This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 56.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
I Use a PowerShell 7 Script to Validate Resource Group and its JSON contents DisplayName, ObjectID and Role Definition Name. My Script will use Parallel block to loop through the subscriptions and validate RG First and then foreach Role Definition it has to valid it first and then checks the given ObjectID is a valid SPN or Group or User.
Currently I'm using normal forEach-Object but it's taking too long to validate. I need a simple solution.
Note: Repo has Different Folders with Subscription Names in each folder consists of RG names as JSON files.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Are you asking about error handling or collecting errors?
Using the example below, you'll create a variable you can reference as $BadStuff that will either be scalar (if there's only one error reported) or an array (if multiple errors are reported). Note that in this example, "errors" are only "exceptions". If your scriptblock "handles" the error and doesn't die, but merely sends the results of any errors in the success stream, there won't be any "errors" to handle.
$results = <collection> |
ForEach-Object -Parallel {<code-that-does-the-work>} -ErrorVariable BadStuff
P.S. The missing "$" in the -ErrorVariable value isn't a mistake.
I'm talking about on how to collect and display the errors @Rich Matheisen
Then follow that little bit of code. The $BadStuff (or whatever you name it) will contain the Error Objects.
For above attached script, some time it gives me Fake Resource Group does not exist error, sometimes I'm getting desired error. But never a stable output. It's so Inconsistent regarding the errors display.
is this the Functionality of Parallel or the limitations of its usage. Please let me know.
What is the purpose of the variable $errorfindings (declared on line #9)? I don't see where it's referenced in any context except when it's being loaded with a value.
You have it declared at the "local" level (pretty much the same as if you created it using a scope of "script (e.g., $Script:errorfindings). There is only one variable by that name, accessible to all code in the script and any functions you may add to the code.
BUT, you're using a ForEach-Object with the "-Parallel" switch. Now you have multiple occurrences of the scriptblock running -- all of which use the same variable.
There are other problem areas lurking in your code. For example:
# validate resource groups
$pos = $_.Name.IndexOf(".json")
$resourceGroup = $_.Name.Substring(0, $pos)
You have the $ErrorActionPreference set to "Stop" but you don't check the $pos result to see if it's -1 before you use it. And you haven't enclosed the code in a Try/Catch block, either. You then go on to use the (possibly empty) $resourceGroup in the Get-AzResourceGroup cmdlet and when loading the $errorfindings variable.
A bit further on you use the Get-AzRoleDefinition cmdlet without -EA SilentlyContinue (keep in mind the default error action is set to "stop").
I don't have the means to run your code, though.
@Rich Matheisen Sorry for the confusion, I attached a wrong file. Attached a new one. RBAC_Parallel.txt
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 83%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENJ%3C/text%3E%3C/svg%3E)
Hi Ramakrishna Abhijeet P,
Thank you for posting in the Q&A Forums.
The following is a sample script showing how to use ForEach-Object -Parallel to parallelize your validation tasks. This script assumes that you have a directory structure that contains JSON files, each containing a DisplayName, ObjectID, and role definition name.
# Ensure you have the necessary modules
Import-Module Az
# Define the base directory containing subscription folders
$baseDir = "C:\Path\To\Your\Repo"
# Get all subscription folders
$subscriptionFolders = Get-ChildItem -Path $baseDir -Directory
# Function to validate a resource group
function Validate-ResourceGroup {
param (
[string]$resourceGroupPath
)
# Read the JSON content from the file
$jsonContent = Get-Content -Path $resourceGroupPath -Raw | ConvertFrom-Json
$displayName = $jsonContent.DisplayName
$objectId = $jsonContent.ObjectID
$roleDefinitionName = $jsonContent.RoleDefinitionName
# Validate DisplayName, ObjectID, and RoleDefinitionName
$isValidDisplayName = $true # Replace with actual validation logic
$isValidObjectId = $true # Replace with actual validation logic
$isValidRoleDefinition = $true # Replace with actual validation logic
# Output the validation result
[PSCustomObject]@{
DisplayName = $displayName
ObjectID = $objectId
RoleDefinitionName = $roleDefinitionName
IsValidDisplayName = $isValidDisplayName
IsValidObjectId = $isValidObjectId
IsValidRoleDefinition = $isValidRoleDefinition
}
}
# Process each subscription folder in parallel
$subscriptionFolders | ForEach-Object -Parallel {
param ($baseDir)
$subscriptionName = $_.Name
$resourceGroupFiles = Get-ChildItem -Path "$baseDir\$subscriptionName" -Filter *.json
# Process each resource group file in the subscription folder
$resourceGroupFiles | ForEach-Object {
$result = Validate-ResourceGroup -resourceGroupPath $_.FullName
Write-Output $result
}
} -ArgumentList $baseDir -ThrottleLimit 4 | Export-Csv -Path "ValidationResults.csv" -NoTypeInformation
The above is the content of the code, you can according to the comments to make changes for your environment.
