Forum Discussion
Adding Eligible role to Subscription by PowerShell (Question)
I need to assign groups to roles for a subscription by PowerShell (100+ groups and subscriptions).
I need this to be eligible, so users in the group must use PIN to activate the role.
How do I do this?
9 Replies
- Adeelaziz (Brass Contributor)
You can do this by reading in a list of group names and resource groups from a CSV file. The CSV file should be formatted like the example below; please keep the column headers, as they are referenced in the script.
CSV input file for script:
GroupName,ResourceGroup
Group1,ResourceGroup1
Group2,ResourceGroup2
Group3,ResourceGroup3
Note:
The duration is set by the -Duration flag in the New-AzRoleAssignment cmdlet. I've set it to "P1Y", which denotes 1 year. You could change that to "P1M" for 1 month, etc. This is the ISO 8601 standard for specifying durations.
Script:
# Import the CSV file
$groups = Import-Csv -Path "path\to\your\groups.csv"

# Connect to Azure
Connect-AzAccount

# Define the role
$roleDefinitionId = (Get-AzRoleDefinition -Name "Contributor").Id

# Loop through each group and assign the role
foreach ($group in $groups) {
    try {
        $groupName = $group.GroupName
        $resourceGroup = $group.ResourceGroup
        $scope = "/subscriptions/your-subscription-id/resourceGroups/$resourceGroup"
        $groupObject = Get-AzADGroup -DisplayName $groupName
        $groupId = $groupObject.Id
        # Assign the role with eligible and time-bound settings for 1 year
        New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionId $roleDefinitionId -Scope $scope -AssignmentType "Eligible" -Duration "P1Y"
        Write-Output "Successfully assigned role to group: $groupName for resource group: $resourceGroup"
    }
    catch {
        Write-Error "Failed to assign role to group: $groupName for resource group: $resourceGroup. Error: $_"
    }
}
Write-Output "Role assignments completed."
- Marek_Belan (Brass Contributor)
This is wrong.
New-AzRoleAssignment doesn't have an AssignmentType parameter.
- Adeelaziz (Brass Contributor)
I responded to this earlier today but noticed my reply is stuck. Here goes attempt #2.
You can do this by reading in a list of group names and resource groups from a CSV file. The CSV file should be formatted like the example below; please keep the column headers, as they are referenced in the script.
CSV input file for script:
GroupName,ResourceGroup
Group1,ResourceGroup1
Group2,ResourceGroup2
Group3,ResourceGroup3
Note:
The duration is set by the -Duration flag in the New-AzRoleAssignment cmdlet. I've set it to "P1Y", which denotes 1 year. You could change that to "P1M" for 1 month, etc. This is the ISO 8601 standard for specifying durations.
Script:
# Import the CSV file
$groups = Import-Csv -Path "path\to\your\groups.csv"

# Connect to Azure
Connect-AzAccount

# Define the role
$roleDefinitionId = (Get-AzRoleDefinition -Name "Contributor").Id

# Loop through each group and assign the role
foreach ($group in $groups) {
    try {
        $groupName = $group.GroupName
        $resourceGroup = $group.ResourceGroup
        $scope = "/subscriptions/your-subscription-id/resourceGroups/$resourceGroup"
        $groupObject = Get-AzADGroup -DisplayName $groupName
        $groupId = $groupObject.Id
        # Assign the role with eligible and time-bound settings for 1 year
        New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionId $roleDefinitionId -Scope $scope -AssignmentType "Eligible" -Duration "P1Y"
        Write-Output "Successfully assigned role to group: $groupName for resource group: $resourceGroup"
    }
    catch {
        Write-Error "Failed to assign role to group: $groupName for resource group: $resourceGroup. Error: $_"
    }
}
Write-Output "Role assignments completed."
- Marek_Belan (Brass Contributor)
This is wrong.
New-AzRoleAssignment doesn't have an AssignmentType parameter.
- Adeelaziz (Brass Contributor)
This should be doable. Assuming you are assigning the permissions to resource groups, you ideally want to specify the group names and the resource group names in a CSV file, something like the following. Remember to keep the column headers, as they are referenced in the PowerShell script.
CSV File with Groups and Resource Groups
GroupName,ResourceGroup
Group1,ResourceGroup1
Group2,ResourceGroup2
Group3,ResourceGroup3
etc.
In the script below the duration is specified using the ISO 8601 format. PT8H means 8 hours; you can use P1D for 1 day, P3M for 3 months, P1Y for 1 year, and so on.
The script will loop through all the rows in your CSV file and try the role assignment.
Script:
# Import the CSV file
$groups = Import-Csv -Path "path\to\your\groups.csv"

# Connect to Azure
Connect-AzAccount

# Define the role
$roleDefinitionId = (Get-AzRoleDefinition -Name "Contributor").Id

# Loop through each group and assign the role
foreach ($group in $groups) {
    try {
        $groupName = $group.GroupName
        $resourceGroup = $group.ResourceGroup
        $scope = "/subscriptions/your-subscription-id/resourceGroups/$resourceGroup"
        $groupObject = Get-AzADGroup -DisplayName $groupName
        $groupId = $groupObject.Id
        # Assign the role with eligible and time-bound settings
        New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionId $roleDefinitionId -Scope $scope -AssignmentType "Eligible" -Duration "PT8H"
        Write-Output "Successfully assigned role to group: $groupName for resource group: $resourceGroup"
    }
    catch {
        Write-Error "Failed to assign role to group: $groupName for resource group: $resourceGroup. Error: $_"
    }
}
Write-Output "Role assignments completed."
- Marek_Belan (Brass Contributor)
This is wrong.
New-AzRoleAssignment doesn't have an AssignmentType parameter.
- Adeelaziz (Brass Contributor)
My apologies for the oversight. This is the updated script; I've tested it in my lab. Please update the parameters as needed.
# Import the CSV file
$groups = Import-Csv -Path "path\to\your\groups.csv"

# Connect to Azure
Connect-AzAccount

# Define the role
$roleDefinitionId = (Get-AzRoleDefinition -Name "Contributor").Id

# Loop through each group and assign the role
foreach ($group in $groups) {
    try {
        $groupName = $group.GroupName
        $resourceGroup = $group.ResourceGroup
        $scope = "/subscriptions/your-subscription-id/resourceGroups/$resourceGroup"
        $groupObject = Get-AzADGroup -DisplayName $groupName
        $groupId = $groupObject.Id

        # Define the GUID for the request
        $guid = [guid]::NewGuid().Guid

        # Define the start time in ISO 8601 format
        $startTime = Get-Date -Format o

        # Assign the role with eligible and time-bound settings
        New-AzRoleEligibilityScheduleRequest -Name $guid -Scope $scope -ExpirationDuration "PT8H" -ExpirationType AfterDuration -PrincipalId $groupId -RequestType AdminAssign -RoleDefinitionId $roleDefinitionId -ScheduleInfoStartDateTime $startTime
        Write-Output "Successfully assigned role to group: $groupName for resource group: $resourceGroup"
    }
    catch {
        Write-Error "Failed to assign role to group: $groupName for resource group: $resourceGroup. Error: $_"
    }
}
Write-Output "Role assignments completed."
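The same New-AzRoleEligibilityScheduleRequest approach carried a step further, as an added example that is not Adeelaziz's script and not Microsoft's own code. It targets subscription scope (what the question asks for) rather than resource groups, refuses rows whose group name resolves to zero or several Entra groups, skips principals that already hold an eligibility for that role at that scope so the script can be re-run safely over 100+ rows, supports a -WhatIf dry run, and returns one result object per row instead of only writing to the console. Assumptions: Az.Accounts and Az.Resources are installed and Connect-AzAccount has already been run; the CSV columns are GroupName and SubscriptionId; the sample rows, the CSV path, the role name and the P1Y eligibility lifetime are constructed for the example; and the role definition is passed in its full resource-ID form, which is the form the cmdlet's documentation uses.

```powershell
# Added example (not from the thread): bulk PIM-eligible assignments at subscription scope.
# Assumes an active Az session (Connect-AzAccount) and a caller allowed to create
# eligibility schedule requests at the target subscriptions (e.g. Owner / User Access Administrator).
param(
    [string]$CsvPath  = ".\eligible-assignments.csv",   # assumed path; columns: GroupName,SubscriptionId
    [string]$RoleName = "Contributor",
    # Lifetime of the ELIGIBILITY itself (ISO 8601). The activation window is governed by the
    # role's PIM policy, not by this value, and the policy may also cap this lifetime.
    [string]$EligibilityDuration = "P1Y",
    [switch]$WhatIf
)

# Constructed sample rows, used only when the CSV is absent so the script can be dry-run.
$rows = if (Test-Path $CsvPath) {
    Import-Csv -Path $CsvPath
} else {
    @(
        [pscustomobject]@{ GroupName = "Group1"; SubscriptionId = "00000000-0000-0000-0000-000000000001" }
        [pscustomobject]@{ GroupName = "Group2"; SubscriptionId = "00000000-0000-0000-0000-000000000002" }
    )
}

# Role definition GUID is tenant-wide for built-in roles; the request wants the full resource ID.
$roleGuid = (Get-AzRoleDefinition -Name $RoleName).Id
if (-not $roleGuid) { throw "Role definition '$RoleName' not found." }

$results = foreach ($row in $rows) {
    $scope            = "/subscriptions/$($row.SubscriptionId)"
    $roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$roleGuid"
    $record = [pscustomobject]@{ Group = $row.GroupName; Scope = $scope; RequestName = $null; Status = $null }

    # Get-AzADGroup -DisplayName is an exact match but display names are not unique in Entra ID,
    # so treat zero or multiple hits as a data problem rather than picking one silently.
    $group = @(Get-AzADGroup -DisplayName $row.GroupName)
    if ($group.Count -ne 1) {
        $record.Status = "Skipped: $($group.Count) group(s) named '$($row.GroupName)'"
        $record; continue
    }
    $principalId = $group[0].Id

    # Idempotency: an eligibility already in place for this principal/role/scope is left alone.
    $existing = Get-AzRoleEligibilitySchedule -Scope $scope -Filter "atScope()" |
        Where-Object { $_.PrincipalId -eq $principalId -and $_.RoleDefinitionId -eq $roleDefinitionId }
    if ($existing) {
        $record.Status = "Skipped: eligibility already exists"
        $record; continue
    }

    $request = @{
        Name                      = [guid]::NewGuid().ToString()
        Scope                     = $scope
        PrincipalId               = $principalId
        RoleDefinitionId          = $roleDefinitionId
        RequestType               = 'AdminAssign'
        ScheduleInfoStartDateTime = (Get-Date -Format o)
        ExpirationType            = 'AfterDuration'     # or 'NoExpiration' for permanent eligibility
        ExpirationDuration        = $EligibilityDuration
        Justification             = "Bulk eligible assignment from $CsvPath"
    }

    if ($WhatIf) {
        $record.Status = "WhatIf: would request $RoleName eligibility for $($request.ExpirationDuration)"
        $record; continue
    }

    try {
        $resp = New-AzRoleEligibilityScheduleRequest @request -ErrorAction Stop
        $record.RequestName = $resp.Name
        $record.Status      = $resp.Status
    }
    catch {
        $record.Status = "Failed: $($_.Exception.Message)"
    }
    $record
}

# One line per CSV row; failures and skips stay visible instead of scrolling past.
$results | Format-Table -AutoSize
$results
```

Run it first with -WhatIf to see which rows would be skipped for group-name or existing-eligibility reasons before any request is submitted; on a second real run the existing-eligibility check makes the script a no-op for rows that already succeeded. The 8-hour value in the reply above is the lifetime of the eligibility, so it was replaced here by a longer default; users still activate for the window the PIM role setting allows.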