Microsoft Azure As Built Report

Microsoft Azure As Built Report is a PowerShell module which works in conjunction with AsBuiltReport.Core.

AsBuiltReport is an open-sourced community project which utilises PowerShell to produce as-built documentation in multiple document formats for multiple vendors and technologies.

Please refer to the AsBuiltReport website for more detailed information about this project.

The Microsoft Azure As Built Report currently supports reporting for the following Azure resources;

  • Availability Sets
  • Bastion Hosts
  • ExpressRoute Circuits
  • Firewalls
  • Firewall Policies
  • IP Groups
  • Key Vaults
  • Load Balancers
  • Log Analytics Workspaces
  • Policies
  • Private DNS Resolvers
  • Private Endpoints
  • Route Tables
  • Storage Accounts
  • Subscriptions
  • Tenants
  • Virtual Machines
  • Virtual Networks

🔰 Getting Started

Below are the instructions on how to install, configure and generate a Microsoft Azure As Built report.

PowerShell

This report is compatible with the following PowerShell versions;

  • Windows PowerShell 5.1
  • PowerShell 7

🗺️ Language Support

The Microsoft Azure As Built Report supports the following languages;

  • English (US) (Default)
  • English (GB)

🔧 System Requirements

PowerShell 5.1 or PowerShell 7, and the following PowerShell modules are required for generating a Microsoft Azure As Built Report.

🔐 Required Privileges

The Microsoft Azure As Built Report requires an Azure AD account. This report will not work with personal Azure accounts.

The least privileged roles required to generate a Microsoft Azure As Built Report are;

  • Reader
  • Backup Reader
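
A check that the reporting account holds only the two roles listed above, as an added example (not part of the AsBuiltReport project). The sample assignments are constructed and `<report-account-upn>` is a placeholder; `Get-AzRoleAssignment` is the Az module cmdlet.

```powershell
# Added example, not AsBuiltReport code. Compares the roles a reporting account
# holds against the least-privileged roles this README lists.
function Compare-ReportAccountRole {
    param(
        [AllowEmptyCollection()] [object[]] $Assignment = @(),
        [string[]] $AllowedRole = @('Reader', 'Backup Reader')
    )
    # Role names actually held, de-duplicated across scopes.
    $held = @($Assignment | Select-Object -ExpandProperty RoleDefinitionName -Unique)
    [pscustomobject]@{
        # Roles the report needs but the account lacks.
        Missing = @($AllowedRole | Where-Object { $_ -notin $held })
        # Anything beyond the allowed set is privilege the report does not need.
        Excess  = @($Assignment |
                    Where-Object { $_.RoleDefinitionName -notin $AllowedRole } |
                    Select-Object RoleDefinitionName, Scope)
    }
}

# Constructed sample shaped like Get-AzRoleAssignment output (placeholder scopes).
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader'
                       Scope = '/subscriptions/<subscription-id>' }
    [pscustomobject]@{ RoleDefinitionName = 'Contributor'
                       Scope = '/subscriptions/<subscription-id>/resourceGroups/rg-example' }
)
$result = Compare-ReportAccountRole -Assignment $sample
$result.Missing                  # roles still to be granted
$result.Excess | Format-Table    # roles to review and remove

# Live use (run Connect-AzAccount first; the UPN is a placeholder):
# $live = Get-AzRoleAssignment -SignInName '<report-account-upn>' -ExpandPrincipalGroups
# Compare-ReportAccountRole -Assignment $live
```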

📦 Module Installation

PowerShell

Open a PowerShell terminal window and install each of the required modules.

Note

Microsoft Az 14.4.0 or higher is required. Please ensure older Az modules have been uninstalled.

# Install
install-module Az -Repository PSGallery -MinimumVersion 14.4.0 -Force
install-module AsBuiltReport.Microsoft.Azure -Repository PSGallery -Force

# Update
update-module Az -Force
update-module AsBuiltReport.Microsoft.Azure -Force

GitHub

If you are unable to use the PowerShell Gallery, you can still install the module manually. Ensure you repeat the following steps for the system requirements also.

  1. Download the code package / latest release zip from GitHub
  2. Extract the zip file
  3. Copy the folder AsBuiltReport.Microsoft.Azure to a path that is set in $env:PSModulePath.
  4. Open a PowerShell terminal window and unblock the downloaded files with
    $path = (Get-Module -Name AsBuiltReport.Microsoft.Azure -ListAvailable).ModuleBase; Unblock-File -Path $path\*.psd1; Unblock-File -Path $path\Src\Public\*.ps1; Unblock-File -Path $path\Src\Private\*.ps1
  5. Close and reopen the PowerShell terminal window.

Note: You are not limited to installing the module to those example paths, you can add a new entry to the environment variable PSModulePath if you want to use another path.

✏️ Configuration

The Microsoft Azure As Built Report utilises a JSON file to allow configuration of report information, options, detail and healthchecks.

Important

Please remember to generate a new report JSON configuration file after each module update to ensure the report functions correctly.

A Microsoft Azure report configuration file can be generated by executing the following command;

New-AsBuiltReportConfig -Report Microsoft.Azure -FolderPath <User specified folder> -Filename <Optional>

Executing this command will copy the default Microsoft Azure report JSON configuration to a user specified folder.

All report settings can then be configured via the JSON file.

The following provides information on how to configure each schema within the report's JSON file.

Report

The Report schema provides configuration of the Microsoft Azure report information.

| Sub-Schema | Setting | Default | Description |
|---|---|---|---|
| Name | User defined | Microsoft Azure As Built Report | The name of the As Built Report |
| Version | User defined | 1.0 | The report version |
| Status | User defined | Released | The report release status |
| Language | User defined | en-US | The default report language. This can be customised if the report module provides multilingual support |
| ShowCoverPageImage | true / false | true | Toggle to enable/disable the display of the cover page image |
| ShowTableOfContents | true / false | true | Toggle to enable/disable table of contents |
| ShowHeaderFooter | true / false | true | Toggle to enable/disable document headers & footers |
| ShowTableCaptions | true / false | true | Toggle to enable/disable table captions/numbering |

Options

The Options schema allows certain options within the report to be toggled on or off.

| Sub-Schema | Setting | Default | Description |
|---|---|---|---|
| ShowSectionInfo | true / false | true | Toggle to enable/disable information relating to Azure resources within each section. |
| ShowTags | true / false | true | Toggle to enable/disable the display of Azure resource tags. |

Note: Reporting of tags is not currently available on all Azure resources. Tags will only be displayed for Azure resources when the relevant section InfoLevel is configured to 2 or higher.

Filter

The Filter schema allows report content to be filtered to specific Azure subscriptions within a tenant.

| Sub-Schema | Setting | Default | Description |
|---|---|---|---|
| Subscription | User defined | * | Filters report content to specific Azure subscription IDs within a tenant. Specifying an asterisk (*) will generate a report for all Azure subscriptions within a tenant. |

Example 1: Generate a report for all Azure subscriptions within a tenant.

"Filter": {
    "Subscription": ["*"]
},

Example 2: Filter report content to specific Azure subscription IDs within a tenant.

"Filter": {
    "Subscription": ["555fff88-777d-1234-987a-23bc67890z5","666dfg67-654h-1234-984f-08kb67834y8"]
},

InfoLevel

The InfoLevel schema allows configuration of each section of the report at a granular level. The following sections can be set.

There are 5 levels (0-4) of detail granularity for each section as follows;

| Setting | InfoLevel | Description |
|---|---|---|
| 0 | Disabled | Does not collect or display any information |
| 1 | Enabled / Summary | Provides summarised information for a collection of objects |
| 2 | Detailed | Provides detailed information for individual objects |
| 3 | Adv Detailed | Provides detailed information for individual objects, as well as information for associated objects |
| 4 | Comprehensive | Provides comprehensive information for individual objects, such as advanced configuration settings |

The table below outlines the default and maximum InfoLevel settings for each section.

| Sub-Schema | Default Setting | Maximum Setting |
|---|---|---|
| AvailabilitySet | 1 | 1 |
| Bastion | 1 | 2 |
| DnsPrivateResolver | 1 | 2 |
| ExpressRoute | 1 | 2 |
| Firewall | 1 | 3 |
| FirewallPolicy | 1 | 4 |
| IpGroup | 1 | 2 |
| KeyVault | 1 | 1 |
| LoadBalancer | 1 | 2 |
| LogAnalyticsWorkspace | 1 | 2 |
| NetworkSecurityGroup | 1 | 2 |
| Policy > Assignments | 1 | 2 |
| Policy > Definitions | 0 | 1 |
| RecoveryServicesVault | 1 | 2 |
| RouteTable | 1 | 2 |
| SiteRecovery | 1 | 1 |
| StorageAccount | 1 | 2 |
| Subscription | 1 | 1 |
| Tenant | 1 | 1 |
| VirtualNetwork | 1 | 2 |
| VirtualMachine | 1 | 2 |

Healthcheck

The Healthcheck schema is used to toggle health checks on or off.

Bastion

The Bastion schema is used to configure health checks for Azure Bastion.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Bastion instances in a failed provisioning state | Critical: Provisioning is in a critical state |

DnsPrivateResolver

The DnsPrivateResolver schema is used to configure health checks for Azure DNS Private Resolver.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights DNS Private Resolvers in a failed provisioning state | Critical: Provisioning is in a critical state |
| CurrentState | true / false | true | Highlights DNS Private Resolvers not in a Connected state | Warning: DNS Private Resolver is not Connected |

ExpressRoute

The ExpressRoute schema is used to configure health checks for Azure ExpressRoute.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| CircuitStatus | true / false | true | Highlights ExpressRoute circuits which are disabled | Critical: ExpressRoute circuit is disabled |

Firewall

The Firewall schema is used to configure health checks for Azure Firewall.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Firewalls in a failed provisioning state | Critical: Provisioning is in a critical state |

FirewallPolicy

The FirewallPolicy schema is used to configure health checks for Azure Firewall Policy.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Firewall Policies in a failed provisioning state | Critical: Provisioning is in a critical state |
| ThreatIntelMode | true / false | true | Highlights Firewall Policies with Threat Intelligence disabled | Warning: Threat Intelligence is disabled |

IpGroup

The IpGroup schema is used to configure health checks for Azure IP Groups.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights IP Groups in a failed provisioning state | Critical: Provisioning is in a critical state |

KeyVault

The KeyVault schema is used to configure health checks for Azure Key Vault.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| SoftDelete | true / false | true | Highlights Key Vaults without soft delete enabled | Critical: Soft delete is disabled |
| PurgeProtection | true / false | true | Highlights Key Vaults without purge protection enabled | Warning: Purge protection is disabled |
| PublicNetworkAccess | true / false | true | Highlights Key Vaults with public network access enabled | Warning: Public network access is enabled |
| RBACAuthorization | true / false | true | Highlights Key Vaults without RBAC authorization enabled | Warning: RBAC authorization is disabled |

LoadBalancer

The LoadBalancer schema is used to configure health checks for Azure Load Balancer.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Load Balancers in a failed provisioning state | Critical: Provisioning is in a critical state |

LogAnalyticsWorkspace

The LogAnalyticsWorkspace schema is used to configure health checks for Azure Log Analytics Workspace.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights workspaces which are in a critical state | Critical: Provisioning is in a critical state |
| PublicNetworkAccessForIngestion | true / false | true | Highlights workspaces which have public network access enabled for ingestion | Warning: Public network access for ingestion is enabled |
| PublicNetworkAccessForQuery | true / false | true | Highlights workspaces which have public network access enabled for query | Warning: Public network access for query is enabled |

NetworkSecurityGroup

The NetworkSecurityGroup schema is used to configure health checks for Azure Network Security Groups.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights NSGs in a failed provisioning state | Critical: Provisioning is in a critical state |
| OverlyPermissiveRules | true / false | true | Highlights NSG rules with overly permissive source addresses (*, 0.0.0.0/0, Internet) | Warning: Rule has overly permissive source address |

PrivateEndpoint

The PrivateEndpoint schema is used to configure health checks for Azure Private Endpoints.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Private Endpoints in a failed provisioning state | Critical: Provisioning is in a critical state |
| ConnectionStatus | true / false | true | Highlights Private Endpoints with connection status not Approved | Critical: Connection is not Approved |

RecoveryServicesVault

The RecoveryServicesVault schema is used to configure health checks for Azure Recovery Services Vault.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Recovery Services Vaults in a failed provisioning state | Critical: Provisioning is in a critical state |
| PrivateEndpointStateForBackup | true / false | true | Highlights vaults without private endpoints configured for backup | Warning: Private endpoint for backup is not configured |

RouteTable

The RouteTable schema is used to configure health checks for Azure Route Tables.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Route Tables in a failed provisioning state | Critical: Provisioning is in a critical state |

SiteRecovery

The SiteRecovery schema is used to configure health checks for Azure Site Recovery.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ReplicationHealth | true / false | true | Highlights replicated items which are in a critical state | Critical: Replication health is in a critical state |
| FailoverHealth | true / false | true | Highlights the failover health status of replicated items | Warning: A successful test failover has not been performed on the replicated item |

StorageAccount

The StorageAccount schema is used to configure health checks for Azure Storage Account.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights storage accounts which are in a critical state | Critical: Provisioning is in a critical state |
| StorageAccountKeyAccess | true / false | true | Highlights storage accounts which have storage account key access enabled | Warning: Storage account key access is enabled |
| SecureTransfer | true / false | true | Highlights storage accounts which do not have secure transfer enabled | Warning: Secure transfer is disabled |
| BlobAnonymousAccess | true / false | true | Highlights storage accounts which have Blob anonymous read access enabled | Warning: Anonymous read access is enabled |
| PublicNetworkAccess | true / false | true | Highlights storage accounts which have public network access enabled | Warning: Public network access is enabled |
| MinimumTlsVersion | true / false | true | Highlights storage accounts which have TLS 1.0 or TLS 1.1 configured | Critical: TLS version 1.0 or 1.1 configured |

VirtualMachine

The VirtualMachine schema is used to configure health checks for Azure Virtual Machines.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| Status | true / false | true | Highlights VMs which are not in a running state | Warning: VM is in a deallocated state |
| DiskEncryption | true / false | true | Highlights VMs which do not have disk encryption enabled | Warning: Disk encryption is disabled |
| BootDiagnostics | true / false | true | Highlights VMs which do not have boot diagnostics enabled with a custom storage account | Critical: Boot diagnostics is disabled; Warning: Boot diagnostics is enabled with a managed storage account |
| BackupEnabled | true / false | true | Highlights VMs which do not have Azure Backup enabled | Warning: Backup is disabled |

VirtualNetwork

The VirtualNetwork schema is used to configure health checks for Azure Virtual Networks.

| Sub-Schema | Setting | Default | Description | Highlight |
|---|---|---|---|---|
| ProvisioningState | true / false | true | Highlights Virtual Networks in a failed provisioning state | Critical: Provisioning is in a critical state |
| DnsServers | true / false | true | Highlights Virtual Networks using default Azure-provided DNS | Info: Using default Azure-provided DNS |
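
A health check set to false, or a section at InfoLevel 0, drops its findings from the report without any notice, so the configuration file is worth reviewing before a report is relied on. The following is an added example (not part of the AsBuiltReport project) that lists such settings; the JSON fragment is constructed and assumes top-level keys named after the schemas described above, with `Policy` nested as the "Policy > Assignments" notation suggests.

```powershell
# Added example, not AsBuiltReport code. Constructed config fragment; the key
# names are assumed to match the schema names documented in this README.
$json = @'
{
  "InfoLevel": { "KeyVault": 1, "StorageAccount": 0, "Firewall": 4,
                 "Policy": { "Assignments": 1, "Definitions": 0 } },
  "HealthCheck": {
    "KeyVault":       { "SoftDelete": true, "PurgeProtection": false },
    "StorageAccount": { "MinimumTlsVersion": true, "BlobAnonymousAccess": false }
  }
}
'@

# Maximum InfoLevel per section, copied from the InfoLevel table above.
$DocumentedMax = @{
    AvailabilitySet = 1; Bastion = 2; DnsPrivateResolver = 2; ExpressRoute = 2
    Firewall = 3; FirewallPolicy = 4; IpGroup = 2; KeyVault = 1; LoadBalancer = 2
    LogAnalyticsWorkspace = 2; NetworkSecurityGroup = 2; RecoveryServicesVault = 2
    RouteTable = 2; SiteRecovery = 1; StorageAccount = 2; Subscription = 1
    Tenant = 1; VirtualNetwork = 2; VirtualMachine = 2
}

function Get-ReportConfigFinding {
    param(
        [Parameter(Mandatory)] [psobject]  $Config,
        [Parameter(Mandatory)] [hashtable] $MaxInfoLevel
    )
    foreach ($section in $Config.InfoLevel.PSObject.Properties) {
        if ($section.Value -isnot [ValueType]) { continue }   # skip nested schemas (Policy)
        $level = [int]$section.Value
        if ($level -eq 0) {
            [pscustomobject]@{ Schema = 'InfoLevel'; Item = $section.Name
                               Finding = 'Section disabled (0): nothing is collected' }
        }
        elseif ($MaxInfoLevel.ContainsKey($section.Name) -and $level -gt $MaxInfoLevel[$section.Name]) {
            [pscustomobject]@{ Schema = 'InfoLevel'; Item = $section.Name
                               Finding = "Level $level is above the documented maximum $($MaxInfoLevel[$section.Name])" }
        }
    }
    foreach ($resource in $Config.HealthCheck.PSObject.Properties) {
        foreach ($check in $resource.Value.PSObject.Properties) {
            if ($check.Value -is [bool] -and -not $check.Value) {
                [pscustomobject]@{ Schema = 'HealthCheck'; Item = "$($resource.Name).$($check.Name)"
                                   Finding = 'Health check disabled: issue will not be highlighted' }
            }
        }
    }
}

Get-ReportConfigFinding -Config ($json | ConvertFrom-Json) -MaxInfoLevel $DocumentedMax | Format-Table -AutoSize
```

To review a real file, replace `$json` with `Get-Content -Raw -Path 'C:\Users\Tim\AsBuiltReport\AsBuiltReport.Microsoft.Azure.json'`.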

💻 Examples

# Generate a Microsoft Azure As Built Report for Tenant ID '555fff88-777d-1234-987a-23bc67890z5' using 3rd party authentication. Export report to HTML & DOCX formats. Use default report style. Append timestamp to report filename. Save reports to 'C:\Users\Tim\Documents'
PS C:\> New-AsBuiltReport -Report Microsoft.Azure -Target '555fff88-777d-1234-987a-23bc67890z5' -UseInteractiveAuth -Format Html,Word -OutputFolderPath 'C:\Users\Tim\Documents' -Timestamp

# Generate a Microsoft Azure As Built Report for Tenant ID '555fff88-777d-1234-987a-23bc67890z5' using specified credentials and report configuration file. Export report to Text, HTML & DOCX formats. Use default report style. Save reports to 'C:\Users\Tim\Documents'. Display verbose messages to the console.
PS C:\> New-AsBuiltReport -Report Microsoft.Azure -Target '555fff88-777d-1234-987a-23bc67890z5' -Username '[email protected]' -Password 'MyP@ssw0rd!' -Format Text,Html,Word -OutputFolderPath 'C:\Users\Tim\Documents' -ReportConfigFilePath 'C:\Users\Tim\AsBuiltReport\AsBuiltReport.Microsoft.Azure.json' -Verbose

# Generate a Microsoft Azure As Built Report for Tenant ID '555fff88-777d-1234-987a-23bc67890z5' using stored credentials. Export report to HTML & Text formats. Use default report style. Highlight environment issues within the report. Save reports to 'C:\Users\Tim\Documents'.
PS C:\> $Creds = Get-Credential
PS C:\> New-AsBuiltReport -Report Microsoft.Azure -Target '555fff88-777d-1234-987a-23bc67890z5' -Credential $Creds -Format Html,Text -OutputFolderPath 'C:\Users\Tim\Documents' -EnableHealthCheck

# Generate a Microsoft Azure As Built Report for Tenant ID '555fff88-777d-1234-987a-23bc67890z5' using specified credentials. Report exports to WORD format by default. Apply custom style to the report. Reports are saved to the user profile folder by default.
PS C:\> New-AsBuiltReport -Report Microsoft.Azure -Target '555fff88-777d-1234-987a-23bc67890z5' -Username '[email protected]' -Password 'MyP@ssw0rd!' -StyleFilePath 'C:\Scripts\Styles\MyCustomStyle.ps1'

# Generate a Microsoft Azure As Built Report for Tenant ID '555fff88-777d-1234-987a-23bc67890z5' using specified credentials. Report exports to WORD format by default. Generate report in Spanish. Reports are saved to the user profile folder by default.
PS C:\> New-AsBuiltReport -Report Microsoft.Azure -Target '555fff88-777d-1234-987a-23bc67890z5' -Username '[email protected]' -Password 'MyP@ssw0rd!' -ReportLanguage es-ES

# Generate a Microsoft Azure As Built Report for Tenant ID '555fff88-777d-1234-987a-23bc67890z5' using Entra ID authentication. Export report to HTML & DOCX formats. Use default report style. Reports are saved to the user profile folder by default. Attach and send reports via e-mail.
PS C:\> New-AsBuiltReport -Report Microsoft.Azure -Target '555fff88-777d-1234-987a-23bc67890z5' -UseInteractiveAuth -Format Html,Word -OutputFolderPath 'C:\Users\Tim\Documents' -SendEmail
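
A literal `-Password` value typed on the command line, as in several examples above, can be retained in console history, transcripts and script block logs; the `-Credential` and `-UseInteractiveAuth` forms shown above avoid that. The following added example (not part of the AsBuiltReport project) scans command lines for literal password arguments and redacts them in its output; the sample lines are constructed, with `<upn>` and `<tenant-id>` as placeholders.

```powershell
# Added example, not AsBuiltReport code.
function Find-PlaintextPasswordArgument {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Line)
    # -Password followed by a literal (quoted or bare), not a $variable or (expression).
    $pattern = '-Password\s+(?![$(])(?:''[^'']*''|"[^"]*"|\S+)'
    $Line | Select-String -Pattern $pattern | ForEach-Object {
        [pscustomobject]@{
            LineNumber = $_.LineNumber
            # Redact the value so the finding itself does not repeat the secret.
            Command    = $_.Line -replace $pattern, '-Password <redacted>'
        }
    }
}

# Constructed sample history, modelled on the commands in this README.
$sampleHistory = @(
    "New-AsBuiltReport -Report Microsoft.Azure -Target '<tenant-id>' -Username '<upn>' -Password 'MyP@ssw0rd!' -Format Html"
    ''
    "New-AsBuiltReport -Report Microsoft.Azure -Target '<tenant-id>' -Credential `$Creds -Format Html"
    "New-AsBuiltReport -Report Microsoft.Azure -Target '<tenant-id>' -Username '<upn>' -Password `$pw"
)
Find-PlaintextPasswordArgument -Line $sampleHistory | Format-List

# Live use against the PSReadLine history file of the current user:
# Find-PlaintextPasswordArgument -Line (Get-Content (Get-PSReadLineOption).HistorySavePath)
```

Any password the scan finds should be treated as exposed and rotated, and the matching history lines removed.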
