
Get all role assignments of an Azure AD Principal

I have an Azure environment with multiple subscriptions and resources. My requirement is to have a functionality where, if I pass a user name or SPN name, it gives me all Azure resources (from management group down to individual resource) that the user/SPN has access to, and what that access is (Reader, Data Reader, etc.).

The major catch is that I want PIM role assignments too. Is there a way to get them?

Options explored

  1. https://docs.microsoft.com/en-us/rest/api/authorization/role-assignments, but this gives role assignments per scope; I want them per user/SPN.
  2. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal; it does not cover PIM assignments and gives assignments per subscription only.
  3. Azure Resource Graph Explorer; this does not cover role assignments at all.

Apart from iterating through 50 subscriptions, fetching role assignments per scope and then comparing object id, is there any better way?

You can use the below PowerShell script to get the role assignments for a service principal name across multiple subscriptions.

Connect-AzAccount
$tenantID = "yourTenantID"
$spn = "serviceprincipalname"
# Get-AzADUser resolves a *user* by UPN; for an actual service principal object,
# resolve it with Get-AzADServicePrincipal -DisplayName $spn instead.
$user = Get-AzADUser -UserPrincipalName $spn
$subscriptions = Get-AzSubscription -TenantId $tenantID
#$subscriptions.Id
foreach ($subscription in $subscriptions) {
    # Switch context so Get-AzRoleAssignment queries this subscription
    $set = Set-AzContext -Subscription $subscription
    $set
    $roleassignment = Get-AzRoleAssignment -ObjectId $user.Id
    $roleassignment
}

Output:

[screenshot of the script's output in the original answer]

Reference:

Install the Azure Az PowerShell module | Microsoft Docs
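The question asks for assignments from management group scope downwards, for either a user or a service principal, so the per-subscription loop above can be generalised. The following is an added example, not code from the answer above: a function that resolves a UPN or a service principal display name to an object ID, then queries every management group and subscription the caller can see. It covers active (non-PIM) assignments only. It assumes the Az.Accounts and Az.Resources modules are installed and Connect-AzAccount has already run; the function name and the sample principal name in the usage comment are hypothetical.

```powershell
# Added example: direct Azure RBAC role assignments for one principal across all
# management groups and subscriptions visible to the signed-in account.
# Assumes Az.Accounts + Az.Resources are installed and Connect-AzAccount has run.
function Get-PrincipalRoleAssignments {
    param(
        # UPN of a user, or display name of a service principal
        [Parameter(Mandatory)] [string] $PrincipalName,
        # Also return assignments granted via groups the principal belongs to
        [switch] $IncludeGroups
    )

    # Resolve the name to an object ID: try a user first, then a service principal.
    $principal = Get-AzADUser -UserPrincipalName $PrincipalName -ErrorAction SilentlyContinue
    if (-not $principal) {
        $principal = Get-AzADServicePrincipal -DisplayName $PrincipalName -ErrorAction SilentlyContinue
    }
    if (-not $principal) { throw "No user or service principal found for '$PrincipalName'" }
    $objectId = $principal.Id

    # Scopes to query: every management group plus every subscription.
    $scopes = @()
    $scopes += (Get-AzManagementGroup | ForEach-Object { $_.Id })
    $scopes += (Get-AzSubscription | ForEach-Object { "/subscriptions/$($_.Id)" })

    # Get-AzRoleAssignment at a scope also returns assignments on child scopes
    # (resource groups, resources) and inherited ones, so the same assignment can
    # show up under several queried scopes; de-duplicate on RoleAssignmentId.
    $seen = @{}
    foreach ($scope in $scopes) {
        $params = @{ ObjectId = $objectId; Scope = $scope; ErrorAction = 'SilentlyContinue' }
        if ($IncludeGroups) { $params['ExpandPrincipalGroups'] = $true }
        foreach ($a in (Get-AzRoleAssignment @params)) {
            if ($seen.ContainsKey($a.RoleAssignmentId)) { continue }
            $seen[$a.RoleAssignmentId] = $true
            [pscustomobject]@{
                Principal = $PrincipalName
                Role      = $a.RoleDefinitionName
                Scope     = $a.Scope
                Kind      = 'Active'
            }
        }
    }
}

# Usage (hypothetical principal name):
# Get-PrincipalRoleAssignments -PrincipalName 'alice@contoso.example' -IncludeGroups |
#     Sort-Object Scope | Format-Table -AutoSize
```

Querying by -Scope rather than switching context means no Set-AzContext is needed; assignments at a management group are visible only if the caller has at least read access to that management group, which is why errors are suppressed rather than treated as fatal.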

This might help you:

az role assignment list --all --assignee <Principal_ID>

https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-list

@Gjoshevski has shared a useful command, but you still need to loop through each subscription to list the role assignments on each subscription (if you have more than one in your tenant).

The following Azure CLI commands will do the job.

$spID = '<ObjectID here>'     # Object ID of an application or service principal
$tenantId = '<TenantID here>'
az login --tenant $tenantId
# "[].id" selects the id of every subscription in the list; a bare "id" query returns nothing
$sub_ids = az account list --query "[].id" -o tsv

foreach ($sub_id in $sub_ids) {
    az account set --subscription $sub_id
    "Subscription Name: $(az account show --query name -o tsv)"
    az role assignment list --all --assignee $spID --include-inherited --include-groups -o table
}

Note that the above is PowerShell syntax but uses Azure CLI commands.
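Neither answer returns PIM eligible assignments, which the question calls the major catch. The following is an added example (not the answer's own code) in the same PowerShell-plus-Azure-CLI style: for each subscription it lists the active assignments with az role assignment list, then calls az rest against the Azure RBAC roleEligibilityScheduleInstances endpoint (api-version 2020-10-01) filtered on the principal, and merges both into one table. It assumes Azure CLI is installed and logged in, and that the signed-in identity is allowed to read PIM data at each subscription scope; the object ID is a placeholder.

```powershell
# Added example: active RBAC assignments plus PIM *eligible* assignments for one
# principal across every subscription visible to `az login`.
# Assumes: Azure CLI installed and logged in; reader rights on PIM data per scope.
$principalId = '<ObjectID here>'   # placeholder: object ID of the user or service principal

$subIds  = az account list --query "[].id" -o tsv
$results = @()

foreach ($subId in $subIds) {
    $scope = "/subscriptions/$subId"

    # Active assignments (permanent or currently PIM-activated), including inherited
    # and group-based ones. --subscription avoids having to switch the default account.
    $active = az role assignment list --all --assignee $principalId --subscription $subId `
                  --include-inherited --include-groups -o json | ConvertFrom-Json
    foreach ($a in $active) {
        $results += [pscustomobject]@{ Kind = 'Active'; Role = $a.roleDefinitionName; Scope = $a.scope }
    }

    # Eligible assignments are not returned by `az role assignment list`; ask the
    # roleEligibilityScheduleInstances endpoint for this principal instead.
    $filter = [uri]::EscapeDataString("principalId eq '$principalId'")
    $uri = "https://management.azure.com$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances" +
           "?api-version=2020-10-01&`$filter=$filter"
    $eligible = az rest --method get --uri $uri -o json | ConvertFrom-Json
    foreach ($e in $eligible.value) {
        $results += [pscustomobject]@{
            Kind  = 'Eligible (PIM)'
            Role  = $e.properties.expandedProperties.roleDefinition.displayName
            Scope = $e.properties.scope
        }
    }
}

# Inherited assignments appear once per subscription they are inherited into; collapse duplicates.
$results | Sort-Object -Property Kind, Role, Scope -Unique | Format-Table -AutoSize
```

If management-group-level PIM eligibility is also needed, the same az rest call works with a scope of the form /providers/Microsoft.Management/managementGroups/<name>, which you can enumerate with az account management-group list.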
