Export role assignments for all Azure subscriptions
Microsoft has done it straightforward to get an overview of Azure role assignments for a subscription. They have added the Download role assignments button in the Azure portal under Subscriptions. When I’m working with customers that have many subscriptions, I’ll like to get an overview of all the subscriptions at once. Therefore I use PowerShell the export role assignments for all Azure subscriptions at once.
Script parameters
There are 2 parameters in the script, $OutputPath and $SelectCurrentSubscription . None of them are mandatory.
$OutputPath: If defined, a CSV file will be exported to the chosen location. Example: .\Export-RoleAssignments.ps1 -OutputPath C:\temp
$SelectCurrentSubscription: Will only export role assignments from the subscription that are selected. Example: .\Export-RoleAssignments.ps1 -SelectCurrentSubscription
Run Get-Azcontext to view which subscription is selected.
Script Output
Besides getting an overview of the overall role assignments in an Azure subscription, I also like to know if a role is a Custom or Built-in role. The script will check each assignment if CustomRole is True or False.
Output Example in Powershell Console
Output Example to CSV File
The PowerShell Script
The Powershell script will be available on my account Github . Go there for the latest updates (article script will not be synced with the GitHub version).
3 thoughts on “ Export role assignments for all Azure subscriptions ”
Can you edit the script that when roles assigned to groups the group members are also exported in that csv?
getting the following error on azuread part:
PS C:\scripts> .\azure.ps1 -OutPutPath C:\temp VERBOSE: Running for all subscriptions in tenant VERBOSE: Changing to Subscription Access to Azure Active Directory VERBOSE: Getting information about Role Assignments… WARNING: We have migrated the API calls for this cmdlet from Azure Active Directory Graph to Microsoft Graph. Visit https://go.microsoft.com/fwlink/?linkid=2181475 for any permission issues. Get-AzRoleAssignment : Operation returned an invalid status code ‘BadRequest’ At C:\scripts\azure.ps1:39 char:14 + $roles = Get-AzRoleAssignment | Select-Object RoleDefinitionName, … + ~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], ErrorResponseException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
You have to edit the script for it to work again. You will have to change the API call to Microsoft Graph. Maybe I will do it at some point.
Leave a Reply Cancel reply
Your email address will not be published.
Manage Azure Role Assignments Like a Pro with PowerShell
Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.
PowerShell examples for managing Azure Role assignments
List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.
And now there is a script that combines some of these examples into one usable function:
I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.
Vukasin Terzic
Recent Update
- Writing your first Azure Terraform Configuration
- Transition from ARM Templates to Terraform with AI
- Getting started with Terraform for Azure
- Terraform Configuration Essentials: File Types, State Management, and Provider Selection
- Dynamically Managing Azure NSG Rules with PowerShell
Trending Tags
Retrieve azure resource group cost with powershell api.
The Future Of Azure Governance: Trends and Predictions
Further Reading
In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...
Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency
As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...
Custom PowerShell API for Azure Naming Policy
To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...
Get-AzRoleAssignment
In this Azure PowerShell article, we will discuss the syntax and usage of the Get-AzRoleAssignment PowerShell cmdlet with a few examples.
Table of Contents
Syntax of Get-AzRoleAssignment
Wrapping up.
Get-AzRoleAssignment is an excellent Azure PowerShell cmdlet that can get you the lists of all the role assignments under your subscription or a specific scope.
Below is the syntax of the Get-AzRoleAssignment Azure PowerShell cmdlet.
Let’s discuss some examples of implementation of the Get-AzRoleAssignment PowerShell command.
You can execute the Azure PowerShell cmdlet below to help you get the list of all the role assignments under my current subscription.
After executing the above PowerShell command, I got the below output.
You can see the output below
You can also use the below Azure PowerShell command to get the list of role assignments under the specified service principal “http://tsinfotechnologies.com”.
Execute the below PowerShell command that can help you to get the list of role assignments under a specified tsinfo website scope.
You may also like following the articles below
- New-AzRoleAssignment
- Get-AzRoleDefinition
- Get-AzResource
In this Azure article, we have discussed the syntax and usage of the Get-AzRoleAssignment Azure PowerShell cmdlet. Thanks for reading this article !!!
I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials. Read more .
- Career Model
- Proactive Mentorship
- Productivity
- Review Model
- Work:Life Balance
- 3D Printing
- Announcements
- Conferences
How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer
Here are a bunch of ways you can find which roles are built into Azure. This will come in super handy when you need to assign a role to a service principal or user with Azure CLI commands like this:
- Query the big honking json
- Query all, but only return Name and Id in a nice table
- Filter by name contains:
This one filters for roles with “Map” in the name:
Azure PowerShell
https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-3.8.0
This page has all the built in roles: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles
AzAdvertizer
Just found this site today by Julian Hayward. It’s a great way to find roles
https://www.azadvertizer.net/azrolesadvertizer_all.html
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Manage Azure role-based access control (Azure RBAC).
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .
Submit and view feedback for
Additional resources
Navigation Menu
Search code, repositories, users, issues, pull requests..., provide feedback.
We read every piece of feedback, and take your input very seriously.
Saved searches
Use saved searches to filter your results more quickly.
To see all available qualifiers, see our documentation .
- Notifications
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
az role assignment list retuns "subscription could not be found" in tenant without subscription #19063
starbuck3000 commented Jul 30, 2021 • edited
- 👍 1 reaction
yonzhan commented Jul 31, 2021
Sorry, something went wrong.
