Get-AzureSecurityCenterComplianceReport.ps1

$tenantId = ''
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
  $context.Account,
  $context.Environment,
  $context.Tenant.Id.ToString(),
  $null,
  [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never,
  $null,
  'https://management.azure.com/'
)


$subscriptions = Get-AzSubscription -TenantId $tenantId
$body = @{
  subscriptionId = @(
    $subscriptions.SubscriptionId
  )
  subscriptionName = @(
    $subscriptions.Name
  )
} | ConvertTo-Json

@(
  'Azure CIS 1.1.0'
  'PCI DSS 3.2.1'
  'SOC TSP'
  'ISO 27001'
) | ForEach-Object -Process {
  $escapedReportName = [uri]::EscapeDataString($_)
  irm "https://s2.security.ext.azure.com/api/regulatoryCompliance/reports/executiveSummary?standardName=$escapedReportName" -Headers @{
    Authorization = "Bearer $($token.AccessToken)"
  } -Method Post -Body $body -OutFile "/Users/bengelens/Desktop/$_.pdf"
}

@scarytoon I investigated a little bit and found that it's the tokens that are not working anymore. When copying a token used in the portal and passing it in as the bearer token for the PowerShell script, things work fine.

I diffed the tokens and found a couple of noticeable differences.

1. The resource used in the portal is https://management.core.windows.net/
2. The application in the jwt token is of appidacr type 2 (certifcate auth) with app id c44b4083-3bb0-49c1-b47d-974e53cbdf3c (portal app)

They might have constrained access to this app id. There is no way to know :(

@scarytoon I just noticed @JustinGrote created a function that can fetch a token as the portal app. I did not check it out yet but it might be usable for this scenario as well.

https://github.com/JustinGrote/AzSpotPricing/blob/main/Modules/Az.SpotPricing/Get-AzPortalToken.ps1