Is there any PowerShell script or command to get a report of all the user's access role in tena

Time:12-12

I am preparing a report which contains all the users' access levels, tenant-wise, from Azure.

Is there any one command or script to get all the users' access levels from an Azure tenant?

CodePudding user response:

That is a little bit tricky: the PS library for Azure is different from the PS library for AD. You must cross-reference the information.

  1. You must get all users from your AD using the command below and save them as a variable

    $allUsers = Get-ADUser -Filter *

  2. Now you can navigate to all subscriptions in your tenant, all resource groups and resources, and for each and every one get the IAM (which comes with the objectId of the user) and cross-reference it with the variable $allUsers to identify everyone.

The sample is not the best but maybe it can help you:

    Connect-AzAccount
    $listIAM = New-Object System.Collections.ArrayList
    $listSubscriptions = Get-AzSubscription
    foreach($subscription in $listSubscriptions){
        Set-AzContext -SubscriptionId $subscription.Id | Out-Null
        # Now you have all role assignments at this subscription scope
        # (quote the scope: bare $subscription.Id would not expand the property)
        $subscriptionIAM = Get-AzRoleAssignment -Scope "/subscriptions/$($subscription.Id)"
        # Add each assignment separately so the list stays flat instead of nesting arrays
        foreach($ra in $subscriptionIAM){ $listIAM.Add($ra) | Out-Null }

        # Navigate into resource groups
        $listResourceGroups = Get-AzResourceGroup
        foreach($resourceGroup in $listResourceGroups){
            $rgIAM = Get-AzRoleAssignment -ResourceGroupName $resourceGroup.ResourceGroupName
            foreach($ra in $rgIAM){ $listIAM.Add($ra) | Out-Null }

            # Navigate into resources (pass the name, not the whole object)
            $listResources = Get-AzResource -ResourceGroupName $resourceGroup.ResourceGroupName
            foreach($resource in $listResources){
                $rIAM = Get-AzRoleAssignment -Scope $resource.ResourceId
                foreach($ra in $rIAM){ $listIAM.Add($ra) | Out-Null }
            }
        }
    }
    # Note: each scope query also returns assignments inherited from parent scopes,
    # so $listIAM will contain duplicates; deduplicate on RoleAssignmentId when reporting.
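As an added example that is not part of the answer above: the same walk done with one Get-AzRoleAssignment call per subscription (with no -Scope it returns every assignment visible there, including inherited and resource-level ones), deduplicated on RoleAssignmentId, and written to a per-principal CSV. It assumes the Az.Accounts and Az.Resources modules and an output path of .\rbac-report.csv; the CSV column names are my own choice.

```powershell
# Added example, not the answerer's code. Assumes Az.Accounts + Az.Resources are installed.
$OutFile = '.\rbac-report.csv'   # assumed output path

Connect-AzAccount | Out-Null

$rows = [System.Collections.Generic.List[object]]::new()
$seen = @{}   # RoleAssignmentId -> $true; assignments inherited from a management group
              # show up again in every subscription under it, so keep each one once

foreach ($sub in Get-AzSubscription) {
    if ($sub.State -ne 'Enabled') { continue }
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # No -Scope: returns assignments at management-group (inherited), subscription,
    # resource-group and resource scopes, so there is no need to walk RGs and resources.
    foreach ($ra in Get-AzRoleAssignment) {
        if ($seen.ContainsKey($ra.RoleAssignmentId)) { continue }
        $seen[$ra.RoleAssignmentId] = $true

        $rows.Add([pscustomobject]@{
            Subscription  = $sub.Name
            PrincipalName = $ra.DisplayName
            SignInName    = $ra.SignInName        # empty for groups and service principals
            ObjectId      = $ra.ObjectId
            ObjectType    = $ra.ObjectType        # User, Group, ServicePrincipal or Unknown
            Role          = $ra.RoleDefinitionName
            Scope         = $ra.Scope
        })
    }
}

$rows | Sort-Object PrincipalName, Subscription, Scope |
    Export-Csv -Path $OutFile -NoTypeInformation

# Two things worth reading before the report goes out:
# ObjectType 'Unknown' means the principal was deleted but its assignment was left behind;
# direct Owner assignments to individual users are the ones that usually need justification.
$orphaned = @($rows | Where-Object { $_.ObjectType -eq 'Unknown' })
$owners   = @($rows | Where-Object { $_.Role -eq 'Owner' -and $_.ObjectType -eq 'User' })
Write-Host ("{0} assignments written to {1}; {2} orphaned; {3} direct user Owner assignments" -f `
    $rows.Count, $OutFile, $orphaned.Count, $owners.Count)
```

The report shows direct assignments only: access a user gets through a group appears under the group's row, so expand group members (Get-AzADGroupMember) if you need effective per-user access, and Azure AD directory roles are a separate list (see the second answer).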

CodePudding user response:

You can do this in either PowerShell or the Graph API. Both methods are in preview (the Graph API calls are under the beta branch).

    #Get the user
    $userId = (Get-AzureADUser -Filter "userPrincipalName eq '[email protected]'").ObjectId

    #Get direct role assignments to the user
    $directRoles = (Get-AzureADMSRoleAssignment -Filter "principalId eq '$userId'").RoleDefinitionId

Prerequisites

  • AzureADPreview module when using PowerShell
  • Microsoft.Graph module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

https://docs.microsoft.com/en-us/azure/active-directory/roles/list-role-assignments-users
