How can I use the REST API to retrieve role assignment details, including the names of users and service principals, from a Microsoft Purview account?

Brishti Basu 0 Reputation points
2023-11-14T11:35:08.57+00:00

So, I'm trying to get the role assignments from Microsoft Purview using the following REST API:

api_endpoint = f"https://{pv_account_name}.purview.azure.com/policystore/metadataroles"

With this I am able to obtain the ids and role names, but I am unable to obtain the names of users, service principals, etc. I am writing a Python script to get the data, but I have hit a wall. I am unsure how to go about it, as this is my first time trying this.

How do I get the role assignments like data curators and collection admins, and the names of the users and service principals?

I tried writing a Python script like the following code:

import requests

# Replace these with your actual values
pv_account_name = "purview"
api_version = "2021-07-01"

# Azure AD credentials (placeholders)
client_id = "b"
client_secret = "L"
tenant_id = "e"
purview_resource = "https://purview.azure.net"
# Graph rejects a token issued for the Purview audience, so a second token is needed
graph_resource = "https://graph.microsoft.com"

# Construct the token request URL
token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def get_access_token(resource):
    # Client-credentials token for one audience (Purview or Graph)
    token_params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "resource": resource,
    }
    token_response = requests.post(token_url, data=token_params)
    if token_response.status_code != 200:
        print(f"Error: {token_response.status_code}")
        print(token_response.text)
        return None
    return token_response.json().get("access_token")


access_token = get_access_token(purview_resource)
graph_token = get_access_token(graph_resource)

if access_token and graph_token:
    # Construct the API endpoint for role assignments
    api_endpoint = f"https://{pv_account_name}.purview.azure.com/policystore/metadataroles"

    # Set up headers with the Purview access token
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    # Separate headers carrying the Graph-scoped token
    graph_headers = {"Authorization": f"Bearer {graph_token}"}

    # Set up parameters for the request
    params = {
        "api-version": api_version,
        # Add any additional parameters as needed
    }

    # Make the GET request to retrieve role assignments
    response = requests.get(api_endpoint, headers=headers, params=params)

    # Check the response status
    if response.status_code == 200:
        role_assignments = response.json()

        # Initialize a list to store role assignments with user or service principal information
        role_assignments_with_names = []

        # Function to retrieve user or service principal information
        def get_user_info(unique_identifier):
            # directoryObjects resolves users, service principals and groups alike;
            # /users/{id} returns 404 for a service principal
            user_info_endpoint = f"https://graph.microsoft.com/v1.0/directoryObjects/{unique_identifier}"
            user_info_response = requests.get(user_info_endpoint, headers=graph_headers)

            if user_info_response.status_code == 200:
                return user_info_response.json()
            return None

        for assignment in role_assignments.get("values", []):
            # metadataroles entries are role definitions and carry no "principalId",
            # so this lookup finds nothing; the ids live in the metadata policies instead
            unique_identifier = assignment.get("principalId")

            if unique_identifier:
                user_info = get_user_info(unique_identifier)

                if user_info:
                    # Combine role assignment and user info
                    role_assignment_with_name = {
                        "role_assignment": assignment,
                        "user_info": user_info,
                    }
                    role_assignments_with_names.append(role_assignment_with_name)

        # Now, role_assignments_with_names contains role assignments with user or service principal info
        print(role_assignments_with_names)

    else:
        print(f"Error: {response.status_code}")
        print(response.text)

This returns an empty set.


1 answer

PRADEEPCHEEKATLA-MSFT 89,466 Reputation points Microsoft Employee
2023-12-01T06:40:58.06+00:00

@Brishti Basu - Sorry for the late response - the public documentation for policies and roles is at

https://learn.microsoft.com/en-us/purview/tutorial-metadata-policy-collections-apis

The roles and groups are under the properties "principal.microsoft.id" and "principal.microsoft.groups".

Hope this helps. Do let us know if you have any further queries.
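An added example (not the asker's script or Microsoft's code) of walking a metadata policy document for the two attributes named in the answer and then resolving each object id through Graph. It assumes the policy shape described in the linked tutorial, uses constructed placeholder GUIDs, and takes the resolver as a callable so the parsing runs offline; the Graph resolver needs a token issued for graph.microsoft.com, not the Purview token.

```python
import json
import urllib.request
# Constructed sample in the shape of a GET /policystore/metadataPolicies response
# (shape assumed from the linked tutorial; the GUIDs are placeholders, not real ids).
SAMPLE_POLICIES = json.loads("""{"values": [{"name": "policy_root", "properties": {
  "collection": {"type": "CollectionReference", "referenceName": "contoso-root"},
  "attributeRules": [
    {"name": "purviewmetadatarole_builtin_data-curator:contoso-root", "dnfCondition": [
      [{"attributeName": "principal.microsoft.id",
        "attributeValueIncludedIn": ["11111111-0000-0000-0000-000000000001"]}],
      [{"attributeName": "principal.microsoft.groups",
        "attributeValueIncludedIn": ["22222222-0000-0000-0000-000000000002"]}]]},
    {"name": "purviewmetadatarole_builtin_collection-administrator:contoso-root", "dnfCondition": [
      [{"attributeName": "principal.microsoft.id", "attributeValueIncludedIn": ["33333333-0000-0000-0000-000000000003"]}]]}]}}]}""")

def role_assignments(policies: dict) -> list[dict]:
    """Per collection and role, collect ids from principal.microsoft.id / .groups."""
    out = []
    for policy in policies.get("values", []):
        props = policy.get("properties", {})
        collection = props.get("collection", {}).get("referenceName")
        for rule in props.get("attributeRules", []):
            ids, groups = set(), set()
            for clause in rule.get("dnfCondition", []):  # DNF: OR of AND-clauses
                for cond in clause:
                    values = cond.get("attributeValueIncludedIn", [])
                    if cond.get("attributeName") == "principal.microsoft.id":
                        ids.update(values)     # users and service principals
                    elif cond.get("attributeName") == "principal.microsoft.groups":
                        groups.update(values)  # Entra ID groups
            if ids or groups:  # rule name is "<role>:<collection>"
                out.append({"collection": collection, "role": rule["name"].split(":")[0],
                            "principal_ids": sorted(ids), "group_ids": sorted(groups)})
    return out

def graph_lookup(graph_token: str):
    """Live resolver; needs a token issued for https://graph.microsoft.com, not the Purview one."""
    def lookup(object_id: str) -> dict:  # directoryObjects covers users, SPs and groups
        req = urllib.request.Request(f"https://graph.microsoft.com/v1.0/directoryObjects/{object_id}",
                                     headers={"Authorization": f"Bearer {graph_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return lookup

def resolve_names(assignments: list[dict], lookup) -> list[dict]:
    def name_of(oid):  # displayName plus the object type taken from @odata.type
        obj = lookup(oid)
        return {"id": oid, "name": obj.get("displayName"), "type": obj.get("@odata.type", "").rsplit(".", 1)[-1]}
    return [{**a, "principals": [name_of(i) for i in a["principal_ids"]],
             "groups": [name_of(i) for i in a["group_ids"]]} for a in assignments]
```

For a live run, pass `graph_lookup(token)` as the resolver; the app registration then needs a Graph permission that allows reading directory objects, which is a separate grant from its Purview role.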

