Forum Discussion
Power shell script which shows list of RBAC role, Azure resource and Username
- Dec 22, 2020
AlphaBetaGamma Thanks - that makes sense.
The following script should do something like that, by looping through the resources and then a nested loop through the role assignments. I've included the "Display Name" field as well in case you have any roles assigned to groups - they just have a blank entry for "SignInName".
foreach ($Resource in Get-AzResource) {
    $RoleAssignments = Get-AzRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $Resource.Type
    foreach ($RoleAssignment in $RoleAssignments) {
        $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
            @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
            @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
            @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
    }
}
ChrisBradshaw Does this script show the roles of users which are in groups too?
- ChrisBradshaw, Jan 10, 2021, Iron Contributor
printscreen Not as it stands - it shows the group name assigned to a role, but wouldn't resolve any members. To do that, we could look for any results from this script which had a value for a display name but not a sign-in name. These could probably be interpreted as groups and fed into https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adgroupmember?view=win10-ps with the -recursive flag set.
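Added example (not posted by anyone in this thread): the per-resource report from the script above with the group-resolution step described in the reply, using Get-AzADGroupMember from Az.Resources rather than the on-premises Get-ADGroupMember so it works against Azure AD groups without the AD module. It assumes Az.Resources is installed and Connect-AzAccount has already been run; the two function names are my own.

```powershell
# Added example (not from the thread); assumes Az.Resources and an active Connect-AzAccount session.

function Expand-AzADGroupUsers {
    # Recursively yields the user members of a group (nested groups are followed).
    param(
        [Parameter(Mandatory)][string]$GroupObjectId,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Nested groups can form a cycle; never expand the same group twice.
    if (-not $Seen.Add($GroupObjectId)) { return }
    foreach ($member in Get-AzADGroupMember -GroupObjectId $GroupObjectId) {
        # Member objects differ by Az.Resources version: older builds expose 'Type'
        # ("User"/"Group"), Graph-based builds expose 'OdataType' ("#microsoft.graph.group").
        $kind = if ($member.PSObject.Properties['OdataType']) { $member.OdataType } else { $member.Type }
        if ($kind -match 'group$') {
            Expand-AzADGroupUsers -GroupObjectId $member.Id -Seen $Seen
            continue
        }
        $upn = $null   # sign-in name, where the member object carries one
        if ($member.PSObject.Properties['UserPrincipalName']) { $upn = $member.UserPrincipalName }
        elseif ($member.PSObject.Properties['AdditionalProperties']) { $upn = $member.AdditionalProperties['userPrincipalName'] }
        [pscustomobject]@{ DisplayName = $member.DisplayName; SignInName = $upn; ObjectId = $member.Id }
    }
}

function Get-AzResourceRoleReport {
    # One row per (resource, principal, role). Assignments inherited from the resource group,
    # subscription or management group are returned too; the Scope column tells them apart.
    foreach ($resource in Get-AzResource) {
        foreach ($assignment in Get-AzRoleAssignment -Scope $resource.ResourceId) {
            $principals = if ($assignment.ObjectType -eq 'Group') {
                Expand-AzADGroupUsers -GroupObjectId $assignment.ObjectId
            } else {
                [pscustomobject]@{ DisplayName = $assignment.DisplayName; SignInName = $assignment.SignInName; ObjectId = $assignment.ObjectId }
            }
            $via = if ($assignment.ObjectType -eq 'Group') { $assignment.DisplayName } else { $null }
            foreach ($p in $principals) {
                [pscustomobject]@{
                    'Azure Resource name' = $resource.Name
                    SignInName            = $p.SignInName
                    DisplayName           = $p.DisplayName
                    ViaGroup              = $via
                    RoleDefinitionName    = $assignment.RoleDefinitionName
                    Scope                 = $assignment.Scope
                }
            }
        }
    }
}
```

Run it as `Get-AzResourceRoleReport | Export-Csv -Path .\rbac-report.csv -NoTypeInformation`. Every resource also lists assignments inherited from its resource group and subscription, so filter on Scope if you only want assignments made directly on the resource.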
- printscreen, Jan 10, 2021, Brass Contributor
ChrisBradshaw something like this?
ForEach ($Resource in Get-AzResource) {
    $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
    ForEach ($RoleAssignment in $RoleAssignments){
        $new=Get-AzADGroupMember -DisplayName $RoleAssignments.DisplayName
        foreach ($new in $RoleAssignment){
            $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
                @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
                @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
                @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
        }
    }
}
- printscreen, Jan 11, 2021, Brass Contributor
ChrisBradshaw Ignore my previous script. I was just messing about myself and trying things out, but it doesn't display the individual members in the group. And I'm hitting this error:
Get-AzADGroupMember : A parameter cannot be found that matches parameter name 'Name'.
At line:4 char:30
I'm sure there is something wrong with the line which I added. Is this something you can help with?