Forum Discussion

AlphaBetaGamma's avatar
AlphaBetaGamma
Brass Contributor
Dec 30, 2020

How to list azure resources which have inheriting access and direct access using powershell

Hi,   Is it really possible to list azure resources which have inherited access and direct access using Powershell? I couldn't find any azure PowerShell command which shows at least any column whic...
azure powershell
powershell
powershell script
  • AndySvints's avatar
    AndySvints
    Jan 02, 2021

    Hello AlphaBetaGamma,

    Here is quick and dirty way to get what you need:

    $Resource=Get-AzResource
$RoleAssignments=New-Object System.Collections.Generic.List[PSObject]
foreach($r in $Resource){
    $Assignment=Get-AzRoleAssignment -ResourceName $r.Name -ResourceGroupName $r.ResourceGroupName -ResourceType $r.ResourceType
    foreach($a in $Assignment){
        $IsInherited=if($r.ResourceId -eq $a.Scope){$false}else{$true}

       $a | Add-member -NotePropertyName ResourceName -NotePropertyValue $r.Name
        $a | Add-member -NotePropertyName ResourceId -NotePropertyValue $r.ResourceId
       $a | Add-member -NotePropertyName IsInherited -NotePropertyValue $IsInherited
       $RoleAssignments.Add($a)
    }
}
$RoleAssignments

     

    Pseudo code:

    1. Get all az resources
    2. For each resource run get az role assignments
    3. Loop trough role assignments and add IsInherited property:
      If scope eq resourceid then false otherwise true
    4. Add ResourceName and ID to resulting object
    5. Add results to List

    At the end you will get list of all Role Assignments with additional info(ResourceName, ResourceID and IsInherited flag).

    Then you can easily rotate data as needed.

    List Direct Assignments:

    #Direct Assignments
$RoleAssignments  |where {$_.isinherited -eq $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInherited

     

    List Inherited Assignments:

    #Inherited ones
$RoleAssignments  |where {$_.isinherited -ne $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInherited

     

    General stats:

    $RoleAssignments.isinherited  |group

     

     

    Hope that helps.

     

     

AndySvints's avatar
AndySvints
Steel Contributor

Hello AlphaBetaGamma,

You can use Get-AzRoleAssignment cmdlet which lists Azure RBAC role assignments at the specified scope.

Field that you are looking for is Scope.

Scope shows at what level permission have been assigned.

For example:

PS C:\> Get-AzRoleAssignment

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : Alain
SignInName         : alain@example.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId   : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Marketing
SignInName         :
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : Group
CanDelegate        : False

...

 

We see 2 assignments:

1) Role: Storage Blob Data Reader is assigned for user Allain at subscription level (based on scope value) and will be inherited for all resources in the subscription

2) Role: Contributor is assigned for Marketing group at resource group level and will be inherited for all resources in pharma-sales resource group.

 

Hope that helps.

AlphaBetaGamma's avatar
AlphaBetaGamma
Brass Contributor
Dec 31, 2020

AndySvints Thanks a mil for your response.

 

Yes, that will help to list the resources which have inherited access and direct access. 

 

Just messing around a bit and came up with something if we wish to pull out the exact resource name which has inherited access and exact resource name with direct access. 

 

Procedure 1: 

# to list resources which have inherited access
$inhaccess = Get-AzRoleAssignment | Where-Object {$_.Scope -ne "/subscriptions/00000000-0000-0000-0000-000000000000"}
$inhaccess | Format-Table DisplayName, RoleDefinitionName, Scope
 
# to list resources which have direct access
$diraccess = Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000"}
$diraccess | Format-Table DisplayName, RoleDefinitionName, Scope
 
Procedure 2:
#to list exact resource which have inherited access along with its Displayname
foreach ($Resource in Get-AzResource) {
    $RoleAssignments=Get-AzRoleAssignment | Where-Object {$_.Scope -ne "/subscriptions/00000000-0000-0000-0000-000000000000"}
    ForEach ($RoleAssignment in $RoleAssignments){
      $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},      
        @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}}   
    }
   }
 
But, I'm just confused if this is the correct way to pull only resource name which has inherited access and resource name with direct access? Do you think the above is correct or else am I missing anything here?
  • AndySvints's avatar
    AndySvints
    Steel Contributor
    Dec 31, 2020

    AlphaBetaGamma,

    It is partially correct.

    Your code is assuming that permissions can be inherited only from Subscription level which is not true.

    There also might be assignments on the resource group level which will be inherited also.

    As mentioned in List role assignments for a resource to get permissions directly assigned to a resource(storage account):

    PS C:\> Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}

    If you change Where-Object condition from equal to not equal you will get inherited permissions. 

     

    Hope that helps.

    • AlphaBetaGamma's avatar
      AlphaBetaGamma
      Brass Contributor
      Jan 01, 2021

      AndySvints Thanks for your response. Yes, we can see the inherited access/direct access for each resource with the help of below one,

      Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}​

      But, what if we wish to see a list of all azure resources which have inherited access and a list of azure resources with direct access. Something like this as a sample output
      List of azure resources which have inherited access

      Resource nameDisplayName
      keyvaultTom
      sqlJeremy

       

      List of Azure resources which have direct access

      Resource nameDisplayName
      Log analyticsjack
      VMJones




       

      • AndySvints's avatar
        AndySvints
        Steel Contributor
        Jan 02, 2021

        Hello AlphaBetaGamma,

        Here is quick and dirty way to get what you need:

        $Resource=Get-AzResource
$RoleAssignments=New-Object System.Collections.Generic.List[PSObject]
foreach($r in $Resource){
    $Assignment=Get-AzRoleAssignment -ResourceName $r.Name -ResourceGroupName $r.ResourceGroupName -ResourceType $r.ResourceType
    foreach($a in $Assignment){
        $IsInherited=if($r.ResourceId -eq $a.Scope){$false}else{$true}

       $a | Add-member -NotePropertyName ResourceName -NotePropertyValue $r.Name
        $a | Add-member -NotePropertyName ResourceId -NotePropertyValue $r.ResourceId
       $a | Add-member -NotePropertyName IsInherited -NotePropertyValue $IsInherited
       $RoleAssignments.Add($a)
    }
}
$RoleAssignments

         

        Pseudo code:

        1. Get all az resources
        2. For each resource run get az role assignments
        3. Loop trough role assignments and add IsInherited property:
          If scope eq resourceid then false otherwise true
        4. Add ResourceName and ID to resulting object
        5. Add results to List

        At the end you will get list of all Role Assignments with additional info(ResourceName, ResourceID and IsInherited flag).

        Then you can easily rotate data as needed.

        List Direct Assignments:

        #Direct Assignments
$RoleAssignments  |where {$_.isinherited -eq $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInherited

         

        List Inherited Assignments:

        #Inherited ones
$RoleAssignments  |where {$_.isinherited -ne $false} |select ResourceName, DisplayName, RoleDefinitionName, IsInherited

         

        General stats:

        $RoleAssignments.isinherited  |group

         

         

        Hope that helps.

         

         

Resources