Microsoft has made it straightforward to get an overview of Azure role assignments for a single subscription: there is a Download role assignments button in the Azure portal under Subscriptions.
When I'm working with customers that have many subscriptions, I'd like to get an overview of all the subscriptions at once. Therefore I use PowerShell to export the role assignments for all Azure subscriptions in one run.
Script parameters
There are two parameters in the script, $OutputPath and $SelectCurrentSubscription.
Neither of them is mandatory.
$OutputPath: If defined, a CSV file will be exported to the chosen folder.
Example: .\Export-RoleAssignments.ps1 -OutputPath C:\temp
$SelectCurrentSubscription: Only exports role assignments from the subscription that is currently selected.
Example: .\Export-RoleAssignments.ps1 -SelectCurrentSubscription
Run Get-AzContext to see which subscription is selected.
Script Output
Besides getting an overview of the overall role assignments in an Azure subscription, I also like to know whether a role is a custom or a built-in role. For each assignment, the script looks up the role definition and reports CustomRole as True or False.
Output Example in PowerShell Console
Output Example to CSV File
The PowerShell Script
The PowerShell script is available on my GitHub account.
Go there for the latest updates (the script in this article will not be kept in sync with the GitHub version).
#Parameters
Param (
    [Parameter(Mandatory=$false)]
    [string]$OutputPath = '',
    [Parameter(Mandatory=$false)]
    [Switch]$SelectCurrentSubscription
)
#Get current context (requires an existing Connect-AzAccount session)
$CurrentContext = Get-AzContext
#Get Azure subscriptions
if ($SelectCurrentSubscription) {
    #Only the currently selected subscription
    Write-Verbose "Only running for selected subscription $($CurrentContext.Subscription.Name)" -Verbose
    $Subscriptions = Get-AzSubscription -SubscriptionId $CurrentContext.Subscription.Id -TenantId $CurrentContext.Tenant.Id
} else {
    Write-Verbose "Running for all subscriptions in tenant" -Verbose
    $Subscriptions = Get-AzSubscription -TenantId $CurrentContext.Tenant.Id
}
#Collect role assignments for each subscription
$Report = @()
foreach ($Subscription in $Subscriptions) {
    #Choose subscription
    Write-Verbose "Changing to Subscription $($Subscription.Name)" -Verbose
    $Context = Set-AzContext -TenantId $Subscription.TenantId -SubscriptionId $Subscription.Id -Force
    $Name = $Subscription.Name
    $TenantId = $Subscription.TenantId
    $SubId = $Subscription.SubscriptionId
    #Getting information about role assignments for the chosen subscription
    Write-Verbose "Getting information about Role Assignments..." -Verbose
    $roles = Get-AzRoleAssignment | Select-Object RoleDefinitionName,DisplayName,SignInName,ObjectId,ObjectType,Scope,
        @{name="TenantId";expression = {$TenantId}},@{name="SubscriptionName";expression = {$Name}},@{name="SubscriptionId";expression = {$SubId}}
    foreach ($role in $roles) {
        #Assignment properties
        $DisplayName = $role.DisplayName
        $SignInName = $role.SignInName
        $ObjectType = $role.ObjectType
        $RoleDefinitionName = $role.RoleDefinitionName
        $AssignmentScope = $role.Scope
        $SubscriptionName = $Context.Subscription.Name
        $SubscriptionID = $Context.Subscription.SubscriptionId
        #Check for custom role: IsCustom is True for roles defined in the tenant, False for built-in roles
        $CheckForCustomRole = Get-AzRoleDefinition -Name $RoleDefinitionName
        $CustomRole = $CheckForCustomRole.IsCustom
        #New PSObject
        $obj = New-Object -TypeName PSObject
        $obj | Add-Member -MemberType NoteProperty -Name SubscriptionName -Value $SubscriptionName
        $obj | Add-Member -MemberType NoteProperty -Name SubscriptionID -Value $SubscriptionID
        $obj | Add-Member -MemberType NoteProperty -Name DisplayName -Value $DisplayName
        $obj | Add-Member -MemberType NoteProperty -Name SignInName -Value $SignInName
        $obj | Add-Member -MemberType NoteProperty -Name ObjectType -Value $ObjectType
        $obj | Add-Member -MemberType NoteProperty -Name RoleDefinitionName -Value $RoleDefinitionName
        $obj | Add-Member -MemberType NoteProperty -Name CustomRole -Value $CustomRole
        $obj | Add-Member -MemberType NoteProperty -Name AssignmentScope -Value $AssignmentScope
        $Report += $obj
    }
}
if ($OutputPath) {
    #Export to CSV file (quoted path so folders with spaces work; -NoTypeInformation drops the #TYPE header line)
    Write-Verbose "Exporting CSV file to $OutputPath" -Verbose
    $Report | Export-Csv "$OutputPath\RoleExport-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
} else {
    $Report
}
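As an added example (not part of the original post or its GitHub script), here is a review pass over the CSV the script writes: it flags Owner and User Access Administrator assignments at subscription scope, assignments whose principal no longer exists (Get-AzRoleAssignment reports these with ObjectType Unknown), custom roles, and group assignments whose effective members are not visible in the export. The column names follow the script's output; the sample rows and subscription ids are constructed, and the Import-Csv path is a placeholder.

```powershell
# Added example: review a RoleExport CSV produced by the script above.
# The rows below are constructed to match the script's column layout.
$SampleCsv = @'
"SubscriptionName","SubscriptionID","DisplayName","SignInName","ObjectType","RoleDefinitionName","CustomRole","AssignmentScope"
"Prod","11111111-1111-1111-1111-111111111111","Alice","alice@contoso.example","User","Owner","False","/subscriptions/11111111-1111-1111-1111-111111111111"
"Prod","11111111-1111-1111-1111-111111111111","build-sp","","ServicePrincipal","Contributor","False","/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-build"
"Prod","11111111-1111-1111-1111-111111111111","","","Unknown","Reader","False","/subscriptions/11111111-1111-1111-1111-111111111111"
"Dev","22222222-2222-2222-2222-222222222222","ops-team","","Group","VM Operator (custom)","True","/subscriptions/22222222-2222-2222-2222-222222222222"
'@
$Assignments = $SampleCsv | ConvertFrom-Csv
# For a real export (placeholder path):
# $Assignments = Import-Csv 'C:\temp\RoleExport-YYYY-MM-DD.csv'

# Roles that grant control over access itself, or over everything in scope
$HighPrivilegeRoles = @('Owner', 'User Access Administrator')

function Get-RoleAssignmentFindings {
    param([Parameter(Mandatory)] [object[]] $Assignments)
    foreach ($a in $Assignments) {
        $findings = [System.Collections.Generic.List[string]]::new()
        # Subscription scope = no path segments after the subscription id
        $IsSubscriptionScope = $a.AssignmentScope -match '^/subscriptions/[^/]+/?$'
        if (($HighPrivilegeRoles -contains $a.RoleDefinitionName) -and $IsSubscriptionScope) {
            $findings.Add('HighPrivilegeAtSubscriptionScope')
        }
        # Deleted principals leave assignments behind with ObjectType "Unknown"
        if ($a.ObjectType -eq 'Unknown') { $findings.Add('OrphanedPrincipal') }
        # Custom roles should be checked against their definition (Get-AzRoleDefinition)
        if ([bool]::Parse($a.CustomRole)) { $findings.Add('CustomRole') }
        # Group assignments hide the effective members (expand with Get-AzADGroupMember)
        if ($a.ObjectType -eq 'Group') { $findings.Add('GroupAssignment') }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SubscriptionName   = $a.SubscriptionName
                Principal          = if ($a.DisplayName) { $a.DisplayName } else { '<deleted>' }
                ObjectType         = $a.ObjectType
                RoleDefinitionName = $a.RoleDefinitionName
                AssignmentScope    = $a.AssignmentScope
                Findings           = $findings -join ';'
            }
        }
    }
}

Get-RoleAssignmentFindings -Assignments $Assignments | Format-Table -AutoSize
```

On the constructed rows this lists three findings (Alice as Owner at subscription scope, the orphaned Reader assignment, and the ops-team group with a custom role); the build-sp Contributor assignment at resource-group scope is not flagged.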
Can you edit the script so that when roles are assigned to groups, the group members are also exported in that CSV?
Thanks 🙂
Getting the following error on the AzureAD part:
PS C:\scripts> .\azure.ps1 -OutPutPath C:\temp
VERBOSE: Running for all subscriptions in tenant
VERBOSE: Changing to Subscription Access to Azure Active Directory
VERBOSE: Getting information about Role Assignments…
WARNING: We have migrated the API calls for this cmdlet from Azure Active Directory Graph to Microsoft Graph.
Visit https://go.microsoft.com/fwlink/?linkid=2181475 for any permission issues.
Get-AzRoleAssignment : Operation returned an invalid status code ‘BadRequest’
At C:\scripts\azure.ps1:39 char:14
+ $roles = Get-AzRoleAssignment | Select-Object RoleDefinitionName, …
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], ErrorResponseException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
Hi Erez,
You have to edit the script for it to work again.
You will have to change the API call to Microsoft Graph.
Maybe I will do it at some point.
Did you ever get a chance to update the script to use the Microsoft Graph API? It would really be helpful for something I’m working on.
Thanks for this script. You’d think MS would have this type of exporting built into their console. Very useful and critical tool to manage tenants with tons of subscriptions. Good work!!