Export role assignments for all Azure subscriptions

By Morten Pedholt | July 20, 2021

Microsoft has made it straightforward to get an overview of Azure role assignments for a single subscription: there is a Download role assignments button in the Azure portal under Subscriptions, on the Access control (IAM) blade.
When I work with customers that have many subscriptions, I like to get an overview of all of them at once. Therefore I use PowerShell to export the role assignments for every subscription in the tenant in one run.

Script parameters

There are 2 parameters in the script, $OutputPath and $SelectCurrentSubscription.
Neither of them is mandatory.

$OutputPath: If defined, a CSV file will be exported to the chosen folder.
Example: .\Export-RoleAssignments.ps1 -OutputPath C:\temp

$SelectCurrentSubscription: Only export role assignments from the subscription that is currently selected. Without it, the script runs through every subscription in the tenant of the current context.
Example: .\Export-RoleAssignments.ps1 -SelectCurrentSubscription

Run Get-AzContext to view which subscription is selected. You need to be signed in with Connect-AzAccount first, and the export only contains what the signed-in identity is allowed to read (Microsoft.Authorization/roleAssignments/read on each subscription).

Script Output

Besides getting an overview of the role assignments in each subscription, I also like to know whether a role is a custom or a built-in role. For every assignment the script looks up the role definition with Get-AzRoleDefinition and records its IsCustom value in the CustomRole column (True or False). Two things to keep in mind when reading the output: Get-AzRoleAssignment also returns assignments inherited from management groups and the tenant root scope, and assignments whose principal has since been deleted show up with ObjectType Unknown and an empty DisplayName. Both are worth a second look.

Output Example in Powershell Console

Output Example to CSV File

The PowerShell Script

The PowerShell script is also available on my GitHub account.
Go there for the latest updates (the script in this article will not be kept in sync with the GitHub version).

#Parameters
Param (
    [Parameter(Mandatory=$false)]
    [string]$OutputPath = '',
    [Parameter(Mandatory=$false)]
    [Switch]$SelectCurrentSubscription
)

#Get Current Context (requires Connect-AzAccount to have been run first)
$CurrentContext = Get-AzContext
if (-not $CurrentContext) {
    throw "No Azure context found. Run Connect-AzAccount first."
}

#Get Azure Subscriptions
if ($SelectCurrentSubscription) {
  #Only the currently selected subscription
  Write-Verbose "Only running for selected subscription $($CurrentContext.Subscription.Name)" -Verbose
  $Subscriptions = Get-AzSubscription -SubscriptionId $CurrentContext.Subscription.Id -TenantId $CurrentContext.Tenant.Id
}else {
  Write-Verbose "Running for all subscriptions in tenant" -Verbose
  $Subscriptions = Get-AzSubscription -TenantId $CurrentContext.Tenant.Id
}

#Cache role definitions by name so the Custom/Built-in check costs one API call per role, not one per assignment
$RoleDefinitionCache = @{}

#Get role assignments in foreach loop
$Report = @()

foreach ($Subscription in $Subscriptions) {
    #Choose subscription
    Write-Verbose "Changing to Subscription $($Subscription.Name)" -Verbose
    $Context = Set-AzContext -TenantId $Subscription.TenantId -SubscriptionId $Subscription.Id -Force
    $SubscriptionName = $Context.Subscription.Name
    $SubscriptionID   = $Context.Subscription.Id

    #Getting information about Role Assignments for the chosen subscription
    Write-Verbose "Getting information about Role Assignments..." -Verbose
    try {
        $roles = Get-AzRoleAssignment -ErrorAction Stop
    }
    catch {
        #One subscription that cannot be read should not abort the export of all the others
        Write-Warning "Skipping subscription $SubscriptionName ($SubscriptionID): $($_.Exception.Message)"
        continue
    }

    foreach ($role in $roles){
        #Check for Custom Role (IsCustom on the role definition)
        if (-not $RoleDefinitionCache.ContainsKey($role.RoleDefinitionName)) {
            $RoleDefinitionCache[$role.RoleDefinitionName] = (Get-AzRoleDefinition -Name $role.RoleDefinitionName).IsCustom
        }
        $CustomRole = $RoleDefinitionCache[$role.RoleDefinitionName]

        #New PSObject, one row per assignment
        $obj = New-Object -TypeName PSObject
        $obj | Add-Member -MemberType NoteProperty -Name SubscriptionName -Value $SubscriptionName
        $obj | Add-Member -MemberType NoteProperty -Name SubscriptionID -Value $SubscriptionID
        $obj | Add-Member -MemberType NoteProperty -Name DisplayName -Value $role.DisplayName
        $obj | Add-Member -MemberType NoteProperty -Name SignInName -Value $role.SignInName
        $obj | Add-Member -MemberType NoteProperty -Name ObjectType -Value $role.ObjectType
        $obj | Add-Member -MemberType NoteProperty -Name RoleDefinitionName -Value $role.RoleDefinitionName
        $obj | Add-Member -MemberType NoteProperty -Name CustomRole -Value $CustomRole
        $obj | Add-Member -MemberType NoteProperty -Name AssignmentScope -Value $role.Scope

        $Report += $obj
    }
}

if ($OutputPath) {
  #Export to CSV file (-NoTypeInformation keeps the #TYPE header out of the file in Windows PowerShell 5.1)
  $CsvFile = Join-Path $OutputPath "RoleExport-$(Get-Date -Format 'yyyy-MM-dd').csv"
  Write-Verbose "Exporting CSV file to $CsvFile" -Verbose
  $Report | Export-Csv -Path $CsvFile -NoTypeInformation
}else {
  $Report
}
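Once the CSV exists, the next question is which rows deserve attention. The following is an added example, not part of the original script or the GitHub version: it reads an export in the column layout the script produces and flags orphaned assignments (ObjectType Unknown), high-privilege built-in roles (Owner, Contributor, User Access Administrator) at subscription scope or inherited from above it, custom roles, and service principals holding one of those roles. The subscription IDs, principal names and the Custom Ops Role below are constructed sample data; the set of roles treated as high-privilege is my assumption and should be adjusted to your own policy.

```powershell
# Added example: review a RoleExport CSV from Export-RoleAssignments.ps1 and
# flag the assignments worth a second look. Not part of the original script.

# Constructed sample rows in the same column layout the script exports.
$sampleCsv = @'
SubscriptionName,SubscriptionID,DisplayName,SignInName,ObjectType,RoleDefinitionName,CustomRole,AssignmentScope
Prod,11111111-1111-1111-1111-111111111111,Alice Admin,alice@contoso.com,User,Owner,False,/subscriptions/11111111-1111-1111-1111-111111111111
Prod,11111111-1111-1111-1111-111111111111,Build Pipeline,,ServicePrincipal,Contributor,False,/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app
Prod,11111111-1111-1111-1111-111111111111,,,Unknown,Contributor,False,/subscriptions/11111111-1111-1111-1111-111111111111
Prod,11111111-1111-1111-1111-111111111111,Platform Team,,Group,User Access Administrator,False,/providers/Microsoft.Management/managementGroups/contoso-root
Dev,22222222-2222-2222-2222-222222222222,Ops Automation,,ServicePrincipal,Custom Ops Role,True,/subscriptions/22222222-2222-2222-2222-222222222222
'@

$assignments = $sampleCsv | ConvertFrom-Csv
# For a real export use: $assignments = Import-Csv C:\temp\RoleExport-2021-07-20.csv

# Assumed policy: built-in roles that grant full control or the right to grant rights to others.
$HighPrivilegeRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-RoleAssignmentFindings {
    param([Parameter(Mandatory)] [object[]]$Assignments)

    foreach ($a in $Assignments) {
        $findings = [System.Collections.Generic.List[string]]::new()
        $subScope = "/subscriptions/$($a.SubscriptionID)"

        # 1. Orphaned assignment: the principal was deleted but the assignment remains.
        #    Get-AzRoleAssignment reports these with ObjectType 'Unknown' and no DisplayName.
        if ($a.ObjectType -eq 'Unknown') { $findings.Add('OrphanedPrincipal') }

        # 2. High-privilege role at subscription scope or above it (inherited).
        $atOrAboveSub = ($a.AssignmentScope -eq $subScope) -or ($a.AssignmentScope -notlike "$subScope/*")
        if (($HighPrivilegeRoles -contains $a.RoleDefinitionName) -and $atOrAboveSub) {
            $findings.Add('HighPrivilegeAtSubscriptionOrAbove')
        }

        # 3. Inherited from a management group or the tenant root: not visible as a direct
        #    assignment on the subscription, so it is easy to miss in a manual review.
        if ($a.AssignmentScope -notlike "$subScope*") { $findings.Add('InheritedFromAbove') }

        # 4. Custom roles need their Actions/NotActions reviewed; the export does not carry them.
        if ($a.CustomRole -eq 'True') { $findings.Add('CustomRole') }

        # 5. Non-human identity with a high-privilege role: a leaked secret or certificate
        #    is a direct path to that role.
        if ($a.ObjectType -eq 'ServicePrincipal' -and ($HighPrivilegeRoles -contains $a.RoleDefinitionName)) {
            $findings.Add('PrivilegedServicePrincipal')
        }

        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                Subscription = $a.SubscriptionName
                Principal    = if ($a.DisplayName) { $a.DisplayName } else { '<deleted>' }
                ObjectType   = $a.ObjectType
                Role         = $a.RoleDefinitionName
                Scope        = $a.AssignmentScope
                Findings     = ($findings -join ';')
            }
        }
    }
}

Get-RoleAssignmentFindings -Assignments $assignments | Format-Table -AutoSize
```

With the sample rows, the Build Pipeline assignment is flagged only as a privileged service principal because it sits at resource group scope, while the Platform Team row is flagged both as high-privilege and as inherited, since its scope is a management group rather than the subscription.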

3 thoughts on “Export role assignments for all Azure subscriptions”

  1. Reda Brik

    Can you edit the script that when roles assigned to groups the group members are also exported in that csv?

    Thanks 🙂

  2. Erez

    getting the following error on azuread part:

    PS C:\scripts> .\azure.ps1 -OutPutPath C:\temp
    VERBOSE: Running for all subscriptions in tenant
    VERBOSE: Changing to Subscription Access to Azure Active Directory
    VERBOSE: Getting information about Role Assignments…
    WARNING: We have migrated the API calls for this cmdlet from Azure Active Directory Graph to Microsoft Graph.
    Visit https://go.microsoft.com/fwlink/?linkid=2181475 for any permission issues.
    Get-AzRoleAssignment : Operation returned an invalid status code ‘BadRequest’
    At C:\scripts\azure.ps1:39 char:14
    + $roles = Get-AzRoleAssignment | Select-Object RoleDefinitionName, …
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], ErrorResponseException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand

    1. Morten Pedholt (Post author)

      Hi Erez,

      You have to edit the script for it to work again.
      You will have to change the API call to Microsoft Graph.
      Maybe I will do it at some point.
