Get users and groups that have access to Azure resource

Time:03-02

I have a resource named devtest. I want to get list from IAM -> Role assignments blade using azure cli or REST API:

[screenshot: IAM -> Role assignments blade]

How can I retrieve that information (group id, display name etc.) programmatically? Is it possible to get a list of users and groups that have access to a resource?

For example, using Graph I'm allowed to get the groups that the signed-in user belongs to:

POST https://graph.microsoft.com/v1.0/me/getMemberGroups
Request Body:
{
    "securityEnabledOnly": true
}

Response:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        // group ids here
    ]
}

But how do I do something similar for a resource and get the list of users and groups that have a role on that resource?

EDIT:

When we go to Role Assignments blade, Azure calls endpoint:

POST https://graph.windows.net/{subscriptionId}/getObjectsByObjectIds

Request body:
{ "objectIds":[ "bunch unknown ids here" ],"includeDirectoryObjectReferences":true }

And I am getting a response like:

[screenshot: getObjectsByObjectIds response]

That is related to what I am seeing in the Role assignments tab, but not all entries are returned. In these responses we don't have information about the role; how do I dig into them?

CodePudding user response:

You can use the below cmdlets to list all the role assignments of a resource & their respective groups (if the object type of the role assignment is other than User it won't give you any output).

Here is the Script:

Connect-AzAccount  # Az context, needed for Get-AzRoleAssignment
Connect-AzureAD    # Mandatory to authenticate with Azure AD & to further run the Get-AzureADUserMembership cmdlet
$rbac = Get-AzRoleAssignment -ResourceGroupName '<RgName>' -ResourceName '<ResourceName>' -ResourceType 'Microsoft.KeyVault/vaults' |
    Where-Object -Property ObjectType -EQ 'User' |
    Select-Object -Property SignInName, ObjectId, RoleDefinitionName
Write-Output $rbac
foreach ($item in $rbac)
{
    # Groups (and other directory objects) the assigned user is a direct member of
    Get-AzureADUserMembership -ObjectId $item.ObjectId | Select-Object -Property *
}

Here is the sample output for reference:

[screenshots: sample output of the script]
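The script in the answer above only returns rows whose principal is a User, so a Group or ServicePrincipal that holds a role on the resource (the case the answer itself flags) is silently skipped. The following is an added example, not code from the original answer: it walks every role assignment on the resource, keeps the role name and scope, and for Group principals expands the direct members with Get-AzureADGroupMember. It assumes the Az and AzureAD modules are installed and that '<RgName>', '<ResourceName>' and the resource type are placeholders you replace with your own values.

```powershell
# Added example (not from the original answer): list every principal that holds a
# role on a resource, expanding groups into their members. Assumes the Az and
# AzureAD modules are installed; placeholder values below are to be replaced.
Connect-AzAccount   # Az context for Get-AzRoleAssignment
Connect-AzureAD     # Azure AD context for Get-AzureADGroupMember

$target = @{
    ResourceGroupName = '<RgName>'            # placeholder
    ResourceName      = '<ResourceName>'      # placeholder
    ResourceType      = 'Microsoft.KeyVault/vaults'
}

# Get-AzRoleAssignment returns assignments made at the resource scope and those
# inherited from the resource group / subscription / management group; the
# Scope property tells you which is which.
$assignments = Get-AzRoleAssignment @target

$rows = foreach ($ra in $assignments) {
    switch ($ra.ObjectType) {
        'User' {
            [pscustomobject]@{
                Principal = $ra.SignInName
                Type      = 'User'
                ViaGroup  = $null
                Role      = $ra.RoleDefinitionName
                Scope     = $ra.Scope
            }
        }
        'Group' {
            # Emit the group itself, then each direct member of the group
            [pscustomobject]@{
                Principal = $ra.DisplayName
                Type      = 'Group'
                ViaGroup  = $null
                Role      = $ra.RoleDefinitionName
                Scope     = $ra.Scope
            }
            Get-AzureADGroupMember -ObjectId $ra.ObjectId -All $true | ForEach-Object {
                $name = if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                [pscustomobject]@{
                    Principal = $name
                    Type      = $_.ObjectType   # User, Group (nested) or ServicePrincipal
                    ViaGroup  = $ra.DisplayName
                    Role      = $ra.RoleDefinitionName
                    Scope     = $ra.Scope
                }
            }
        }
        default {
            # ServicePrincipal, or 'Unknown' when the object was deleted from the
            # directory but the role assignment still exists
            [pscustomobject]@{
                Principal = if ($ra.DisplayName) { $ra.DisplayName } else { $ra.ObjectId }
                Type      = $ra.ObjectType
                ViaGroup  = $null
                Role      = $ra.RoleDefinitionName
                Scope     = $ra.Scope
            }
        }
    }
}

$rows | Sort-Object Role, Type, Principal | Format-Table -AutoSize
```

Two things to look at in the output when reviewing who can reach the resource: rows whose Scope is wider than the resource itself (inherited assignments that the resource-level blade still shows), and rows whose Type is Unknown, which are assignments left behind after the principal was deleted. Nested groups appear as Type Group under ViaGroup; the example only expands one level, so recurse on those if you need the full effective membership.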
