Forum Discussion
PowerShell script which shows a list of RBAC role, Azure resource and Username
- Dec 22, 2020
AlphaBetaGamma Thanks- that makes sense.
The following script should do something like that, by looping through the resources and then a nested loop through the role assignments. I've included the "Display Name" field as well in case you have any roles assigned to groups- they just have a blank entry for "SignInName".

foreach ($Resource in Get-AzResource) {
    # Role assignments visible at this resource's scope
    $RoleAssignments = Get-AzRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $Resource.Type
    foreach ($RoleAssignment in $RoleAssignments) {
        # One output row per resource / role assignment pair
        $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
            @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
            @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
            @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
    }
}
ChrisBradshaw Does this script show the roles of users which are in groups too?
printscreen Not as it stands- it shows the group name assigned to a role, but wouldn't resolve any members. To do that, we could look for any results from this script which had a value for a display name but not a sign in name. These could probably be interpreted as groups and fed into https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adgroupmember?view=win10-ps with the -recursive flag set.
- ChrisBradshaw, Jan 16, 2021, Iron Contributor
printscreen Sorry, I've had a busy week at the office so haven't got back sooner.
With this script we can separate out the Group assignments from the user assignments by checking $RoleAssignment.ObjectType. I've used an if block in the following example. Once we have the group, Get-AzADGroupMember can be used to do a lookup on the group and then we can loop through those $GroupMembers and get the value for each. Note that this code won't currently deal with nested groups (Get-AzADGroupMember doesn't have a -recursive option), but you should be able to find the code to do that with a quick search around if required.
foreach ($Resource in Get-AzResource) {
    $RoleAssignments = Get-AzRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $Resource.Type
    foreach ($RoleAssignment in $RoleAssignments) {
        if ($RoleAssignment.ObjectType -eq "Group") {
            # Role Assignment is a Group, list Group members
            $GroupMembers = Get-AzADGroupMember -GroupObjectId $RoleAssignment.ObjectId
            foreach ($GroupMember in $GroupMembers) {
                $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
                    @{Name="SignInName";Expression={$GroupMember.UserPrincipalName}},
                    @{Name="DisplayName";Expression={$GroupMember.DisplayName}},
                    @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
            }
        } else {
            # Not a Group- Treat as a User
            $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
                @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
                @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
                @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
        }
    }
}

- printscreen, Jan 11, 2021, Brass Contributor
ChrisBradshaw Ignore my previous script. I was just messing myself and trying out, but it doesn't display the individual members in the group. And hitting this error:
Get-AzADGroupMember : A parameter cannot be found that matches parameter name 'Name'.
At line:4 char:30

I'm sure there is something wrong with the line which I added. Is this something you can help with?
- printscreen, Jan 10, 2021, Brass Contributor
ChrisBradshaw something like this?
ForEach ($Resource in Get-AzResource) {
    $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
    ForEach ($RoleAssignment in $RoleAssignments){
        $new=Get-AzADGroupMember -DisplayName $RoleAssignments.DisplayName
        foreach ($new in $RoleAssignment){
            $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
                @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
                @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
                @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
        }
    }
}
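An added example, not code from this thread, that extends ChrisBradshaw's Jan 16 script above to the nested-group case it says it does not handle, and records the scope each assignment was granted at so inherited subscription-level roles are not mistaken for per-resource ones. It assumes an existing Connect-AzAccount session, Az.Resources installed, and that group members expose either ObjectType (AAD Graph based Az) or OdataType (Microsoft Graph based Az.Resources 5.x+); the helper name Get-GroupUserMembers and the Scope and ViaGroup columns are this example's own.

```powershell
# Hypothetical helper (not an Az cmdlet): return the non-group members of a
# group, descending into nested groups. $Visited guards against circular
# nesting and repeated expansion of the same group.
function Get-GroupUserMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupObjectId,
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Visited.Add($GroupObjectId)) { return }
    foreach ($Member in Get-AzADGroupMember -GroupObjectId $GroupObjectId) {
        # Assumption: older (AAD Graph) Az.Resources exposes ObjectType, Microsoft
        # Graph based Az.Resources 5.x+ exposes OdataType; accept either.
        $IsNestedGroup = ($Member.ObjectType -eq 'Group') -or ($Member.OdataType -eq '#microsoft.graph.group')
        if ($IsNestedGroup) {
            Get-GroupUserMembers -GroupObjectId $Member.Id -Visited $Visited
        } else {
            $Member
        }
    }
}

$Report = foreach ($Resource in Get-AzResource) {
    # Get-AzRoleAssignment at resource scope also returns assignments inherited from
    # the resource group / subscription; the Scope column shows where each was granted.
    $RoleAssignments = Get-AzRoleAssignment -ResourceGroupName $Resource.ResourceGroupName `
        -ResourceName $Resource.Name -ResourceType $Resource.ResourceType
    foreach ($RoleAssignment in $RoleAssignments) {
        $IsGroup = $RoleAssignment.ObjectType -eq 'Group'
        # A group assignment expands to its (nested) members; anything else is the principal itself
        $Principals = if ($IsGroup) { Get-GroupUserMembers -GroupObjectId $RoleAssignment.ObjectId } else { $RoleAssignment }
        foreach ($Principal in $Principals) {
            [pscustomobject]@{
                'Azure Resource name' = $Resource.Name
                SignInName            = if ($IsGroup) { $Principal.UserPrincipalName } else { $Principal.SignInName }
                DisplayName           = $Principal.DisplayName
                RoleDefinitionName    = $RoleAssignment.RoleDefinitionName
                Scope                 = $RoleAssignment.Scope
                ViaGroup              = if ($IsGroup) { $RoleAssignment.DisplayName } else { $null }
            }
        }
    }
}

# Review the effective assignments, e.g. every principal holding Owner or Contributor
$Report | Where-Object RoleDefinitionName -in 'Owner', 'Contributor' | Sort-Object SignInName | Format-Table
$Report | Export-Csv -Path .\rbac-effective-assignments.csv -NoTypeInformation
```

A user that reaches the same role through several nested groups appears once per path, with ViaGroup naming the directly assigned group each time.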