How to list azure resources which have inheriting access and direct access using powershell

Hi,

 

Is it really possible to list Azure resources which have inherited access and direct access using PowerShell? I couldn't find any Azure PowerShell command which shows even a column with this information. Can anyone help me here, please?

Hello @AlphaBetaGamma,

You can use the Get-AzRoleAssignment cmdlet, which lists Azure RBAC role assignments at the specified scope.

The field you are looking for is Scope.

Scope shows at what level the permission has been assigned.

For example:

PS C:\> Get-AzRoleAssignment

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : Alain
SignInName         : alain@example.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId   : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Marketing
SignInName         :
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : Group
CanDelegate        : False

...

 

We see 2 assignments:

1) Role: Storage Blob Data Reader is assigned to user Alain at subscription level (based on the Scope value) and will be inherited by all resources in the subscription.

2) Role: Contributor is assigned to the Marketing group at resource group level and will be inherited by all resources in the pharma-sales resource group.

 

Hope that helps.

@AndySvints Thanks a mil for your response.

 

Yes, that will help to list the resources which have inherited access and direct access. 

 

Just messing around a bit and came up with something in case we wish to pull out the exact resource names which have inherited access and the exact resource names with direct access.

 

Procedure 1: 

# to list resources which have inherited access
$inhaccess = Get-AzRoleAssignment | Where-Object {$_.Scope -ne "/subscriptions/00000000-0000-0000-0000-000000000000"}
$inhaccess | Format-Table DisplayName, RoleDefinitionName, Scope
 
# to list resources which have direct access
$diraccess = Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000"}
$diraccess | Format-Table DisplayName, RoleDefinitionName, Scope
 
Procedure 2:

# to list exact resources which have inherited access along with the DisplayName
foreach ($Resource in Get-AzResource) {
    $RoleAssignments = Get-AzRoleAssignment | Where-Object {$_.Scope -ne "/subscriptions/00000000-0000-0000-0000-000000000000"}
    foreach ($RoleAssignment in $RoleAssignments) {
        $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
            @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}}
    }
}
 
But I'm just confused whether this is the correct way to pull only the resource names which have inherited access and the resource names with direct access. Do you think the above is correct, or am I missing anything here?

@AlphaBetaGamma,

It is partially correct.

Your code assumes that permissions can be inherited only from the subscription level, which is not true.

There might also be assignments at the resource group level, which will be inherited as well.

As mentioned in List role assignments for a resource, to get permissions directly assigned to a resource (storage account):

PS C:\> Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}

If you change the Where-Object condition from equal to not equal, you will get the inherited permissions.

 

Hope that helps.

@AndySvints Thanks for your response. Yes, we can see the inherited access/direct access for each resource with the help of the one below:

Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}

But what if we wish to see a list of all Azure resources which have inherited access and a list of Azure resources with direct access? Something like this as a sample output:

List of Azure resources which have inherited access

Resource name    DisplayName
keyvault         Tom
sql              Jeremy

List of Azure resources which have direct access

Resource name    DisplayName
Log analytics    jack
VM               Jones




 

best response confirmed by AlphaBetaGamma (Brass Contributor)
Solution

Hello @AlphaBetaGamma,

Here is a quick and dirty way to get what you need:

$Resource = Get-AzResource
$RoleAssignments = New-Object System.Collections.Generic.List[PSObject]
foreach ($r in $Resource) {
    $Assignment = Get-AzRoleAssignment -ResourceName $r.Name -ResourceGroupName $r.ResourceGroupName -ResourceType $r.ResourceType
    foreach ($a in $Assignment) {
        # direct if the assignment scope is the resource itself, otherwise inherited
        $IsInherited = if ($r.ResourceId -eq $a.Scope) { $false } else { $true }

        $a | Add-Member -NotePropertyName ResourceName -NotePropertyValue $r.Name
        $a | Add-Member -NotePropertyName ResourceId -NotePropertyValue $r.ResourceId
        $a | Add-Member -NotePropertyName IsInherited -NotePropertyValue $IsInherited
        $RoleAssignments.Add($a)
    }
}
$RoleAssignments

 

Pseudo code:

  1. Get all az resources
  2. For each resource run get az role assignments
  3. Loop through role assignments and add IsInherited property:
    If scope eq resourceid then false otherwise true
  4. Add ResourceName and ID to resulting object
  5. Add results to List

At the end you will get a list of all role assignments with additional info (ResourceName, ResourceId and IsInherited flag).

Then you can easily rotate the data as needed.

List Direct Assignments:

# Direct Assignments
$RoleAssignments | Where-Object {$_.IsInherited -eq $false} | Select-Object ResourceName, DisplayName, RoleDefinitionName, IsInherited

List Inherited Assignments:

# Inherited ones
$RoleAssignments | Where-Object {$_.IsInherited -ne $false} | Select-Object ResourceName, DisplayName, RoleDefinitionName, IsInherited

General stats:

$RoleAssignments.IsInherited | Group-Object

Hope that helps.
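As an added example (not code from this thread, and not Azure PowerShell's own code), here is a version of the accepted solution's idea, and of the scope-based reasoning in the first reply, that runs offline without an Azure connection: it takes one Get-AzResource listing and one Get-AzRoleAssignment listing, here replaced by constructed sample objects that carry the same property names, and for every resource works out which assignments apply, whether each is direct or inherited (the same Scope -eq ResourceId test the solution uses) and from which level (subscription, resource group, parent resource, management group) an inherited one comes. It generalizes the thread's approach in two ways: a single subscription-wide listing is matched to resources by scope prefix instead of calling Get-AzRoleAssignment once per resource, and management-group assignments, whose scope is not a prefix of any resource id, are supplied through an assumed -ManagementGroupScope parameter. The function names Get-ScopeLevel and Get-EffectiveRoleAssignment, the parameter names and all sample ids are invented for this example.

```powershell
# Added example, not code from the thread. Names of functions, parameters and
# all sample objects below are invented; the sample objects only mimic the
# property names of Get-AzResource / Get-AzRoleAssignment output.

function Get-ScopeLevel {
    # Map a role-assignment scope string to the level it was assigned at.
    # -match is case-insensitive, so 'resourcegroups' and 'resourceGroups' both match.
    param([Parameter(Mandatory)] [string] $Scope)
    if ($Scope -match '^/providers/Microsoft\.Management/managementGroups/[^/]+$') { return 'ManagementGroup' }
    if ($Scope -match '^/subscriptions/[^/]+$')                                   { return 'Subscription' }
    if ($Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$')              { return 'ResourceGroup' }
    if ($Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/')    { return 'Resource' }
    return 'Unknown'
}

function Get-EffectiveRoleAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Resource,    # objects with Name and ResourceId
        [Parameter(Mandatory)] [object[]] $Assignment,  # objects with DisplayName, RoleDefinitionName, Scope
        # Management-group scopes the subscription sits under (assumed input): assignments
        # at those scopes apply to every resource although no resource id starts with them.
        [string[]] $ManagementGroupScope = @()
    )
    foreach ($r in $Resource) {
        $id = $r.ResourceId.ToLowerInvariant()          # scopes and ids compare case-insensitively
        foreach ($a in $Assignment) {
            $scope = $a.Scope.ToLowerInvariant()
            # An assignment applies when its scope is the resource itself, an ancestor of it
            # (scope + '/' is a prefix of the resource id) or a management group above it.
            $applies = ($id -eq $scope) -or $id.StartsWith("$scope/") -or ($ManagementGroupScope -contains $a.Scope)
            if (-not $applies) { continue }
            $isInherited = ($id -ne $scope)             # same test as the accepted solution
            $level = Get-ScopeLevel -Scope $a.Scope
            $from = if ($isInherited) { $level } else { 'Direct' }
            [pscustomobject]@{
                ResourceName       = $r.Name
                DisplayName        = $a.DisplayName
                RoleDefinitionName = $a.RoleDefinitionName
                IsInherited        = $isInherited
                InheritedFrom      = $from
                Scope              = $a.Scope
            }
        }
    }
}

# --- constructed sample data (stand-ins for Get-AzResource / Get-AzRoleAssignment) ---
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$mg  = '/providers/Microsoft.Management/managementGroups/corp-root'   # assumed parent management group

$resources = @(
    [pscustomobject]@{ Name = 'keyvault';        ResourceId = "$sub/resourceGroups/pharma-sales/providers/Microsoft.KeyVault/vaults/keyvault" }
    [pscustomobject]@{ Name = 'storagetest0122'; ResourceId = "$sub/resourceGroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122" }
    [pscustomobject]@{ Name = 'vm01';            ResourceId = "$sub/resourceGroups/infra/providers/Microsoft.Compute/virtualMachines/vm01" }
)

$assignments = @(
    [pscustomobject]@{ DisplayName = 'Alain';     RoleDefinitionName = 'Storage Blob Data Reader'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'Marketing'; RoleDefinitionName = 'Contributor';              Scope = "$sub/resourceGroups/pharma-sales" }
    # direct assignment whose scope uses a different letter case than the resource id
    [pscustomobject]@{ DisplayName = 'Jack';      RoleDefinitionName = 'Reader';                   Scope = "$sub/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122" }
    [pscustomobject]@{ DisplayName = 'Ops';       RoleDefinitionName = 'Owner';                    Scope = $mg }
)

$effective = Get-EffectiveRoleAssignment -Resource $resources -Assignment $assignments -ManagementGroupScope @($mg)

# Direct assignments, inherited assignments (with the level they come from) and the totals
$effective | Where-Object { -not $_.IsInherited } | Format-Table ResourceName, DisplayName, RoleDefinitionName
$effective | Where-Object { $_.IsInherited }      | Format-Table ResourceName, DisplayName, RoleDefinitionName, InheritedFrom
$effective | Group-Object IsInherited | Select-Object Name, Count
```

With the constructed data the direct list holds only Jack's Reader assignment on storagetest0122, which is recognised as direct despite the lower-case "resourcegroups" in its scope because both strings are lower-cased before comparison; the other seven rows are inherited (Alain from the subscription on all three resources, Marketing from the resource group on keyvault, Ops from the management group on all three), so Group-Object reports 1 direct and 7 inherited. To run it against a real subscription, replace $resources and $assignments with the output of Get-AzResource and Get-AzRoleAssignment and pass the subscription's management-group chain to -ManagementGroupScope.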

 

 
