Forum Discussion
How to list azure resources which have inheriting access and direct access using powershell
Hello AlphaBetaGamma,
Here is quick and dirty way to get what you need:
$Resource=Get-AzResource $RoleAssignments=New-Object System.Collections.Generic.List[PSObject] foreach($r in $Resource){ $Assignment=Get-AzRoleAssignment -ResourceName $r.Name -ResourceGroupName $r.ResourceGroupName -ResourceType $r.ResourceType foreach($a in $Assignment){ $IsInherited=if($r.ResourceId -eq $a.Scope){$false}else{$true} $a | Add-member -NotePropertyName ResourceName -NotePropertyValue $r.Name $a | Add-member -NotePropertyName ResourceId -NotePropertyValue $r.ResourceId $a | Add-member -NotePropertyName IsInherited -NotePropertyValue $IsInherited $RoleAssignments.Add($a) } } $RoleAssignmentsPseudo code:
- Get all az resources
- For each resource run get az role assignments
- Loop trough role assignments and add IsInherited property:
If scope eq resourceid then false otherwise true - Add ResourceName and ID to resulting object
- Add results to List
At the end you will get list of all Role Assignments with additional info(ResourceName, ResourceID and IsInherited flag).
Then you can easily rotate data as needed.
List Direct Assignments:
#Direct Assignments $RoleAssignments |where {$_.isinherited -eq $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInheritedList Inherited Assignments:
#Inherited ones $RoleAssignments |where {$_.isinherited -ne $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInheritedGeneral stats:
$RoleAssignments.isinherited |groupHope that helps.
AndySvints Thanks for your response. Yes, we can see the inherited access/direct access for each resource with the help of below one,
Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}But, what if we wish to see a list of all azure resources which have inherited access and a list of azure resources with direct access. Something like this as a sample output
List of azure resources which have inherited access
| Resource name | DisplayName |
| keyvault | Tom |
| sql | Jeremy |
List of Azure resources which have direct access
| Resource name | DisplayName |
| Log analytics | jack |
| VM | Jones |
Hello AlphaBetaGamma,
Here is quick and dirty way to get what you need:
$Resource=Get-AzResource
$RoleAssignments=New-Object System.Collections.Generic.List[PSObject]
foreach($r in $Resource){
$Assignment=Get-AzRoleAssignment -ResourceName $r.Name -ResourceGroupName $r.ResourceGroupName -ResourceType $r.ResourceType
foreach($a in $Assignment){
$IsInherited=if($r.ResourceId -eq $a.Scope){$false}else{$true}
$a | Add-member -NotePropertyName ResourceName -NotePropertyValue $r.Name
$a | Add-member -NotePropertyName ResourceId -NotePropertyValue $r.ResourceId
$a | Add-member -NotePropertyName IsInherited -NotePropertyValue $IsInherited
$RoleAssignments.Add($a)
}
}
$RoleAssignments
Pseudo code:
- Get all az resources
- For each resource run get az role assignments
- Loop trough role assignments and add IsInherited property:
If scope eq resourceid then false otherwise true - Add ResourceName and ID to resulting object
- Add results to List
At the end you will get list of all Role Assignments with additional info(ResourceName, ResourceID and IsInherited flag).
Then you can easily rotate data as needed.
List Direct Assignments:
#Direct Assignments
$RoleAssignments |where {$_.isinherited -eq $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInherited
List Inherited Assignments:
#Inherited ones
$RoleAssignments |where {$_.isinherited -ne $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInherited
General stats:
$RoleAssignments.isinherited |group
Hope that helps.