How can I find the owners of a resource via API for Azure?

JPAN 1 Reputation point
2023-01-05T16:19:57.6+00:00

Hi,
I'm trying to get the owner (or list of owners) of a VM. I've investigated some of the Azure APIs I am using to pull resource information, for example [getting VM (Compute) details][1]; however, I have not found any information for roles or owners associated with the resource. I have also tried going up a level from that to get information from the resource group, and that API endpoint does not return any owner information either. However, I have found that the tags in the response for Subscriptions - Get include "c7n-contact", which has a DL but still no users that own the specific resources below. I would very much appreciate some assistance with how I could find the owner(s) of a VM or of the Resource Group that VM is a part of, not necessarily who created it.
[1]: https://learn.microsoft.com/en-us/rest/api/compute/virtual-machines/get?tabs=HTTP


1 answer

  1. kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator
    2023-01-05T18:47:32.833+00:00

    Hello, @JPAN !

    How do I find the owners of a resource via API?
    You can use the CLI command az role assignment list or the equivalent REST API below for roleAssignments. This works with a variety of scopes including the subscription, resource group, and resource:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest#list-role-assignments

    To list the owners of a VM using the REST API, you would use this as your scope:

    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Compute/virtualMachines/MyVM

    Postman Example

    I created a service principal and configured Postman using a blog from Jon Gallant, an Azure developer at Microsoft.

    Once that was configured, I used the following request based on the documentation above:

    https://management.azure.com/subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.Compute/virtualMachines/myVMName/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01

    Example request:
    277105-image.png

    One of the nice things about the CLI command az role assignment list instead of the REST API is that it returns some extra values, including principalName and roleDefinitionName, which are the human-readable versions of principalId and roleDefinitionId respectively.

    Once we have the response in Postman, we can search for the roleDefinitionId we are interested in such as the ID for Owner. Within that block, we can search for the principalId which we can use to get the name of the user.

    Extra values returned when using the CLI command az role assignment list can be easier to work with.
    277113-image.png

    The REST API will return roleDefinitionId and principalId which we can use to identify the role we are interested in and look up the user who has that role.
    277059-image.png

    There are a variety of methods for getting the roleDefinitionId and principalId. For example, you can find the roleDefinitionId of the role you are interested in within the portal by going to your resource > Access control (IAM) > Roles > then click on View under Details for the role name you are interested in (Owner) > JSON > id. A similar approach can be used for getting principalId by clicking on a user.
    277131-image.png

    1 person found this answer helpful.
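
The filtering step described in the answer above, as an added example that is not part of the original answer or any Microsoft code: it picks the Owner assignments out of a roleAssignments response and marks whether each was set on the VM itself or at a higher scope. The response body, subscription ID and principal IDs are constructed placeholders; the Owner GUID is the built-in role's ID, so custom roles with similar permissions are not matched, and a Group principal still has to be resolved to its members separately.

```python
import json

# Built-in Owner role GUID; it is the final segment of roleDefinitionId.
OWNER_ROLE_GUID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Constructed placeholders, not real identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/myResourceGroupName"
VM_SCOPE = RG + "/providers/Microsoft.Compute/virtualMachines/myVMName"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

def _assignment(role_guid, principal_id, principal_type, scope):
    """Build one constructed entry shaped like the REST response items."""
    return {"properties": {"roleDefinitionId": ROLE_DEFS + role_guid,
                           "principalId": principal_id,
                           "principalType": principal_type,
                           "scope": scope}}

# Constructed sample of a roleAssignments list response body.
SAMPLE_RESPONSE = json.dumps({"value": [
    _assignment(OWNER_ROLE_GUID, "11111111-1111-1111-1111-111111111111", "User", VM_SCOPE),
    _assignment(OWNER_ROLE_GUID.upper(), "22222222-2222-2222-2222-222222222222", "Group", SUB),
    _assignment("b24988ac-6180-42a0-ab88-20f7382dd24c",  # built-in Contributor
                "33333333-3333-3333-3333-333333333333", "ServicePrincipal", RG),
]})

def find_owners(response_text, resource_scope):
    """Return Owner assignments, flagging those set above the resource."""
    target = resource_scope.rstrip("/").lower()
    owners = []
    for item in json.loads(response_text).get("value", []):
        props = item.get("properties", {})
        role_guid = props.get("roleDefinitionId", "").rstrip("/").rsplit("/", 1)[-1]
        if role_guid.lower() != OWNER_ROLE_GUID:  # GUID case can vary
            continue
        scope = props.get("scope", "")
        owners.append({"principalId": props.get("principalId"),
                       "principalType": props.get("principalType"),
                       "scope": scope,
                       "inherited": scope.rstrip("/").lower() != target})
    return owners

if __name__ == "__main__":
    for o in find_owners(SAMPLE_RESPONSE, VM_SCOPE):
        where = "inherited from " + o["scope"] if o["inherited"] else "direct"
        print(o["principalType"], o["principalId"], where)
```

The `principalType` field shows which results are groups or service principals rather than individual users, which matters when the goal is a list of people who effectively own the VM.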