Display Name and Sign-In-Name are empty

Seenuvasan, Venkatanathan 56 Reputation points
2022-07-22T15:31:57.323+00:00

I am working on Azure Automation and the runbook type is PowerShell. The requirement is to get the list of role assignments at the subscription or resource group level. The output should include RoleDefinitionName, Scope, DisplayName, SignInName, etc.

I use the below code in PowerShell:

    # Sign in as the Automation account's system-assigned managed identity
    Connect-AzAccount -Identity
    $R = Get-AzContext
    Get-AzRoleAssignment

Note: I am connecting to the Azure account through the system-assigned managed identity of Azure Automation, and this identity has the below level of access. PFB screenshot.

223780-image.png

I am getting results when I run the above code, but the DisplayName and SignInName details are empty. PFB screenshot. These are the required ones to see the user's information. Could you please help me with it? Is there any special permission required to access the user's data from Active Directory?

223828-image.png

Azure Automation

1 answer

  1. AnuragSingh-MSFT 20,431 Reputation points
    2022-07-31T11:58:32.683+00:00

    @Seenuvasan, Venkatanathan , thank you for providing additional information regarding this question earlier.

    To summarize, you have an Azure Automation account with a system-assigned identity enabled and some roles assigned at the subscription level, as shown in the question. When running a PowerShell runbook with Get-AzRoleAssignment, you are unable to get any DisplayName or SignInName in the output for the role assignments.

    Note that, apart from the role assignments at the subscription level, you also need to assign the Directory Readers role to this identity in Azure Active Directory to allow it to read basic directory information. To do so, follow the steps below:

    1. In the Azure Portal, search for "Azure Active Directory" --> Roles and administrators
    2. Search for the "Directory readers" role --> "+ Add assignments" --> search for the Azure Automation account name and assign.

    Also, for your reference, here is the script used to test this scenario, with relevant comments:

    # Ensures you do not inherit an AzContext in your runbook
    Disable-AzContextAutosave -Scope Process

    # Connect to Azure with the system-assigned managed identity
    $AzureContext = (Connect-AzAccount -Identity).Context

    # Set and store the context for the subscription the identity is scoped to
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

    # List every role assignment in the subscription (DisplayName/SignInName are
    # filled in only if the identity can read directory objects)
    $roleAssignments = Get-AzRoleAssignment
    Write-Output "total count: $($roleAssignments.Count)"

    foreach ($roleAssignment in $roleAssignments)
    {
        Write-Output $roleAssignment
        Write-Output "----------------------------------------"
    }
    

    Please let me know if you have any questions.

    ---
    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
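The following runbook is an added example, not code from the question or the answer above. It builds on the accepted answer: after the managed identity has been given the Directory Readers role, it lists role assignments at subscription or resource group scope, projects exactly the columns the question asks for (RoleDefinitionName, Scope, DisplayName, SignInName), and counts principals that could not be resolved, which is the symptom the question describes. The `ResourceGroupName` parameter and the warning text are this example's own choices; everything else uses standard Az.Accounts / Az.Resources cmdlets.

```powershell
# Added example (not part of the original Q&A). Requires the Az.Accounts and
# Az.Resources modules in the Automation account, and the Directory Readers
# role on the system-assigned managed identity (see the answer above).

param(
    # Hypothetical parameter: limit the report to one resource group.
    # Leave empty to report the whole subscription in context.
    [string] $ResourceGroupName
)

# Ensure the runbook does not inherit a cached context
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the Automation account's system-assigned managed identity
$ctx = (Connect-AzAccount -Identity).Context
$ctx = Set-AzContext -SubscriptionName $ctx.Subscription -DefaultProfile $ctx

# Fetch assignments at the requested scope
if ($ResourceGroupName) {
    $assignments = @(Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName -DefaultProfile $ctx)
} else {
    $assignments = @(Get-AzRoleAssignment -DefaultProfile $ctx)
}

# Project the columns the question asks for. ObjectType and ObjectId are kept
# so that unresolved principals can still be traced back by object id.
$report = $assignments | ForEach-Object {
    [pscustomobject]@{
        RoleDefinitionName = $_.RoleDefinitionName
        Scope              = $_.Scope
        ObjectType         = $_.ObjectType
        ObjectId           = $_.ObjectId
        DisplayName        = $_.DisplayName
        SignInName         = $_.SignInName
    }
}

# SignInName is legitimately empty for groups and service principals, so an
# empty DisplayName is the reliable sign that the directory lookup failed.
$unresolved = @($report | Where-Object { [string]::IsNullOrEmpty($_.DisplayName) })

Write-Output "Total role assignments: $($report.Count)"
Write-Output "Assignments whose principal could not be resolved: $($unresolved.Count)"

# If every principal is unresolved, the identity can read Azure RBAC but not
# the directory: that is exactly the situation the question describes.
if ($report.Count -gt 0 -and $unresolved.Count -eq $report.Count) {
    Write-Warning ("No principal could be resolved. Grant the managed identity " +
                   "the Directory Readers role in Azure Active Directory and re-run.")
}

# Emit the report as a table; Out-String keeps the columns readable in job output
$report |
    Sort-Object Scope, RoleDefinitionName |
    Format-Table RoleDefinitionName, Scope, ObjectType, DisplayName, SignInName -AutoSize |
    Out-String -Width 200 |
    Write-Output
```

Two practical notes. First, do not treat an empty SignInName alone as a failure: groups and service principals never have one, so the check above keys on DisplayName. Second, Directory Readers is a tenant-wide directory role, so once it is assigned the runbook can enumerate every user, group and service principal in the tenant; treat the Automation account as a privileged identity and keep its runbooks and publishing rights locked down accordingly.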