How to get PIM role assignments for children resources of a subscription via PowerShell in Azure?

Johnathan Welker 81 Reputation points
2022-09-20T15:43:40.907+00:00

I'm having a hard time pulling PIM assignments for every child resource within a subscription in Azure via PowerShell.

I'm currently using Get-AzureADMSPrivilegedRoleAssignment from the AzureADPreview module, like below:

$allRolesSingleSubAssignment = Get-AzureADMSPrivilegedRoleAssignment -ProviderId AzureResources -ResourceId $sub.Id

This is returning everything at the provided -ResourceId level, which in my case is a subscription. However, I'm trying to return the PIM assignments for everything that is a child resource of that sub as well, exactly how it allows you to do in the portal, as in the screenshot below.

[Screenshot: 243063-ipsnh.png]

Whereas currently the command I shared above is providing only the first option "Export members only in this subscription". I'm a bit at a loss here and am wondering if it's not available via PowerShell? I'd prefer to be able to pull this via PowerShell if possible, but would appreciate any suggestions direct from the Graph side as well.

I did look at what API was being hit for when you hit the "Export All Members" button through the browser Dev tools. Looks like it's the below, but I'm not familiar with this API (https://api.azrbac.mspim.azure.com) or if I can leverage that:
[Screenshot: 243111-image.png]

Any tips or suggestions would be much appreciated, thank you!


Accepted answer
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2022-09-22T19:02:29.167+00:00

Hi @Johnathan Welker ,

I just got confirmation that there is no PowerShell script to export all child resource level assignments. However, you can use the PIM ARM API to get the role assignments at child resources when you call the API without passing "$filter=atScope()". You would just remove the entire filter and could use a call like this:

    GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01

(For role assignments that are active at the current time)

OR

    GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01

(Also includes assignments that will become active in the future)

[Screenshot: 243918-image.png]

For more details, you can refer to the documentation here: https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-assignment-rest-sample

If the information helped you, please Accept the answer. This will help us and other community members as well.

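The accepted answer gives the raw REST call; the script below is an added PowerShell example (not the answerer's code and not a Microsoft sample) that makes the same call from the Az.Accounts module with Invoke-AzRestMethod, follows the nextLink paging, and tags each instance with the scope level it sits at, which is how you can see that omitting $filter=atScope() really returns resource-group and resource-level assignments below the subscription. The subscription id, the CSV path and the property names read from each item (scope, principalType, assignmentType, memberType, expandedProperties) are assumptions taken from the REST documentation the answer links to; the caller needs read access to role assignment schedule instances at the subscription (the Reader role is enough) and an existing Connect-AzAccount session.

```powershell
# Added example: export PIM role assignment schedule instances for a subscription
# and all of its child scopes using the ARM endpoint from the accepted answer.
# Assumes Az.Accounts is installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)]
    [string]$SubscriptionId,                                   # assumption: caller supplies the id
    [string]$OutCsv = ".\pim-assignments-$SubscriptionId.csv"  # assumption: output location
)

function Get-PimAssignmentScheduleInstances {
    param([string]$SubscriptionId)

    # No "$filter=atScope()" here on purpose: with that filter the service returns
    # only assignments made at the subscription itself; without it the listing
    # also covers resource groups and individual resources under the subscription.
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"
    $items = @()
    $response = Invoke-AzRestMethod -Method GET -Path $path
    while ($true) {
        if ($response.StatusCode -ne 200) {
            throw "ARM call failed with HTTP $($response.StatusCode): $($response.Content)"
        }
        $page = $response.Content | ConvertFrom-Json
        $items += $page.value
        # Large subscriptions are paged; keep following nextLink until it is absent.
        if (-not $page.nextLink) { break }
        $response = Invoke-AzRestMethod -Method GET -Uri $page.nextLink
    }
    return $items
}

$instances = Get-PimAssignmentScheduleInstances -SubscriptionId $SubscriptionId
$subScope  = "/subscriptions/$SubscriptionId"

$rows = foreach ($i in $instances) {
    $p = $i.properties   # assumption: property names per the linked REST reference
    $level = if ($p.scope -eq $subScope) { 'Subscription' }
             elseif ($p.scope -like "$subScope/resourceGroups/*/providers/*") { 'Resource' }
             elseif ($p.scope -like "$subScope/resourceGroups/*") { 'ResourceGroup' }
             else { 'AboveSubscription' }   # e.g. inherited from a management group
    [pscustomobject]@{
        ScopeLevel     = $level
        Scope          = $p.scope
        Role           = $p.expandedProperties.roleDefinition.displayName
        Principal      = $p.expandedProperties.principal.displayName
        PrincipalType  = $p.principalType
        AssignmentType = $p.assignmentType   # 'Assigned' (permanent) or 'Activated' (PIM activation)
        MemberType     = $p.memberType       # 'Direct', 'Group' or 'Inherited'
        Start          = $p.startDateTime
        End            = $p.endDateTime
    }
}

$rows | Sort-Object Scope, Role | Export-Csv -Path $OutCsv -NoTypeInformation
# Quick breakdown so you can confirm child-scope assignments were actually returned.
$rows | Group-Object ScopeLevel | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Exported $($rows.Count) assignment instances to $OutCsv"
```

Run it as `.\Export-PimAssignments.ps1 -SubscriptionId <your-subscription-id>` (file name is your choice). Rows with ScopeLevel of ResourceGroup or Resource are the child-resource assignments the AzureADPreview cmdlet in the question could not return; an AssignmentType of Activated marks a time-bound PIM activation rather than a standing assignment, which is the set a reviewer usually wants to reconcile against approval records.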
