Skip to content

Latest commit

 

History

History
187 lines (133 loc) · 8.16 KB

role-assignments-list-powershell.md

File metadata and controls

187 lines (133 loc) · 8.16 KB
title description services documentationcenter author manager ms.assetid ms.service ms.devlang ms.topic ms.tgt_pltfrm ms.workload ms.date ms.author ms.reviewer ms.custom
List Azure role assignments using Azure PowerShell - Azure RBAC
Learn how to determine what resources users, groups, service principals, or managed identities have access to using Azure PowerShell and Azure role-based access control (Azure RBAC).
active-directory
rolyon
mtillman
9e225dba-9044-4b13-b573-2f30d77925a9
role-based-access-control
na
how-to
na
identity
07/28/2020
rolyon
bagovind
devx-track-azurepowershell

List Azure role assignments using Azure PowerShell

[!INCLUDE Azure RBAC definition list access] This article describes how to list role assignments using Azure PowerShell.

[!INCLUDE az-powershell-update]

Note

If your organization has outsourced management functions to a service provider who uses Azure Lighthouse, role assignments authorized by that service provider won't be shown here.

Prerequisites

List role assignments for the current subscription

The easiest way to get a list of all the role assignments in the current subscription (including inherited role assignments from root and management groups) is to use Get-AzRoleAssignment without any parameters.

Get-AzRoleAssignment

PS C:\> Get-AzRoleAssignment

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : Alain
SignInName         : alain@example.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId   : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Marketing
SignInName         :
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : Group
CanDelegate        : False

...

List role assignments for a subscription

To list all role assignments at a subscription scope, use Get-AzRoleAssignment. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

Get-AzRoleAssignment -Scope /subscriptions/<subscription_id>

PS C:\> Get-AzRoleAssignment -Scope /subscriptions/00000000-0000-0000-0000-000000000000

List role assignments for a user

To list all the roles that are assigned to a specified user, use Get-AzRoleAssignment.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname>

PS C:\> Get-AzRoleAssignment -SignInName isabella@example.com | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

To list all the roles that are assigned to a specified user and the roles that are assigned to the groups to which the user belongs, use Get-AzRoleAssignment.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname> -ExpandPrincipalGroups

Get-AzRoleAssignment -SignInName isabella@example.com -ExpandPrincipalGroups | FL DisplayName, RoleDefinitionName, Scope

List role assignments for a resource group

To list all role assignments at a resource group scope, use Get-AzRoleAssignment.

Get-AzRoleAssignment -ResourceGroupName <resource_group_name>

PS C:\> Get-AzRoleAssignment -ResourceGroupName pharma-sales | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Alain Charon
RoleDefinitionName : Backup Operator
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Alain Charon
RoleDefinitionName : Virtual Machine Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

List role assignments for a management group

To list all role assignments at a management group scope, use Get-AzRoleAssignment. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use Get-AzManagementGroup.

Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/<group_id>

PS C:\> Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/marketing-group

List role assignments for a resource

To list role assignments for a specific resource, use Get-AzRoleAssignment and the -Scope parameter. The scope will be different depending on the resource. To get the scope, you can run Get-AzRoleAssignment without any parameters to list all of the role assignments and then find the scope you want to list.

Get-AzRoleAssignment -Scope "/subscriptions/<subscription_id>/resourcegroups/<resource_group_name>/providers/<provider_name>/<resource_type>/<resource>

This following example shows how to list the role assignments for a storage account. Note that this command also lists role assignments at higher scopes, such as resource groups and subscriptions, that apply to this storage account.

PS C:\> Get-AzRoleAssignment -Scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"

If you want to just list role assignments that are assigned directly on a resource, you can use the Where-Object command to filter the list.

PS C:\> Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}

List role assignments for classic service administrator and co-administrators

To list role assignments for the classic subscription administrator and co-administrators, use Get-AzRoleAssignment.

Get-AzRoleAssignment -IncludeClassicAdministrators

List role assignments for a managed identity

  1. Get the object ID of the system-assigned or user-assigned managed identity.

    To get the object ID of a user-assigned managed identity, you can use Get-AzADServicePrincipal.

    Get-AzADServicePrincipal -DisplayNameBeginsWith "<name> or <vmname>"

  2. To list the role assignments, use Get-AzRoleAssignment.

    Get-AzRoleAssignment -ObjectId <objectid>

Next steps