SOLVED

PowerShell script which shows list of RBAC role, Azure resource and Username


Hi,

 

Can anyone please help me with a PowerShell script which shows a list consisting of RBAC role, Azure resource & username to whom it is allocated?

 

11 Replies

@AlphaBetaGamma How about this, using the Get-AzRoleAssignment cmdlet:

 

Get-AzRoleAssignment | Select-Object RoleDefinitionName, Scope , DisplayName

 

 

Output will look something like this

 

RoleDefinitionName  Scope                                                     DisplayName
------------------  -----                                                     -----------
Contributor         /subscriptions/(guid)/resourcegroups/myresourcegroup      Bob
Reader              /subscriptions/(guid)/resourcegroups/myresourcegroup/myvm Jim
Contributor         /subscriptions/(guid)/resourcegroups/myresourcegroup/myvm Sal

 

Thanks for your response. Yeah, I have tried this. But I was trying to get the exact resource name against each RBAC role and the username. @Chris Bradshaw

@AlphaBetaGamma - would you be able to write out some sample (made up) output so I can get a better idea of what you're looking for?

@Chris Bradshaw Sorry, I didn't convey it properly it seems, my bad. Below is the output I was expecting from the PowerShell script.

Azure Resource name  SignInName   RoleDefinitionName
-------------------  ----------   ------------------
keyvault             aaa@aaa.com  Contributor
sql                  aaa@aaa.com  Reader

Best Response confirmed by AlphaBetaGamma (Occasional Contributor)
Solution

@AlphaBetaGamma Thanks- that makes sense.

The following script should do something like that, by looping through the resources and then a nested loop through the role assignments. I've included the "Display Name" field as well in case you have any roles assigned to groups- they just have a blank entry for "SignInName".

 

foreach ($Resource in Get-AzResource) {
 $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
 ForEach ($RoleAssignment in $RoleAssignments){
   $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
     @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
     @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
     @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
 }
}

 

@Chris Bradshaw Does this script show the roles of users which are in groups too?

@printscreen Not as it stands- it shows the group name assigned to a role, but wouldn't resolve any members. To do that, we could look for any results from this script which had a value for a display name but not a sign in name. These could probably be interpreted as groups and fed into Get-ADGroupMember with the -recursive flag set.

@Chris Bradshaw something like this?

 

ForEach ($Resource in Get-AzResource) {
    $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
    ForEach ($RoleAssignment in $RoleAssignments){
      $new=Get-AzADGroupMember -DisplayName $RoleAssignments.DisplayName 
      foreach ($new in $RoleAssignment){
        $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
        @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
        @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
        @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
      }
    }
   }

@Chris Bradshaw Ignore my previous script. I was just messing around and trying things out, but it doesn't display the individual members in the group. And I'm hitting this error:

Get-AzADGroupMember : A parameter cannot be found that matches parameter name 'Name'.
At line:4 char:30

 

I'm sure there is something wrong with the line which I added. Is this something you can help with?

 

@printscreen Sorry, I've had a busy week at the office so haven't got back sooner.

With this script we can separate out the Group assignments from the user assignments by checking $RoleAssignment.ObjectType. I've used an if block in the following example. Once we have the group, Get-AzADGroupMember can be used to do a lookup on the group and then we can loop through those $GroupMembers and get the value for each.

 

Note that this code won't currently deal with nested groups (Get-AZADGroupMember doesn't have a -recursive option), but you should be able to find the code to do that with a quick search around if required.

foreach ($Resource in Get-AzResource) {
  $RoleAssignments=Get-AZRoleAssignment -ResourceGroupName $Resource.ResourceGroupName -ResourceName $Resource.Name -ResourceType $resource.type
  ForEach ($RoleAssignment in $RoleAssignments){
    if ($RoleAssignment.ObjectType -eq "Group"){
      #Role Assignment is a Group, list Group members
      $GroupMembers=Get-AzADGroupMember -GroupObjectId $RoleAssignment.ObjectID
      ForEach ($GroupMember in $GroupMembers){
        $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
          @{Name="SignInName";Expression={$GroupMember.UserPrincipalName}},
          @{Name="DisplayName";Expression={$GroupMember.DisplayName}},
          @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
      }
    }else{
      #Not a Group- Treat as a User
      $Resource | Select-Object @{Name="Azure Resource name";Expression={$Resource.Name}},
        @{Name="SignInName";Expression={$RoleAssignment.SignInName}},
        @{Name="DisplayName";Expression={$RoleAssignment.DisplayName}},
        @{Name="RoleDefinitionName";Expression={$RoleAssignment.RoleDefinitionName}}
    }
  }
}
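
The nested-group case that the reply above leaves out can be covered with a recursive walk that remembers which groups it has already expanded, so a group that contains itself indirectly does not loop forever. This is an added example, not code from the thread: Expand-GroupMember, the $GetMembers script block, the Via column and the sample directory are hypothetical, and it assumes member objects mark groups through ObjectType or OdataType depending on the Az.Resources version.

```powershell
# Added example (not from the thread): expand nested group membership with cycle protection.
# $GetMembers returns the direct members of a group id. Against a live tenant it would wrap
# the cmdlet used in the thread:  { param($Id) Get-AzADGroupMember -GroupObjectId $Id }
function Expand-GroupMember {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [scriptblock] $GetMembers,
        [string] $Path = '',
        [System.Collections.Generic.HashSet[string]] $Visited
    )
    if ($null -eq $Visited) { $Visited = [System.Collections.Generic.HashSet[string]]::new() }
    # Add() returns $false when the id was seen before: a cycle, or a group reached twice.
    if (-not $Visited.Add($GroupId)) { return }

    foreach ($Member in & $GetMembers $GroupId) {
        # Assumption: groups carry ObjectType 'Group' (older Az) or a Graph OdataType (newer Az).
        $IsGroup = $Member.ObjectType -eq 'Group' -or $Member.OdataType -eq '#microsoft.graph.group'
        if ($IsGroup) {
            Expand-GroupMember -GroupId $Member.Id -GetMembers $GetMembers `
                -Visited $Visited -Path "$Path/$($Member.DisplayName)"
        } else {
            [pscustomobject]@{
                SignInName  = $Member.UserPrincipalName
                DisplayName = $Member.DisplayName
                Via         = $Path   # chain of groups through which access is granted
            }
        }
    }
}

# Constructed sample directory (not real tenant data): group id -> direct members.
$Directory = @{
    'g-ops' = @(
        [pscustomobject]@{ Id = 'u-1';   DisplayName = 'Bob'; UserPrincipalName = 'bob@example.com'; ObjectType = 'User' }
        [pscustomobject]@{ Id = 'g-dba'; DisplayName = 'DBA'; ObjectType = 'Group' }
    )
    'g-dba' = @(
        [pscustomobject]@{ Id = 'u-2';   DisplayName = 'Sal'; UserPrincipalName = 'sal@example.com'; ObjectType = 'User' }
        [pscustomobject]@{ Id = 'g-ops'; DisplayName = 'Ops'; ObjectType = 'Group' }   # cycle back to Ops
    )
}
$Lookup = { param($Id) $Directory[$Id] }

# Constructed role assignment, shaped like a Get-AzRoleAssignment result for a group.
$RoleAssignment = [pscustomobject]@{
    ObjectType = 'Group'; ObjectId = 'g-ops'; DisplayName = 'Ops'; RoleDefinitionName = 'Contributor'
}

# 'keyvault' stands in for $Resource.Name from the outer loop in the script above.
Expand-GroupMember -GroupId $RoleAssignment.ObjectId -GetMembers $Lookup -Path $RoleAssignment.DisplayName |
    Select-Object @{Name='Azure Resource name';Expression={'keyvault'}},
        SignInName, DisplayName, Via,
        @{Name='RoleDefinitionName';Expression={$RoleAssignment.RoleDefinitionName}}
```

The Via column records which group chain grants each user the role, which is the detail an access review needs when deciding where to remove an assignment.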