Forum Discussion

AlphaBetaGamma's avatar
AlphaBetaGamma
Brass Contributor
Dec 21, 2020
Solved

Power shell script which shows list of RBAC role, Azure resource and Username

Hi,   Can anyone please help me with a powershell script which shows list consisting of RBAC role, Azure resource & username to whom it is allocated to?   
azure powershell
powershell
  • ChrisBradshaw's avatar
    ChrisBradshaw
    Dec 22, 2020

    AlphaBetaGamma Thanks- that makes sense.

    The following script should do something like that, by looping through the resources and then a nested loop through the role assignments. I've included the "Display Name" field as well in case you have any roles assigned to groups- they just have a blank entry for "SignInName".

     

    foreach ($Resource in Get-AzResource) {
 $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
 ForEach ($RoleAssignment in $RoleAssignments){
   $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
     @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
     @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
     @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
 }
}

     

AlphaBetaGamma's avatar
AlphaBetaGamma
Brass Contributor
Dec 22, 2020

ChrisBradshaw Sorry, I didn't convey it properly it seems, my bad. Here is below output I was expecting from Powershell script.

Azure Resource nameSignInNameRoleDefinitionName
keyvaultaaa@aaa.comConributor
sqlaaa@aaa.comReader
ChrisBradshaw's avatar
ChrisBradshaw
Iron Contributor
Dec 22, 2020

AlphaBetaGamma Thanks- that makes sense.

The following script should do something like that, by looping through the resources and then a nested loop through the role assignments. I've included the "Display Name" field as well in case you have any roles assigned to groups- they just have a blank entry for "SignInName".

 

foreach ($Resource in Get-AzResource) {
 $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
 ForEach ($RoleAssignment in $RoleAssignments){
   $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
     @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
     @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
     @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
 }
}

 

  • printscreen's avatar
    printscreen
    Brass Contributor
    Jan 10, 2021

    ChrisBradshaw Does this script show the roles of users which are in groups too?

    • ChrisBradshaw's avatar
      ChrisBradshaw
      Iron Contributor
      Jan 10, 2021

      printscreen Not as it stands- it shows the group name assigned to a role , but wouldn't resolve any members. To do that, we could look for any results from this script which had a value for a display name but not a sign in name. These could probably be interpreted as groups and fed into Get-ADGroupMember with the -recursive flag set.

      • printscreen's avatar
        printscreen
        Brass Contributor
        Jan 10, 2021

        ChrisBradshawsomething like this? 

         

        ForEach ($Resource in Get-AzResource) {
            $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
            ForEach ($RoleAssignment in $RoleAssignments){
              $new=Get-AzADGroupMember -DisplayName $RoleAssignments.DisplayName 
              foreach ($new in $RoleAssignment){
                $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
                @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
                @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
                @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
              }
            }
           }

Resources