I'm looking for API that will provide me the list of users assigned to a subscription ?

Salil Saini 26 Reputation points
2022-11-15T08:44:34.05+00:00

I'm having multiple subscription is azure portal and in each subscription is having different user access

Scenario is :

Need to get list of users assigned/access to a subscription. But users are not directly assigned to a subscription, ad-groups are in between each subscription. Means in subscription under role-assignment(IAM) different groups with some permissions were assigned. And in last we just assign user(ad user) to a group.

I tried with this api i.e. https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01

but only get the group that were assigned to subscription.

Now, I just want to know that is there any api that can give the list of user for subscription or vice-versa.

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
716 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,533 questions
0 comments No comments
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2022-11-21T22:39:12.39+00:00

    @Salil Saini
    Thank you for your post and I apologize for the delayed response!

    I understand that you're looking for an API that can give you a list of users assigned to an Azure Subscription, specifically users with Role Assignments (IAM). However, you're running into an issue where users aren't directly assigned roles within the Subscription, but instead groups are assigned RBAC roles and users are assigned to those groups.

    When using the List Azure role assignments REST API, you're only getting the group that's assigned to the Subscription, but not the users within that group. In order to get the users within an Azure AD Group, there isn't a direct way to do this via the List Azure role assignments REST API, but as mentioned by @Bas Pruijn , you should be able to do this via a separate step.

    #The following request lists all role assignments for a specified Subscription  
    GET https://management.azure.com/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=atScope()  
      
    #Once you get all the Azure Role Assignments assigned to a Subscription, you'll need to get an Azure AD Access Token in order to list Azure AD Group members.  
    #Please keep in mind, you'll need to the correct Delegated or Application permissions. For more info, please reference the List Group Members link below.  
    https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token  
    
    #Note: You can also leverage Graph Explorer to get an Access Token or run the List Group API - https://developer.microsoft.com/en-us/graph/graph-explorer.  
      
    #Now that you have the appropriate access token, you can List group members within an Azure AD Group using the MS Graph REST API.  
    GET https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members  
    

    262719-image.png

    For more info:
    List role assignments
    List group members
    Microsoft Graph Explorer

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 additional answer

Sort by: Most helpful
  1. Bas Pruijn 951 Reputation points
    2022-11-15T13:47:59.627+00:00

    As far as I know you need to combine 2 separate queries:

    • get all RBAC assignments from Azure
    • Get all users in AAD groups

    And then combine them. At least that is what I have done in the past. We did the combining part in PowerBI to provide a nice report for the auditors.

    1 person found this answer helpful.
    0 comments No comments