I have a resource named devtest. I want to get the list from the IAM -> Role assignments blade using Azure CLI or the REST API:
How do I retrieve that information (group id, display name etc.) programmatically? Is it possible to get a list of users and groups that have access to a resource?
For example, using Graph I'm allowed to get the groups that the signed-in user belongs to:
POST https://graph.microsoft.com/v1.0/me/getMemberGroups
Request Body:
{
"securityEnabledOnly": true
}
Response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
"value": [
// group ids here
]
}
But how do I do something similar for a resource and get the list of users and groups that have a role on that resource?
EDIT:
When we go to the Role Assignments blade, Azure calls the endpoint:
POST https://graph.windows.net/{subscriptionId}/getObjectsByObjectIds
Request body:
{ "objectIds":[ "bunch unknown ids here" ],"includeDirectoryObjectReferences":true }
And I am getting a response like:
That is related to what I am seeing in the Role assignments tab, but not all positions are returned. In these responses we don't have information about the role; how do I dig into them?
CodePudding user response:
You can use the below cmdlets to list all the role assignments of a resource and their respective groups (if the object type of the role assignment is other than User it won't give you any output).
Here is the Script:
# Mandatory to authenticate with Azure AD and to run Get-AzureADUserMembership further down (requires the AzureAD module)
Connect-AzureAD
# Mandatory to authenticate with Azure for the Get-AzRoleAssignment cmdlet (requires the Az.Resources module)
Connect-AzAccount
# List the role assignments on the resource, keep only User principals and the fields we care about
$rbac = Get-AzRoleAssignment -ResourceGroupName '<RgName>' -ResourceName '<ResourceName>' -ResourceType 'Microsoft.KeyVault/vaults' |
    Where-Object -Property ObjectType -EQ 'User' |
    Select-Object -Property SignInName, ObjectId, RoleDefinitionName
Write-Output $rbac
# For every assigned user, list the groups that user is a member of
foreach ($item in $rbac)
{
    Get-AzureADUserMembership -ObjectId $item.ObjectId | Select-Object -Property *
}
Here is the sample output for reference:
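The script in the answer keeps only User principals and depends on the legacy AzureAD module. As an added example (not part of the original answer, and not code from the question author), the following Az PowerShell script lists every role assignment visible at the resource scope, including Group and ServicePrincipal principals and assignments inherited from the resource group, subscription or management group, and expands the direct members of each assigned group through the Az.Resources Graph-backed cmdlets, so no AzureAD module is needed. It assumes the Az.Accounts and Az.Resources modules are installed, that Connect-AzAccount has already been run with an identity allowed to read role assignments at the resource and read the directory, and that the resource group name is a placeholder you fill in; the resource name devtest is taken from the question.

```powershell
# Added example, not from the original answer. Assumes Az.Accounts + Az.Resources
# and an existing Connect-AzAccount session. '<RgName>' is a placeholder.
$resourceGroup = '<RgName>'
$resourceName  = 'devtest'

# Resolve the full resource ID so the query runs at exactly that scope.
$resource = Get-AzResource -ResourceGroupName $resourceGroup -Name $resourceName
if (-not $resource) { throw "Resource '$resourceName' not found in resource group '$resourceGroup'" }

# Get-AzRoleAssignment at a scope returns assignments made on that scope AND those
# inherited from parent scopes; the Scope property on each object tells you which.
$assignments = Get-AzRoleAssignment -Scope $resource.ResourceId

$report = foreach ($ra in $assignments) {
    $inherited = $ra.Scope -ne $resource.ResourceId

    # One row per direct assignment, whatever the principal type (User, Group, ServicePrincipal, ...).
    [pscustomobject]@{
        PrincipalType = $ra.ObjectType
        PrincipalId   = $ra.ObjectId
        DisplayName   = $ra.DisplayName
        SignInName    = $ra.SignInName
        Role          = $ra.RoleDefinitionName
        Scope         = $ra.Scope
        Inherited     = $inherited
    }

    # For groups, expand the DIRECT members. Get-AzADGroupMember does not recurse into
    # nested groups; a nested group shows up as a member whose OdataType is '#microsoft.graph.group'.
    if ($ra.ObjectType -eq 'Group') {
        Get-AzADGroupMember -GroupObjectId $ra.ObjectId | ForEach-Object {
            [pscustomobject]@{
                PrincipalType = "Member of group '$($ra.DisplayName)' ($($_.OdataType))"
                PrincipalId   = $_.Id
                DisplayName   = $_.DisplayName
                SignInName    = $null   # look up with Get-AzADUser -ObjectId $_.Id if needed
                Role          = $ra.RoleDefinitionName
                Scope         = $ra.Scope
                Inherited     = $inherited
            }
        }
    }
}

# Effective access on the resource, including who gets it only through a group.
$report | Sort-Object Role, PrincipalType, DisplayName | Format-Table -AutoSize
```

Two things worth checking when the output does not match the portal blade: assignments with Inherited = True come from a parent scope and are what the portal shows under the "Inherited" column, and a principal that appears only as a group member has no row of its own in Get-AzRoleAssignment, which is why filtering on ObjectType -eq 'User' misses people whose access comes through a group. The same data is available from the Azure CLI with az role assignment list --scope <resourceId> --include-inherited --all, and from the REST API at <resourceId>/providers/Microsoft.Authorization/roleAssignments; both return principalId and principalType, and the IDs can then be resolved to display names through the Graph directoryObjects/getByIds call (the v1.0 Graph equivalent of the getObjectsByObjectIds request seen in the question).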