Use PowerShell to Remove Lighthouse Delegations Based on Subscription IDs
Published Mar 10 2023 09:49 AM
Microsoft

You may use this script to easily list the resource groups per subscription, and programmatically remove the delegation based on user input. 

Notes on using the script: 

  1. The script accepts a list of subscription IDs at the command line (separated by commas), or a text file containing a list of subscription IDs.
    1. For each subscription, it reads the delegations, outputs them on the screen, then asks whether you want to remove them.
  2. As written, the code will remove BOTH resource group and subscription-level assignments. Adjust the code as needed to ignore subscription-level assignments. 
  3. This code is provided AS IS and as an example only. 

###############################################################
#
# This Sample Code is provided for the purpose of illustration only
# and is not intended to be used in a production environment.  THIS
# SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED AS IS
# WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.  We
# grant You a nonexclusive, royalty-free right to use and modify
# the Sample Code and to reproduce and distribute the object code
# form of the Sample Code, provided that You agree (i) to not use
# Our name, logo, or trademarks to market Your software product in
# which the Sample Code is embedded; (ii) to include a valid
# copyright notice on Your software product in which the Sample
# Code is embedded; and (iii) to indemnify, hold harmless, and
# defend Us and Our suppliers from and against any claims or
# lawsuits, including attorneys’ fees, that arise or result from
# the use or distribution of the Sample Code.
# Please note None of the conditions outlined in the disclaimer
# above will supersede the terms and conditions contained within
# the Premier Customer Services Description.
#
###############################################################
Param (
    [Parameter()]
    [String[]] 
    $subIdsFromParams,

    [Parameter()]
    [String]
    $inputFile = "InputSubscriptionIds.txt"
)
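# Resolve the subscription IDs: command-line values take precedence over the input file.
$subscriptionIDs = $null
try {
    if($null -ne $subIdsFromParams){
        $subscriptionIDs = $subIdsFromParams
    }elseif ($null -ne $inputFile) {
        # -ErrorAction Stop makes a missing or unreadable file a terminating error so the catch block runs
        $subscriptionIDs = Get-Content -Path "$inputFile" -ErrorAction Stop
    }
}
catch {
    Write-Host "Error Reading in Subscription IDs from parameters or file." -ForegroundColor Red
    Exit
}
if ($null -ne $subscriptionIDs){
    foreach ($subId in $subscriptionIDs)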
    {
        try {
            $managedServicesAssignments =  Get-AzManagedServicesAssignment -Scope "/subscriptions/$subId/"
            Write-Host
            Write-Host "The following" $managedServicesAssignments.count.tostring() "resource group and subscription assignments were found for subscription ${subId}:" -ForegroundColor Yellow
            foreach ($assignment in $managedServicesAssignments){
                if ($null -ne $assignment.ResourceGroupName){
                    Write-Host $assignment.ResourceGroupName -ForegroundColor Green
                }else{
                    Write-Host "$subId - Subscription Level Assignment" -ForegroundColor Green
                }
            }
            Write-Host "----------------------------------------------------------------------------------------"
            $delete = Read-Host "Do you wish to remove these delegations?  ***This action is not reversible!***  Y/N"
            Write-Host "----------------------------------------------------------------------------------------"
            if ($delete -eq "Y"){
                foreach ($assignment in $managedServicesAssignments){
                    if ($null -ne $assignment.ResourceGroupName){
                        $rgName = $assignment.ResourceGroupName
                        Write-Host "Removing Resource Group Delegate" $assignment.Id -ForegroundColor Yellow
                        Remove-AzManagedServicesAssignment -Name $assignment.Name -Scope "/subscriptions/${subId}/resourceGroups/${rgName}"
                    }else {
                        Write-Host "Removing Subscription Delegate" $assignment.Id -ForegroundColor Yellow
                        Remove-AzManagedServicesAssignment -Name $assignment.Name -Scope "/subscriptions/${subId}"
                    }
                }
                Write-Host "Completed" -ForegroundColor Blue
            }
        }
        catch {
            Write-Host "Error reading in subscription ID" $subId
        }#end try/catch
    }#end foreach subscriptionID
}else{
    Write-Host "Input subscriptionIds array was null" -ForegroundColor Red
}
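
Note 2 says to adjust the code if subscription-level assignments should be left in place. The following added example (not part of the original script) shows one way to do that, and also checks that each input value is a GUID before it is placed in a scope string. The function names `Get-ValidSubscriptionId` and `Get-DelegationRemovalPlan`, the `-ResourceGroupOnly` switch, and the sample objects are hypothetical; the sample objects only assume the `Name` and `ResourceGroupName` properties the script above already reads.

```powershell
# Added example (not from the original script); function names are hypothetical.
function Get-ValidSubscriptionId {
    param([string[]] $RawIds)
    foreach ($raw in $RawIds) {
        # Handles both comma-separated strings and one-ID-per-line file content.
        foreach ($id in ($raw -split ',')) {
            $id = $id.Trim()
            if (-not $id) { continue }
            $parsed = [guid]::Empty
            if ([guid]::TryParse($id, [ref] $parsed)) {
                $parsed.ToString()   # normalised GUID, safe to place in a scope string
            } else {
                Write-Warning "Skipping '$id': not a subscription GUID"
            }
        }
    }
}

function Get-DelegationRemovalPlan {
    param(
        [string]   $SubscriptionId,
        [object[]] $Assignments,
        [switch]   $ResourceGroupOnly   # keep subscription-level delegations
    )
    foreach ($a in $Assignments) {
        if ($a.ResourceGroupName) {
            [pscustomobject]@{
                Level = 'ResourceGroup'; Name = $a.Name
                Scope = "/subscriptions/$SubscriptionId/resourceGroups/$($a.ResourceGroupName)"
            }
        } elseif (-not $ResourceGroupOnly) {
            [pscustomobject]@{
                Level = 'Subscription'; Name = $a.Name
                Scope = "/subscriptions/$SubscriptionId"
            }
        }
    }
}

# Constructed sample data standing in for Get-AzManagedServicesAssignment output.
$sample = @(
    [pscustomobject]@{ Name = 'aaaaaaaa-0000-0000-0000-000000000001'; ResourceGroupName = 'rg-app' }
    [pscustomobject]@{ Name = 'aaaaaaaa-0000-0000-0000-000000000002'; ResourceGroupName = $null }
)
$ids = Get-ValidSubscriptionId -RawIds '00000000-0000-0000-0000-000000000001, not-a-guid'
foreach ($subId in $ids) {
    Get-DelegationRemovalPlan -SubscriptionId $subId -Assignments $sample -ResourceGroupOnly
}
```

Each object in the plan carries the `Name` and `Scope` values that the script passes to `Remove-AzManagedServicesAssignment`, so the plan can be reviewed before anything is removed.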

Example of what Lighthouse looks like before running the script. Note that subscription names and IDs are not visible, so when resource groups share the same name you cannot tell which subscription each belongs to, which makes delegation removal via the UI difficult.

[Screenshot: AndrewSchwalbe_0-1676327357871.png]

Example script output. Note in this case, duplicate resource group names in separate subscriptions are not a concern. This was due to my testing, but if duplicate names were present, each name would show under its proper subscription.

[Screenshot: AndrewSchwalbe_1-1676327602157.png]
