Forum Discussion
Martin_30
Apr 25, 2023, Copper Contributor
Permission/access Audit in Powershell
Hello, I'm trying to generate a report on "who has access" for all projects in Azure DevOps.
I use the following:
```powershell
$organization = "RELEVENT NAME"
$pat = "APATKEY"
$baseUrl = "https://dev.azure.com/$organization/_apis"
$APIVersion = "7.0"

# Get all projects in the organization
$projectsUrl = "$baseUrl/projects?api-version=$APIVersion"
$projects = Invoke-RestMethod -Uri $projectsUrl -Method Get -Headers @{Authorization = "Basic $($pat)"}

# Loop through each project and get the groups and permissions for each added user
foreach ($project in $projects.value) {
    $projectName = $project.name
    # Backtick keeps PowerShell from interpolating $top inside the double-quoted URL
    $projectUrl = "$baseUrl/$projectName/_apis/graph/users?api-version=$APIVersion&direction=2&`$top=5000"
    $addedUsers = Invoke-RestMethod -Uri $projectUrl -Method Get -Headers @{Authorization = "Basic $($pat)"}
    Write-Host "Project: $projectName"

    foreach ($user in $addedUsers.value) {
        $userId = $user.descriptor
        # Access control entries for this identity
        $userUrl = "$baseUrl/$projectName/_apis/accesscontrolentries?api-version=$APIVersion&identityDescriptor=$userId"
        $permissions = Invoke-RestMethod -Uri $userUrl -Method Get -Headers @{Authorization = "Basic $($pat)"}

        # Collapse the user's group memberships into a comma-separated list
        $groups = $user.memberOf | Where-Object { $_.subjectKind -eq "Group" }
        $groups = $groups | ForEach-Object { $_.displayName }
        $groups = $groups -join ', '
        Write-Host "User: $($user.displayName), Groups: $groups"

        foreach ($permission in $permissions.value) {
            $permissionName = $permission.displayName
            Write-Host " Permission: $permissionName"
        }
    }
    Write-Host ""
}
```
Can anyone help me figure out why it returns empty all the time?
1 Reply
How about this:
```powershell
$organization = "your-org"
$pat = "your-pat"
$token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat"))
$headers = @{ Authorization = "Basic $token" }

# Get all projects
$projectsUrl = "https://dev.azure.com/$organization/_apis/projects?api-version=7.0"
$projects = Invoke-RestMethod -Uri $projectsUrl -Headers $headers

foreach ($project in $projects.value) {
    $projectId = $project.id
    $projectName = $project.name
    Write-Host "Project: $projectName"

    # Get role assignments (who has access)
    $roleUrl = "https://dev.azure.com/$organization/_apis/securityroles/scopes/project/$projectId/roleassignments?api-version=7.0"
    $roles = Invoke-RestMethod -Uri $roleUrl -Headers $headers

    foreach ($assignment in $roles.value) {
        $principalName = $assignment.identity.displayName
        $roleName = $assignment.role.displayName
        Write-Host "User/Group: $principalName → Role: $roleName"
    }
    Write-Host ""
}
```
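The reply's approach, extended as an added example (not code from either poster): it builds the Basic header from `:PAT` the same way, but fails loudly when the token is rejected instead of quietly producing an empty report, follows the projects list's continuation token, and writes the role assignments to CSV. It assumes the PAT is in the `ADO_PAT` environment variable and that a rejected PAT is answered with HTTP 203 and an HTML sign-in page rather than a 401 (the usual reason `.value` comes back empty).

```powershell
# Added example; "your-org" is a placeholder, the PAT comes from the environment.
$organization = "your-org"
$pat = $env:ADO_PAT
$headers = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat")) }

function Invoke-AdoApi {
    param([string]$Uri, [hashtable]$Headers)
    $all = @()
    $token = ""
    do {
        $u = if ($token) { "$Uri&continuationToken=$token" } else { $Uri }
        $resp = Invoke-WebRequest -Uri $u -Headers $Headers -UseBasicParsing
        # Assumption: a rejected PAT yields 203 plus an HTML sign-in page, not a 401.
        # Invoke-RestMethod would hand that page back as a string with no .value,
        # which looks exactly like "returns empty all the time".
        if ($resp.StatusCode -eq 203 -or $resp.Content -match '^\s*<(!DOCTYPE|html)') {
            throw "Authentication rejected for $Uri (check the PAT and its scopes)"
        }
        $body = $resp.Content | ConvertFrom-Json
        $all += $body.value
        # The projects list pages via this response header; [string] flattens a one-element array on PS 7.
        $token = [string]$resp.Headers['x-ms-continuationtoken']
    } while ($token)
    return $all
}

$projects = Invoke-AdoApi -Uri "https://dev.azure.com/$organization/_apis/projects?api-version=7.0" -Headers $headers
$report = foreach ($project in $projects) {
    $roleUrl = "https://dev.azure.com/$organization/_apis/securityroles/scopes/project/$($project.id)/roleassignments?api-version=7.0"
    foreach ($a in (Invoke-AdoApi -Uri $roleUrl -Headers $headers)) {
        # Emit objects rather than Write-Host so the result can be filtered and exported
        [pscustomobject]@{
            Project   = $project.name
            Principal = $a.identity.displayName
            Role      = $a.role.displayName
            Access    = $a.access   # assigned vs inherited
        }
    }
}
$report | Sort-Object Project, Principal | Export-Csv -Path .\ado-access-report.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

Project-scope role assignments only cover the roles that endpoint manages; membership of the built-in project groups is a separate (Graph API) query, so treat this report as one part of the access review rather than the whole picture.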