Best regards
NeuviJ
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
@Neuvi Jiang
If there's an Error in Session 1, I need to write-out the error as well as I need the other parallel sessions to continue the execution until it validates all the Object IDs in a given Resource Group (If exists). I need to run this in Azure Devops Build Pipeline, so that if there's a error I need to stop making the Artifact.
Using the last file you posted, I went through the code and made some changes.
Also, because you're collecting the output from the Foreach-Object -Parallel in $allErrors there's no need for anything to be thread-safe -- a simple array is all that's necessary.
param(
[CmdletBinding()]
$dirName = 'C:\Infrastructure\Azure-RBAC-Exceptions',
$environment = 'DEV'
)
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$InformationPreference = "Continue"
# Get all the subscription folders for the given environment
$Subscriptionfolders = Get-ChildItem -Path $dirName -Directory
if ($environment -eq 'DEV') {
$subscriptions = $Subscriptionfolders | Where-Object { $_.Name -like "AGDEV_*" -and $_.Name -notlike "*IAM*" }
}
else {
$subscriptions = $Subscriptionfolders | Where-Object { $_.Name -like "AG_*" -and $_.Name -notlike "*IAM*" }
}
# Validate each subscription in parallel
[array]$allErrors = $subscriptions |
ForEach-Object -ThrottleLimit 4 -Parallel {
[array]$localErrors = @()
$SubscriptionName = $_.Name
$subscriptionFolder = Join-Path -Path $using:dirName -ChildPath $SubscriptionName
# what should happen if this fails?
if (-NOT (Select-AzSubscription -Subscription $SubscriptionName -Verbose) ){ # should this use the -Current switch?
$localErrors += "Subscription '$SubscriptionNam' does not exist"
}
else{
foreach ($resourceGroupFile in (Get-ChildItem -Path $subscriptionFolder -File) ) {
$resourceGroup = $resourceGroupFile.BaseName
try {
Get-AzResourceGroup -Name $resourceGroup -ErrorAction Stop | Out-Null
}
catch {
$localErrors += "Resource group '$resourceGroup' does not exist."
}
$roleAssignments = Get-Content -Path $resourceGroupFile.FullName | ConvertFrom-Json
foreach ($roleAssignment in $roleAssignments) {
try {
Get-AzRoleDefinition -Name $roleAssignment.RoleDefinitionName | Out-Null`
}
catch {
$localErrors += "Role definition '$($roleAssignment.RoleDefinitionName)' does not exist."
# continue
}
$ADObject = $null
try {
$ADObject = Get-AzADServicePrincipal -ObjectId $roleAssignment.ObjectId -ErrorAction Stop
}
catch {
try {
$ADObject = Get-AzADGroup -ObjectId $roleAssignment.ObjectId -ErrorAction Stop
}
catch {
try {
$ADObject = Get-AzADUser -ObjectId $roleAssignment.ObjectId -ErrorAction Stop
}
catch {
$localErrors += "Object ID '$($roleAssignment.ObjectId)' for '$($roleAssignment.DisplayName)' does not exist in Active Directory."
continue
}
}
}
if ($ADObject -and $ADObject.DisplayName -ne $roleAssignment.DisplayName) {
$localErrors += "Display name mismatch for Object ID '$($roleAssignment.ObjectId)': expected '$($roleAssignment.DisplayName)', found '$($ADObject.DisplayName)'."
}
}
}
}
}
return $localErrors # what do you want returned? An array or the array's contents?
# why is any of the code below necessary?
# the $allErrors variable should contain all the errors (or all the arrays of errors)
# Add all errors to the concurrent bag
$allErrors | ForEach-Object { $errorFindings.Add($_) }
if ($errorFindings.Count -gt 0) {
$errorFindings | ForEach-Object { Write-Error $_ }
}
The reason why we're using Parallel is to speed up the process of validation. We have a working script which does the job perfectly, but it lacks speed. But when using try & catch blocks this parallel is also taking same amount of time. Is there a work around? @Rich Matheisen
The creation and tear-down of each run space in which each of the parallel threads run adds a considerable amount of time.
Parallel processing usually works to its best advantage when the bulk of time is spent waiting for something to happen (open/reading/writing/closing files, waiting for database queries to complete). A task, under those circumstances, that takes, say, five minutes and runs ten times might run in six minutes vs. the 50 minutes it would take if run serially. A task that runs in, say, 10msec, and runs ten times, when run in parallel might take several seconds to complete vs. the 100ms when run serially. Computationally intense tasks run in parallel only make sense if they have unfettered access to a core for each thread.
I'm assuming you're running your code on a machine with at least four cores, given the threshold value in that code. And that four cores are available 100% of the time for you code to execute. It that's not true, your code is probably waiting for an available processor -- which also adds to its elapsed run time.
The use of Try/Catch also adds to the time it takes to run. Each try/catch requires set-up and teardown.
When you give vague goals, like "it lacks speed" without measuring where the slow bits of code are, you'll have a hard time optimizing any code.
Also, keep in mind that PowerShell is a shell, not a compiler. There's little opportunity for code optimization. To see that difference, try generating all permutations of a set of ten integers! It might take six or seven seconds in C#, but PowerShell might take five, or more, minutes!