Created
May 28, 2020 11:14
-
-
Save bgelens/58c7854b9a111a46363deccf13ea7937 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $tenantId = '' | |
| $context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext | |
| $token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate( | |
| $context.Account, | |
| $context.Environment, | |
| $context.Tenant.Id.ToString(), | |
| $null, | |
| [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, | |
| $null, | |
| 'https://management.azure.com/' | |
| ) | |
| $subscriptions = Get-AzSubscription -TenantId $tenantId | |
| $body = @{ | |
| subscriptionId = @( | |
| $subscriptions.SubscriptionId | |
| ) | |
| subscriptionName = @( | |
| $subscriptions.Name | |
| ) | |
| } | ConvertTo-Json | |
| @( | |
| 'Azure CIS 1.1.0' | |
| 'PCI DSS 3.2.1' | |
| 'SOC TSP' | |
| 'ISO 27001' | |
| ) | ForEach-Object -Process { | |
| $escapedReportName = [uri]::EscapeDataString($_) | |
| irm "https://s2.security.ext.azure.com/api/regulatoryCompliance/reports/executiveSummary?standardName=$escapedReportName" -Headers @{ | |
| Authorization = "Bearer $($token.AccessToken)" | |
| } -Method Post -Body $body -OutFile "/Users/bengelens/Desktop/$_.pdf" | |
| } |
TBH, I did not think about it until now :( Too busy with non azure things past couple of weeks. Maybe during the weekend (no promises)
@scarytoon I investigated a little bit and found that it's the tokens that are not working anymore. When copying a token used in the portal and passing it in as the bearer token for the PowerShell script, things work fine.
I diffed the tokens and found a couple of noticeable differences.
- The resource used in the portal is
https://management.core.windows.net/ - The application in the jwt token is of appidacr type 2 (certifcate auth) with app id c44b4083-3bb0-49c1-b47d-974e53cbdf3c (portal app)
They might have constrained access to this app id. There is no way to know :(
@scarytoon I just noticed @JustinGrote created a function that can fetch a token as the portal app. I did not check it out yet but it might be usable for this scenario as well.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
HI, did you have any luck of getting it to work ?