Get all role assignments of an Azure AD Principal
I have an Azure environment with multiple subscriptions and resources. My requirement is to have a functionality where, if I pass a user name or SPN name, it gives me all Azure resources (from management group down to individual Azure resource) to which that user/SPN has access, and what that access is (Reader, Data Reader, etc.).
The major catch is that I want PIM role assignments too. Is there a way to get them?
Options explored
- https://docs.microsoft.com/en-us/rest/api/authorization/role-assignments but this gives role assignments per scope; I want them per user/SPN
- https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal but it does not cover PIM assignments and gives assignments per subscription only
- Azure Resource Graph Explorer - this does not cover role assignments at all
Apart from iterating through 50 subscriptions, fetching role assignments per scope and then comparing object IDs, is there any better way?
Solution 1:[1]
You can use the PowerShell script below to get the role assignments for a service principal name across multiple subscriptions.

```powershell
Connect-AzAccount
$tenantID = "yourTenantID"
$spn = "serviceprincipalname"
# Resolve the principal to its object ID. Get-AzADUser works for a user UPN;
# for a service principal use Get-AzADServicePrincipal -DisplayName $spn instead.
$user = Get-AzADUser -UserPrincipalName $spn
$subscriptions = Get-AzSubscription -TenantId $tenantID
#$subscriptions.Id
foreach ($subscription in $subscriptions) {
    # Switch context to each subscription, then list assignments for the object ID
    $set = Set-AzContext -Subscription $subscription.Id
    $set
    $roleassignment = Get-AzRoleAssignment -ObjectId $user.Id
    $roleassignment
}
```
Solution 2:[2]
This might help you:
```bash
az role assignment list --all --assignee <Principal_ID>
```
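Neither answer covers the PIM part of the question, so here is an added example (not code from the question or from either answer) that walks every subscription the signed-in identity can see and pulls three sources for one principal: classic role assignments, PIM active (time-bound) assignments and PIM eligible assignments, then de-duplicates the management-group and root assignments that come back once per subscription. It assumes the Azure CLI is installed and logged in (it uses `az account list` and `az rest` for auth and transport), takes the principal's object id directly (resolve a UPN or SPN name first, as Solution 1 does with Get-AzADUser), and uses the `$filter` syntax from the Authorization REST API docs (`principalId eq ...` for role assignments, `assignedTo(...)` for the schedule-instance resources); the api-versions are assumptions to check against the ones you have. The `constructed_fetch` stand-in and the role GUIDs in it are constructed sample data so the merge logic can run offline. Two caveats for reviewers of access: the filters match the principal's own object id only, so access inherited through group membership is not listed unless you repeat the run for each group, and reading the PIM schedule instances needs read permission on each scope.

```python
"""Collect direct, PIM-active and PIM-eligible Azure role assignments for one
principal across every subscription visible to the signed-in identity.
Added example, not code from the question or the answers: the Azure CLI
(`az account list`, `az rest`) does auth and transport; normalise/merge are
pure functions that also run offline against constructed responses."""
from __future__ import annotations
import json
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import quote

ARM = "https://management.azure.com/subscriptions"
PROVIDER = "providers/Microsoft.Authorization"
# (resource type, api-version, $filter) per source of access. Filter syntax is
# from the Authorization REST API docs; verify it against your api-version.
SOURCES = {
    "direct": ("roleAssignments", "2022-04-01", "principalId eq '{pid}'"),
    "pim-active": ("roleAssignmentScheduleInstances", "2020-10-01", "assignedTo('{pid}')"),
    "pim-eligible": ("roleEligibilityScheduleInstances", "2020-10-01", "assignedTo('{pid}')"),
}

@dataclass(frozen=True)
class Grant:
    kind: str             # "direct" | "pim-active" | "pim-eligible"
    scope: str            # resource id the assignment is attached to
    role_definition: str  # GUID tail of roleDefinitionId
    role_name: str        # display name when the API expanded it, else ""

def az_json(args: list[str]):
    """Run one az CLI command (after `az login`) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout or "null")

def fetch(url: str) -> dict:
    return az_json(["rest", "--method", "get", "--url", url])

def urls_for(subscription_id: str, principal_id: str) -> dict[str, str]:
    """Per-subscription list URLs filtered to one principal; the principalId
    filter also returns assignments inherited from management groups / root."""
    return {kind: f"{ARM}/{subscription_id}/{PROVIDER}/{res}?api-version={api}"
                  f"&$filter={quote(flt.format(pid=principal_id))}"
            for kind, (res, api, flt) in SOURCES.items()}

def normalize(kind: str, response: dict) -> list[Grant]:
    """Flatten one ARM list response. All three sources carry properties.scope
    and properties.roleDefinitionId; PIM ones may add expandedProperties."""
    grants = []
    for item in response.get("value", []):
        props = item.get("properties", {})
        role_def = (props.get("expandedProperties") or {}).get("roleDefinition") or {}
        grants.append(Grant(kind, props.get("scope", ""),
                            props.get("roleDefinitionId", "").rsplit("/", 1)[-1],
                            role_def.get("displayName", "")))
    return grants

def merge(grants: Iterable[Grant]) -> list[Grant]:
    """Drop duplicates: an assignment inherited from a management group or the
    root comes back once per subscription queried."""
    seen: dict[tuple, Grant] = {}
    for g in grants:
        seen.setdefault((g.kind, g.scope.lower(), g.role_definition.lower()), g)
    return sorted(seen.values(), key=lambda g: (g.scope.lower(), g.kind, g.role_definition))

def collect(principal_id: str, subscription_ids: Iterable[str],
            fetch_json: Callable[[str], dict] = fetch) -> list[Grant]:
    """Query every source in every subscription; return the de-duplicated grants."""
    found: list[Grant] = []
    for sub in subscription_ids:
        for kind, url in urls_for(sub, principal_id).items():
            found.extend(normalize(kind, fetch_json(url)))
    return merge(found)

# Constructed offline sample (not real tenant data); GUIDs are the built-in
# Reader, Contributor and Storage Blob Data Reader role definitions.
READER, CONTRIBUTOR, BLOB_READER = ("acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "b24988ac-6180-42a0-ab88-20f7382dd24c", "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1")

def constructed_fetch(url: str) -> dict:
    """Stand-in for fetch(): p1 holds Reader on management group mg-root (returned
    under every subscription), Contributor on sub-a, and is PIM-eligible for
    Storage Blob Data Reader on one resource group in sub-a."""
    def item(scope, role_id, **extra):
        return {"properties": {"scope": scope, "roleDefinitionId": f"/{PROVIDER}/roleDefinitions/{role_id}", **extra}}
    in_sub_a = "/subscriptions/sub-a/" in url
    if "/roleAssignments?" in url:
        rows = [item("/providers/Microsoft.Management/managementGroups/mg-root", READER)]
        if in_sub_a:
            rows.append(item("/subscriptions/sub-a", CONTRIBUTOR))
        return {"value": rows}
    if "/roleEligibilityScheduleInstances?" in url and in_sub_a:
        return {"value": [item("/subscriptions/sub-a/resourceGroups/rg-data", BLOB_READER,
                               expandedProperties={"roleDefinition": {"displayName": "Storage Blob Data Reader"}})]}
    return {"value": []}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python script.py <principal object id>
        rows = collect(sys.argv[1], [s["id"] for s in az_json(["account", "list"])])
    else:                  # offline demo on the constructed sample
        rows = collect("p1", ["sub-a", "sub-b"], constructed_fetch)
    for g in rows:
        print(f"{g.kind:12} {g.role_name or g.role_definition:38} {g.scope}")
```

Run without arguments to see the offline sample (three rows: the inherited Reader reported once, Contributor on sub-a, and the eligible assignment); pass an object id to run it for real. `role_name` is only filled where the API returns `expandedProperties`, so for the classic role assignments you will usually get the role definition GUID and need one further lookup (`az role definition list --name <guid>`) to print the display name.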
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | AnsumanBal-MT |
| Solution 2 | Gjoshevski |

