
Microsoft Azure alert to mail when any service principal is getting expired

I need to know if there is any simple script which I can run from Azure CLI or Azure Automation. I am amazed that in 2022 there is no ready-made solution by default that sends a mail alert when a service principal is getting expired.

I am new to Azure admin stuff; could you help us to run the Azure CLI or Azure Automation (what modules I need to install & which script to get the alert)? I have found a script but somehow it is not running in Azure CLI and Azure Automation.

https://dev.azure.com/leo1984sandeep/Sandeep%20Project/_git/Sandeep%20Project?path=/Useful%20Powershell%20Scripts/get%20SPN%20details%20with%20secret%20expiry.ps1

Thanks, Anuj Gupta

Please check if my findings are helpful.

We can use the below script to automate getting an alert when our service principal is about to expire, using SendGrid:

PowerShell Script:

Param
(
    [Parameter (Mandatory = $true,
        HelpMessage = "Enter the originating email address.")]
    [string] $FromEmailAddress,
    [Parameter (Mandatory = $true,
        HelpMessage = "Enter the destination email address.")]
    [string] $ToEmailAddress,
    [Parameter (Mandatory = $true,
        HelpMessage = "Enter the email subject.")]
    [string] $EmailSubject,
    [Parameter (Mandatory = $true,
        HelpMessage = "Enter the number of days to warn of credential expiry")]
    [int] $ExpiresInDays   # typed as int so AddDays() below receives a number, not a string
)

function Send-EmailWithSendGrid {
    Param
    (
        [Parameter(Mandatory = $true)]
        [string] $From,

        [Parameter(Mandatory = $true)]
        [string] $To,

        [Parameter(Mandatory = $true)]
        [string] $ApiKey,

        [Parameter(Mandatory = $true)]
        [string] $Subject,

        [Parameter(Mandatory = $true)]
        [string] $Body
    )

    # SendGrid v3 mail/send: bearer token in the Authorization header, JSON body
    $headers = @{}
    $headers.Add("Authorization", "Bearer $ApiKey")
    $headers.Add("Content-Type", "application/json")

    $jsonRequest = [ordered]@{
        personalizations = @(@{
                to      = @(@{ email = "$To" })
                subject = "$Subject"
            })
        from             = @{ email = "$From" }
        content          = @(@{
                type  = "text/plain"
                value = "$Body"
            })
    } | ConvertTo-Json -Depth 10

    Invoke-RestMethod -Uri "https://api.sendgrid.com/v3/mail/send" -Method Post -Headers $headers -Body $jsonRequest
}

# Sign in with the Automation account's Run As connection.
# Note: Azure Automation Run As accounts were retired in September 2023; on a
# current Automation account use a system-assigned managed identity and replace
# this block with: Connect-AzAccount -Identity
$connectionName = "AzureRunAsConnection"
try {
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    $connectionResult = Connect-AzAccount -Tenant $servicePrincipalConnection.TenantID `
        -ApplicationId $servicePrincipalConnection.ApplicationID `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
        -ServicePrincipal
    "Logged in."
}
catch {
    if (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    }
    else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

Write-Host 'Gathering necessary information...'
$applications = Get-AzADApplication

# Flatten every application credential (secret or certificate) into one row.
# Az.Resources 4.x exposes ApplicationId / StartDate / EndDate; the Microsoft
# Graph based 5.x and later expose AppId / StartDateTime / EndDateTime, so both
# property names are tried.
$appWithCredentials = @()
$appWithCredentials += $applications | Sort-Object -Property DisplayName | ForEach-Object {
    $application = $_
    Write-Verbose ('Fetching information for application {0}' -f $application.DisplayName)
    $application | Get-AzADAppCredential -ErrorAction SilentlyContinue | Select-Object -Property `
        @{Name = 'DisplayName';   Expression = { $application.DisplayName } },
        @{Name = 'ObjectId';      Expression = { $application.Id } },
        @{Name = 'ApplicationId'; Expression = { if ($application.AppId) { $application.AppId } else { $application.ApplicationId } } },
        @{Name = 'KeyId';         Expression = { $_.KeyId } },
        @{Name = 'Type';          Expression = { $_.Type } },
        @{Name = 'StartDate';     Expression = { $(if ($_.StartDateTime) { $_.StartDateTime } else { $_.StartDate }) -as [datetime] } },
        @{Name = 'EndDate';       Expression = { $(if ($_.EndDateTime) { $_.EndDateTime } else { $_.EndDate }) -as [datetime] } }
}

Write-Host 'Validating expiration data...'
$today = (Get-Date).ToUniversalTime()
$limitDate = $today.AddDays($ExpiresInDays)
$appWithCredentials | Sort-Object EndDate | ForEach-Object {
    if ($_.EndDate -lt $today) {
        $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Expired'
    }
    elseif ($_.EndDate -le $limitDate) {
        $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'ExpiringSoon'
    }
    else {
        $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Valid'
    }
}

$ExpiringAppCredentials = $appWithCredentials | Where-Object { $_.Status -eq 'Expired' -or $_.Status -eq 'ExpiringSoon' } | Sort-Object -Property DisplayName
$ExpiringAppCredentialsString = $ExpiringAppCredentials | Out-String
#$ExpiringAppCredentialsString = $ExpiringAppCredentials | Sort-Object -Property EndDate | Format-Table -Property DisplayName, StartDate, EndDate, Status, ApplicationId, KeyId, Type | Out-String

# Read the SendGrid API key from an Automation variable (store it as an
# encrypted variable) rather than hard-coding it in the runbook.
$ApiKeyString = Get-AutomationVariable -Name "SendGridAutomationCloudServices"

Send-EmailWithSendGrid -From $FromEmailAddress -To $ToEmailAddress -ApiKey $ApiKeyString -Subject $EmailSubject -Body "$ExpiringAppCredentialsString"

For more information please refer to this MICROSOFT | TECH COMMUNITY post.
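The answer's script only inventories credentials attached to application objects through the Az module and is tied to a Run As connection. The following is an added example (not code from the question, the answer, or Microsoft) that goes a step further: it uses the Microsoft Graph PowerShell SDK to collect both client secrets (passwordCredentials) and certificates (keyCredentials) from application objects and from service principal objects, and separates the pure expiry classification from the tenant query so the classification can be checked offline. It assumes the Microsoft.Graph.Applications module is installed and that the identity running it (a managed identity under Azure Automation, via Connect-MgGraph -Identity) has been granted the Application.Read.All permission; the function names, the Owner/CredType/DaysLeft field names and the sample records are this example's own constructions.

```powershell
# Pure classification: takes flat credential records and a warning window,
# returns one object per credential with Status = Expired / ExpiringSoon / Valid.
function Get-CredentialExpiryStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Credentials,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $limit = $Now.AddDays($WarnDays)
    foreach ($c in $Credentials) {
        # A credential without an end date cannot be classified; skip rather than miscount it
        if (-not $c.EndDateTime) { continue }
        $end = [datetime]$c.EndDateTime
        if ($end -lt $Now)        { $status = 'Expired' }
        elseif ($end -le $limit)  { $status = 'ExpiringSoon' }
        else                      { $status = 'Valid' }
        [pscustomobject]@{
            Owner      = $c.Owner
            ObjectType = $c.ObjectType
            AppId      = $c.AppId
            CredType   = $c.CredType
            KeyId      = $c.KeyId
            EndDateUtc = $end.ToUniversalTime()
            DaysLeft   = [math]::Floor(($end - $Now).TotalDays)
            Status     = $status
        }
    }
}

# Flatten one Graph object (application or service principal) into records.
# Secrets live in PasswordCredentials, certificates in KeyCredentials.
function ConvertTo-CredentialRecord {
    param(
        [Parameter(Mandatory)] $Object,
        [Parameter(Mandatory)] [string] $ObjectType
    )
    foreach ($p in @($Object.PasswordCredentials)) {
        [pscustomobject]@{ Owner = $Object.DisplayName; ObjectType = $ObjectType
            AppId = $Object.AppId; CredType = 'Secret'; KeyId = $p.KeyId
            EndDateTime = $p.EndDateTime }
    }
    foreach ($k in @($Object.KeyCredentials)) {
        [pscustomobject]@{ Owner = $Object.DisplayName; ObjectType = $ObjectType
            AppId = $Object.AppId; CredType = 'Certificate'; KeyId = $k.KeyId
            EndDateTime = $k.EndDateTime }
    }
}

# Live collection (hypothetical helper). Run Connect-MgGraph -Identity in an
# Automation runbook, or Connect-MgGraph -Scopes Application.Read.All interactively, first.
function Get-TenantCredentialRecords {
    $select = 'id,appId,displayName,passwordCredentials,keyCredentials'
    Get-MgApplication -All -Property $select |
        ForEach-Object { ConvertTo-CredentialRecord -Object $_ -ObjectType 'Application' }
    Get-MgServicePrincipal -All -Property $select |
        ForEach-Object { ConvertTo-CredentialRecord -Object $_ -ObjectType 'ServicePrincipal' }
}

# Offline demonstration with constructed sample records (not real tenant output).
$sample = @(
    [pscustomobject]@{ Owner = 'billing-api'; ObjectType = 'Application'; AppId = '00000000-0000-0000-0000-000000000001'
        CredType = 'Secret'; KeyId = 'k1'; EndDateTime = '2022-01-01T00:00:00Z' },
    [pscustomobject]@{ Owner = 'billing-api'; ObjectType = 'Application'; AppId = '00000000-0000-0000-0000-000000000001'
        CredType = 'Certificate'; KeyId = 'k2'; EndDateTime = '2022-03-10T00:00:00Z' },
    [pscustomobject]@{ Owner = 'ci-runner'; ObjectType = 'ServicePrincipal'; AppId = '00000000-0000-0000-0000-000000000002'
        CredType = 'Secret'; KeyId = 'k3'; EndDateTime = '2023-01-01T00:00:00Z' }
)
$report = Get-CredentialExpiryStatus -Credentials $sample -WarnDays 30 -Now ([datetime]'2022-03-01T00:00:00Z')
$report | Where-Object Status -ne 'Valid' | Format-Table -AutoSize

# Against a real tenant, replace $sample with the live records and hand the
# non-Valid rows to whatever delivery you use (the SendGrid function above works):
# $report = Get-CredentialExpiryStatus -Credentials (Get-TenantCredentialRecords) -WarnDays 30
```

Keeping the classification free of any Graph or Az call means the threshold logic can be exercised with fixed dates in a test runbook, and the report carries the credential type and the owning object, so a reader of the alert can tell a certificate on a service principal from a client secret on an application.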

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM