1
votes

I have an Azure environment with multiple subscriptions and resources. My requirement is to have a functionality where, if I pass a user name or SPN name, it gives me all Azure resources (from management group to Azure resource) where that user/SPN has access and what access it is (Reader, Data Reader, etc.).

Major catch is - I want PIM role assignments too. Is there a way to get it?

Options explored

  1. https://docs.microsoft.com/en-us/rest/api/authorization/role-assignments, but this gives role assignments per scope. I want per user/SPN.
  2. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal, but it does not cover PIM assignments and gives assignments per subscription only.
  3. Azure Resource Graph Explorer. This does not cover role assignments at all.

Apart from iterating through 50 subscriptions, fetching role assignments per scope and then comparing object id, is there any better way?

1
Please edit your question and include what you have tried so far and the issues you're running into. - Gaurav Mantri
That is the catch, I cannot find anything. The API for RBAC (docs.microsoft.com/en-us/rest/api/authorization/…) fetches role assignments per scope. I want per user. Apart from iterating through all the subscriptions and their resources and then matching the user/SPN object id, I am at a loss. Iterating through such huge data and then comparing object ids does not seem to be a good solution either. Hence the query. - codegal
Also tried this docs.microsoft.com/en-us/azure/role-based-access-control/… but sadly it does not give PIM assignments, and then there is no GA API for PIM. - codegal
Thanks. Please edit your question and include this information there only. - Gaurav Mantri
Updated the question. - codegal

1 Answer

0
votes

You can use the PowerShell script below to get the role assignments for a service principal name in multiple subscriptions.

Connect-AzAccount
$tenantID = "yourTenantID"
$spn = "serviceprincipalname"

# Resolve the principal to its object id. Get-AzADUser only resolves users;
# for an actual service principal use Get-AzADServicePrincipal instead.
$user = Get-AzADUser -UserPrincipalName $spn
if (-not $user) {
    $user = Get-AzADServicePrincipal -DisplayName $spn
}

$subscriptions = Get-AzSubscription -TenantId $tenantID
foreach ($subscription in $subscriptions) {
    # Switch the context so Get-AzRoleAssignment queries this subscription
    $set = Set-AzContext -Subscription $subscription.Id
    $set
    # Assignments at, above and below the subscription scope for this principal
    $roleassignment = Get-AzRoleAssignment -ObjectId $user.Id
    $roleassignment
}

Output: (the answer's screenshot of the per-subscription role assignment listing is not reproduced here)

Reference:

Install the Azure Az PowerShell module | Microsoft Docs
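The question also asks for management-group scopes and PIM (eligible) assignments, which the answer's script does not cover. The following is an added example, not the answerer's code, that walks every management group and subscription in the tenant and collects both active RBAC assignments (Get-AzRoleAssignment) and PIM-eligible ones (Get-AzRoleEligibilitySchedule from Az.Resources) into one de-duplicated table. `$tenantId` and `$principalName` are placeholders you fill in; the `principalId eq '...'` filter follows the REST API's `$filter` syntax and is assumed to be accepted by the cmdlet as written, so verify it against your Az.Resources version.

```powershell
# Added example: all active and PIM-eligible role assignments for one principal,
# from management groups down to resources. Requires Az.Accounts and Az.Resources.
$tenantId      = "<tenant-id-placeholder>"        # assumed placeholder
$principalName = "<upn-or-spn-display-name>"      # assumed placeholder

Connect-AzAccount -Tenant $tenantId | Out-Null

# Resolve to an object id: try a user UPN first, then a service principal display name.
$principal = Get-AzADUser -UserPrincipalName $principalName
if (-not $principal) { $principal = Get-AzADServicePrincipal -DisplayName $principalName }
if (-not $principal) { throw "Principal '$principalName' not found in tenant $tenantId" }
$objectId = $principal.Id

# Scopes to scan: every management group plus every subscription in the tenant.
$scopes = @()
$scopes += Get-AzManagementGroup | ForEach-Object { $_.Id }
$scopes += Get-AzSubscription -TenantId $tenantId | ForEach-Object { "/subscriptions/$($_.Id)" }

# Get-AzRoleAssignment returns inherited assignments too, so the same assignment
# shows up from several scopes; a composite key removes the duplicates.
$seen    = [System.Collections.Generic.HashSet[string]]::new()
$results = [System.Collections.Generic.List[object]]::new()

foreach ($scope in $scopes) {
    if ($scope -like "/subscriptions/*") {
        # Role cmdlets default to the current subscription, so move the context there.
        Set-AzContext -Subscription ($scope -replace "^/subscriptions/", "") | Out-Null
    }

    # Active RBAC assignments at, above and below this scope for the principal.
    foreach ($a in (Get-AzRoleAssignment -ObjectId $objectId -Scope $scope)) {
        if ($seen.Add("Active|$($a.Scope)|$($a.RoleDefinitionName)")) {
            $results.Add([pscustomobject]@{
                Kind = "Active"; Scope = $a.Scope
                Role = $a.RoleDefinitionName; EndDateTime = $null
            })
        }
    }

    # PIM eligibility: assumed REST-style $filter, which returns schedules at,
    # above or below the scope for the given principal.
    $filter = "principalId eq '$objectId'"
    foreach ($e in (Get-AzRoleEligibilitySchedule -Scope $scope -Filter $filter)) {
        if ($seen.Add("Eligible|$($e.Scope)|$($e.RoleDefinitionDisplayName)")) {
            $results.Add([pscustomobject]@{
                Kind = "Eligible"; Scope = $e.Scope
                Role = $e.RoleDefinitionDisplayName; EndDateTime = $e.EndDateTime
            })
        }
    }
}

$results | Sort-Object Kind, Scope, Role | Format-Table -AutoSize
```

Group-inherited access is not included: `Get-AzRoleAssignment` only returns direct assignments unless you pass `-ExpandPrincipalGroups` (supported for user object ids), and PIM group eligibility would need the same expansion on the eligibility side. Reading role assignments across every scope requires at least `Microsoft.Authorization/roleAssignments/read` (Reader is enough) on each management group and subscription, so run this with an identity that holds Reader at the root management group.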