics and User Experience enhancement
  • New demo

Updates 2020-Nov-01

  • Error handling optimization
  • Enhanced read-permission validation
  • Toggle capabilities in TenantSummary (avoiding information overload)

Updates 2020-Oct-12

  • Adding option to download HTML tables to csv
  • Preloading of TableFilter removed for ScopeInsights (on poor hardware loading the HTML file took quite long)
  • Added column un-select option for some HTML tables
  • Performance optimization

Release v4

  • Resource information for Management Groups (Resources in all child Subscriptions) in the ScopeInsights section
  • Excluded Subscriptions information (whitelisted, disabled, AAD_ QuotaId)
  • Bugfixes, Bugfixes, Bugfixes
  • Cosmetics and User Experience enhancement
  • Performance optimization
  • API error handling / retry optimization
  • New Parameters -NoASCSecureScore, -NoResourceProvidersDetailed (see Parameters)

AzGovViz version 3

  • HTML filterable tables
  • Resource Types Diagnostics capability check
  • ResourceDiagnostics Policy Lifecycle recommendations (experimental)
  • Resource Diagnostics Policy Findings
  • Resource Provider details
  • Policy assignments filter excluded scopes
  • Use of deprecated built-in Policy definitions
  • Subscription QuotaId Whitelist

AzGovViz version 2

  • Optimized user experience for the HTML output
  • TenantSummary / selected Management Group scope
  • Reflect Tenant, ManagementGroup and Subscription Limits for Azure Governance capabilities
  • Some security related best practice highlighting
  • More details: Management Groups, Subscriptions, Policy definitions, PolicySet definitions (Initiatives), orphaned Policy definitions, RBAC and Policy related RBAC (DINE MI), orphaned Role definitions, orphaned Role assignments, Blueprints, Subscription State, Subscription QuotaId, Subscription Tags, Azure Security Center Secure Score, ResourceGroups count, Resource types and count by region, Limits, Security findings
  • Resources / leveraging Azure Resource Graph
  • Parameter based output (hierarchy only, 'scrubbed' user information and more)
  • HTML version check