Hi @Alvin Leung ,
Thanks for your post!
I haven't been able to test this yet but I believe you should be able to use the PIM ARM API to get the role assignments for the child resources at the Management Group level when you call the API without passing "$filter=atScope()". You would remove the entire filter and use the request documented here. According to the documentation the call would look something like this:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01
(With {scope} replaced with providers/Microsoft.Management/managementGroups/{mg-name})
I've reached out to the product team to confirm though since I don't have a lab yet where I can test whether it works.
To get a list of all children of a resource on which you have eligible access you can also use the Eligible Child Resources API and filter at the management group level scope.
GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{mg-name}/providers/Microsoft.Authorization/eligibleChildResources?api-version=2020-10-01&$filter={filter}
(Replacing {filter} with the condition that you want to apply to filter the role assignment list)
I'll get back to you with the response from the product team but in the meantime you can test the examples and see if they give you the results you need.
-
If the information helped you, please Accept the answer. This will help us and other community members as well.
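The two requests described in the answer above, worked through as a small audit script. This is an added example, not code from the thread, the product team, or Microsoft's documentation: it builds the management-group-scoped URLs for the roleAssignmentScheduleInstances and eligibleChildResources collections (with and without a $filter), walks ARM's standard nextLink pagination, and reduces each schedule instance to principal, role definition and scope so the result can be diffed against an expected baseline. The bearer token is assumed to be obtained elsewhere (for example from the Azure CLI), the sample response pages are constructed and do not represent real API output, and the property names principalId, roleDefinitionId and scope are read from the instance's properties object.

```python
"""List PIM role assignment schedule instances under a management group,
following ARM nextLink pagination. Added example; not from the Q&A answer."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"  # api-version quoted in the answer


def mg_scope(mg_name: str) -> str:
    """Scope string for a management group, written as in the answer (no leading slash)."""
    return f"providers/Microsoft.Management/managementGroups/{mg_name}"


def _build_url(scope: str, collection: str, filter_expr: Optional[str]) -> str:
    """{ARM}/{scope}/providers/Microsoft.Authorization/{collection}?api-version=...[&$filter=...]"""
    url = f"{ARM}/{scope}/providers/Microsoft.Authorization/{collection}?api-version={API_VERSION}"
    if filter_expr:
        # Encode the OData expression; '(' and ')' become %28 and %29.
        url += "&$filter=" + quote(filter_expr, safe="")
    return url


def schedule_instances_url(scope: str, filter_expr: Optional[str] = None) -> str:
    """Leave filter_expr as None to drop the atScope() filter, which is the point of the answer."""
    return _build_url(scope, "roleAssignmentScheduleInstances", filter_expr)


def eligible_child_resources_url(scope: str, filter_expr: Optional[str] = None) -> str:
    return _build_url(scope, "eligibleChildResources", filter_expr)


def iterate_pages(url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every item of an ARM list response, following nextLink until it is absent."""
    seen = set()
    while url:
        if url in seen:  # a repeated nextLink must never turn into an infinite loop
            raise RuntimeError(f"nextLink cycle at {url}")
        seen.add(url)
        page = fetch(url)
        for item in page.get("value", []):
            yield item
        url = page.get("nextLink")


def collect_assignments(scope: str, fetch: Callable[[str], dict],
                        filter_expr: Optional[str] = None) -> List[Dict[str, Optional[str]]]:
    """Flatten schedule instances to the three fields an access review cares about."""
    rows = []
    for item in iterate_pages(schedule_instances_url(scope, filter_expr), fetch):
        props = item.get("properties", {})
        rows.append({"principalId": props.get("principalId"),
                     "roleDefinitionId": props.get("roleDefinitionId"),
                     "scope": props.get("scope")})
    return rows


def arm_fetch(bearer_token: str) -> Callable[[str], dict]:
    """Real fetcher; assumes a token obtained elsewhere (e.g. `az account get-access-token`)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed sample pages (not real API output) so the example runs offline.
_PAGE1_URL = schedule_instances_url(mg_scope("contoso-mg"))
_PAGE2_URL = f"{ARM}/constructed-next-link-page-2"
_SAMPLE_PAGES = {
    _PAGE1_URL: {"value": [
        {"properties": {"principalId": "aaaa-1", "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/role-owner",
                        "scope": "/providers/Microsoft.Management/managementGroups/contoso-mg"}},
        {"properties": {"principalId": "bbbb-2", "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/role-reader",
                        "scope": "/subscriptions/sub-1"}},
    ], "nextLink": _PAGE2_URL},
    _PAGE2_URL: {"value": [
        {"properties": {"principalId": "cccc-3", "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/role-contributor",
                        "scope": "/subscriptions/sub-1/resourceGroups/rg-app"}},
    ]},
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for arm_fetch: serves the constructed pages above."""
    return _SAMPLE_PAGES[url]


if __name__ == "__main__":
    for row in collect_assignments(mg_scope("contoso-mg"), sample_fetch):
        print(row)
    print(eligible_child_resources_url(mg_scope("contoso-mg"), "resourceType eq 'subscription'"))
```

To run it against a tenant, swap `sample_fetch` for `arm_fetch(token)` and keep `filter_expr` at None for the first call; the rows that come back with a scope below the management group are the child-resource assignments the original question asks about.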