QuickScoP3s commented Oct 18, 2022
No branches or pull requests
- Ansible community forum
- Documentation
- Collection Index
- Collections in the Azure Namespace
- Azure.Azcollection
- azure.azcollection.azure_rm_roleassignment module – Manage Azure Role Assignment
azure.azcollection.azure_rm_roleassignment module – Manage Azure Role Assignment
This module is part of the azure.azcollection collection (version 1.19.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core . To check whether it is installed, run ansible-galaxy collection list .
To install it, use: ansible-galaxy collection install azure.azcollection . You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: azure.azcollection.azure_rm_roleassignment .
New in azure.azcollection 0.1.2
Create and delete instance of Azure Role Assignment.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7
The host that executes this module must have the azure.azcollection collection installed via galaxy
All python packages listed in collection’s requirements-azure.txt must be installed via pip on the host that executes modules from azure.azcollection
Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection
Parameters
For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login .
Authentication is also possible using a service principal or Active Directory user.
To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.
To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.
Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.
How to authenticate using the az login command.
Return Values
Common return values are documented here , the following are the fields unique to this module:
Yunge Zhu(@yungezz)
Paul Aiton(@paultaiton)
Collection links
- Issue Tracker
- Repository (Sources)
IMAGES
VIDEO
COMMENTS
az role assignment list --assignee {assignee} By default, only role assignments for the current subscription will be displayed. To view role assignments for the current subscription and below, add the --all parameter. To include role assignments at parent scopes, add the --include-inherited parameter. To include role assignments for groups of which the user is a member transitively, add the ...
Step 1: Determine who needs access. You can assign a role to a user, group, service principal, or managed identity. To assign a role, you might need to specify the unique ID of the object. The ID has the format: 11111111-1111-1111-1111-111111111111. You can get the ID using the Azure portal or Azure CLI. User.
Navigate to the resource/resource group/subscription in the portal -> Access control (IAM) -> Role assignments, you can filter with the parameters you want. Or you can use the Azure powershell Get-AzRoleAssignment or REST API, it depends on your requirement. Sample: 1.You have a list of ObjectIds of the users, you can use the script as below.
Run Get-Azcontext to view which subscription is selected. Script Output. Besides getting an overview of the overall role assignments in an Azure subscription, I also like to know if a role is a Custom or Built-in role. The script will check each assignment if CustomRole is True or False. Output Example in Powershell Console Output Example to ...
Saved searches Use saved searches to filter your results more quickly
The command also has a "New-" variation, for adding a new assignment, and a "Remove-" variation for removing a role assignment. Note: If you see older blogs or scripts using "Get-AzureRmRoleAssignment", that was an earlier name for this command before the Az updates. You can often replace the AzureRm bit with just Az, but not in every case as ...
Learn how to manage Azure Role assignments using PowerShell snippets and simple commandlets. Discover examples for listing all role assignments, adding and removing assignments for users or service principals, creating custom roles, and more. Plus, check out a script that combines some of these examples into a single function. Written by Vukasin Terzic.
To list role assignments for a specific resource, use Get-AzRoleAssignment and the -Scope parameter. The scope will be different depending on the resource. To get the scope, you can run Get-AzRoleAssignment without any parameters to list all of the role assignments and then find the scope you want to list.
Describe the bug. When we run az role assignment list --subscription="${required_sub_name}", it fails when "${required_sub_name}" does not match the active subscription as shown by az account show.. The failure is with the message: No matches in graph database for '${assignee}' When we set active sub to match --subscription argument, everything works just fine.
az feedback auto-generates most of the information requested below, as of CLI version 2.0.62. Related command az role assignment list --include-inherited --scope /subscriptions/{ID} Describe the bug Trying to get list role assignments that are assigned at subscription level and inherited from parent scopes (Management group, root).
Get-AzRoleAssignment is an excellent Azure PowerShell cmdlet that can get you the lists of all the role assignments under your subscription or a specific scope. Syntax of Get-AzRoleAssignment. Below is the syntax of the Get-AzRoleAssignment Azure PowerShell cmdlet. Get-AzRoleAssignment Get-AzRoleAssignment -SignInName <String>
This will come in super handy when you need to assign a role to a service principal or user with Azure CLI commands like this: az role assignment create --assignee 3db3ad97-06be-4c28-aa96-f1bac93aeed3 --role "Azure Maps Data Reader" Azure CLI. Query the big honking json; az role definition list Query all, but only return Name and Id in a nice table
We include an additional query for which subscription the assignment is scoped to, because by default the subscription is only returned by its ID. The Group-Object is present to not list the same assignment multiple times (multiple subscriptions might inherit a role assignment from a Management Group higher up).
Manage role assignments. Create a new role assignment for a user, group, or service principal. Delete role assignments. List role assignments. List changelogs for role assignments. Update an existing role assignment for a user, group, or service principal. Manage role definitions. Create a custom role definition.
ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. labels Jul 30, 2021
The role assignments where the user has been removed remain as Identity not found. The az role assignment list does not return displayName to filter it out that way. Ex: "canDelegate"...
Controls the source of the credentials to use for authentication. Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable.. When set to auto (the default) the precedence is module parameters -> env-> credential_file-> cli.. When set to env, the credentials will be read from the environment variables. When set to credential_file, it will read the profile from ~/.azure/credentials.
In azure active directory -> App registration -> Try to add service principal like below: To check existing for the service principal: az role assignment list --all --assignee <service-principal-object-id>. Make sure to check the Registry ID. az acr show --name <ACRName> --query id --output tsv.