You may use this script to easily list the resource groups per subscription, and programmatically remove the delegation based on user input.
Notes on using the script:
```powershell
###############################################################
#
# This Sample Code is provided for the purpose of illustration only
# and is not intended to be used in a production environment. THIS
# SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED AS IS
# WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We
# grant You a nonexclusive, royalty-free right to use and modify
# the Sample Code and to reproduce and distribute the object code
# form of the Sample Code, provided that You agree (i) to not use
# Our name, logo, or trademarks to market Your software product in
# which the Sample Code is embedded; (ii) to include a valid
# copyright notice on Your software product in which the Sample
# Code is embedded; and (iii) to indemnify, hold harmless, and
# defend Us and Our suppliers from and against any claims or
# lawsuits, including attorneys’ fees, that arise or result from
# the use or distribution of the Sample Code.
# Please note None of the conditions outlined in the disclaimer
# above will supersede the terms and conditions contained within
# the Premier Customer Services Description.
#
###############################################################
Param (
    [Parameter()]
    [String[]]
    $subIdsFromParams,
    [Parameter()]
    [String]
    $inputFile = "InputSubscriptionIds.txt"
)

# Subscription IDs to process; stays $null if neither source supplies any.
$subscriptionIDs = $null
try {
    if ($null -ne $subIdsFromParams) {
        $subscriptionIDs = $subIdsFromParams
    } elseif ($null -ne $inputFile) {
        # -ErrorAction Stop turns a missing or unreadable file into a
        # terminating error so that the catch block below actually runs.
        $subscriptionIDs = Get-Content -Path "$inputFile" -ErrorAction Stop
    }
}
catch {
    Write-Host "Error Reading in Subscription IDs from parameters or file." -ForegroundColor Red
    Exit
}

if ($null -ne $subscriptionIDs) {
    foreach ($subId in $subscriptionIDs) {
        try {
            # List every delegation (subscription level and resource group level)
            # under this subscription. @() keeps .Count valid for a single result.
            $managedServicesAssignments = @(Get-AzManagedServicesAssignment -Scope "/subscriptions/$subId/" -ErrorAction Stop)
            Write-Host
            Write-Host "The following" $managedServicesAssignments.Count.ToString() "resource group and subscription assignments were found for subscription ${subId}:" -ForegroundColor Yellow
            foreach ($assignment in $managedServicesAssignments) {
                if ($null -ne $assignment.ResourceGroupName) {
                    Write-Host $assignment.ResourceGroupName -ForegroundColor Green
                } else {
                    Write-Host "$subId - Subscription Level Assignment" -ForegroundColor Green
                }
            }
            Write-Host "----------------------------------------------------------------------------------------"
            $delete = Read-Host "Do you wish to remove these delegations? ***This action is not reversible!*** Y/N"
            Write-Host "----------------------------------------------------------------------------------------"
            if ($delete -eq "Y") {
                foreach ($assignment in $managedServicesAssignments) {
                    if ($null -ne $assignment.ResourceGroupName) {
                        # Resource group level delegation: the scope includes the resource group.
                        $rgName = $assignment.ResourceGroupName
                        Write-Host "Removing Resource Group Delegate" $assignment.Id -ForegroundColor Yellow
                        Remove-AzManagedServicesAssignment -Name $assignment.Name -Scope "/subscriptions/${subId}/resourceGroups/${rgName}"
                    } else {
                        # Subscription level delegation.
                        Write-Host "Removing Subscription Delegate" $assignment.Id -ForegroundColor Yellow
                        Remove-AzManagedServicesAssignment -Name $assignment.Name -Scope "/subscriptions/${subId}"
                    }
                }
                Write-Host "Completed" -ForegroundColor Blue
            }
        }
        catch {
            # Report the underlying error as well, so a failure is not silently swallowed.
            Write-Host "Error reading in subscription ID" $subId "-" $_.Exception.Message -ForegroundColor Red
        }#end try/catch
    }#end foreach subscriptionID
} else {
    Write-Host "Input subscriptionIds array was null" -ForegroundColor Red
}
```
Example of what Lighthouse looks like before running the script. Note that subscription names and IDs are not visible, so when resource groups share the same name you cannot tell which subscription each one belongs to, which makes removing delegations through the UI difficult.
Example script output. Note that in this case, duplicate resource group names in separate subscriptions are not a concern. This was due to my testing, but if duplicate names were present, each name would show under its proper subscription.
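To make the duplicate-name problem concrete, the following added example (not part of the original script) splits assignment resource IDs into subscription, resource group, assignment name and scope, so identically named resource groups can be told apart and the `-Name` and `-Scope` values reviewed before anything is removed. `ConvertFrom-AssignmentId` is a hypothetical helper name, the sample IDs are constructed, and the IDs are assumed to follow the form `{scope}/providers/Microsoft.ManagedServices/registrationAssignments/{name}`.

```powershell
# Added example: parse Lighthouse registration assignment IDs offline.
# ConvertFrom-AssignmentId is a hypothetical helper, not an Az cmdlet.
function ConvertFrom-AssignmentId {
    param([Parameter(Mandatory, ValueFromPipeline)][string] $Id)
    process {
        # Assumed ID form: {scope}/providers/Microsoft.ManagedServices/registrationAssignments/{name}
        # where {scope} is a subscription, optionally followed by a resource group.
        $pattern = '^(?<scope>/subscriptions/(?<sub>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})' +
                   '(/resourceGroups/(?<rg>[^/]+))?)' +
                   '/providers/Microsoft\.ManagedServices/registrationAssignments/(?<name>[^/]+)$'
        if ($Id -match $pattern) {
            [pscustomobject]@{
                SubscriptionId = $Matches['sub']
                # The rg group is absent for subscription level delegations.
                ResourceGroup  = if ($Matches['rg']) { $Matches['rg'] } else { '(subscription level)' }
                AssignmentName = $Matches['name']    # value for -Name
                Scope          = $Matches['scope']   # value for -Scope
            }
        } else {
            # Refuse to guess: anything malformed is reported and skipped.
            Write-Warning "Not a registration assignment ID: $Id"
        }
    }
}

# Constructed sample IDs: the resource group name rg-app is delegated in two
# different subscriptions, plus one subscription level delegation.
$sampleIds = @(
    '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app/providers/Microsoft.ManagedServices/registrationAssignments/aaaaaaaa-0000-0000-0000-000000000001'
    '/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-app/providers/Microsoft.ManagedServices/registrationAssignments/aaaaaaaa-0000-0000-0000-000000000002'
    '/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.ManagedServices/registrationAssignments/aaaaaaaa-0000-0000-0000-000000000003'
)

# One row per delegation, ordered so each subscription's entries sit together.
$sampleIds | ConvertFrom-AssignmentId |
    Sort-Object SubscriptionId, ResourceGroup |
    Format-Table SubscriptionId, ResourceGroup, AssignmentName, Scope -AutoSize
```

Against a real tenant, the `Id` property that the script already prints for each assignment can be piped into the same function in place of the constructed list.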