Extraction of IAM roles in Azure via script

Question

Extraction of IAM roles in Azure via script

Tristano,G,Giuseppe,JBP12 R 111

Hello All,

is there a way to get all Azure IAM role assignment with also the details of the groups?

I explain better: if I go to the Azure portal and click download role assignment I get a list of users and groups with the pertaining role.

I would like to have in the same file the users contained in the group.

Could you please advise

giuseppe

Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2024-10-17T15:30:37.3733333+00:00

Hello @Tristano,G,Giuseppe,JBP12 R,

Thank you for posting your query on Microsoft Q&A.

I am currently looking into this and will provide further updates after testing it in my tenant.

Thanks,
Raja Pothuraju.
Tristano,G,Giuseppe,JBP12 R 111 Reputation points

2024-10-17T15:32:35.67+00:00

Thank you very much indeed

giuseppe
Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2024-10-17T15:57:23.4533333+00:00

Hello @Tristano,G,Giuseppe,JBP12 R,

Thank you for your quick response.

After reviewing this, I wanted to confirm whether you are referring to Azure IAM role assignments or Entra role assignments.

Below is a screenshot showing Azure IAM role assignments at the subscription level.

Waiting for your response.

Thanks,
Raja Pothuraju.
Tristano,G,Giuseppe,JBP12 R 111 Reputation points

2024-10-17T16:36:37.3566667+00:00

Hello Mr Raja Pothuraji,

yes IAM roles. As you know if you click download to csv file you get a CSV with the following columns

Hope you can see the columns. Anyhow if you have for instance

name giuseppe type giuseppe's_group role owner scope this resources condition None

I would like to see which users belong to giuseppe's_group

Thank you

giuseppe

Raja Pothuraju 43,660 Microsoft External Staff Moderator

Hello @Tristano,G,Giuseppe,JBP12 R,

Thank you for sharing the detailed information about the request.

Since this is more related to Azure IAM role assignments, I am re-tagging this thread for better visibility to the relevant service and removing the Entra ID tag.

Additionally, I would like to share a PowerShell script provided by one of your internal AI engine tool:

# Log in to Azure
Connect-AzAccount

# Get all role assignments
$roleAssignments = Get-AzRoleAssignment

# Initialize an array to hold the results
$results = @()

foreach ($assignment in $roleAssignments) {
    $group = $null
    $users = @()

    # Check if the assigned principal is a group
    if ($assignment.PrincipalType -eq 'Group') {
        # Get the group details
        $group = Get-AzADGroup -ObjectId $assignment.PrincipalId
        # Get members of the group
        $users = Get-AzADGroupMember -GroupObjectId $group.Id | Select-Object DisplayName, UserPrincipalName
    }

    # Create a custom object for each assignment
    $result = [PSCustomObject]@{
        RoleDefinitionName = $assignment.RoleDefinitionName
        PrincipalType      = $assignment.PrincipalType
        PrincipalName      = if ($group) { $group.DisplayName } else { $assignment.PrincipalId }
        Users              = if ($users) { $users.DisplayName -join '; ' } else { '' }
    }

    # Add result to the array
    $results += $result
}

# Export to CSV
$results | Export-Csv -Path 'RoleAssignmentsWithGroupMembers.csv' -NoTypeInformation

Note: This is an AI-generated script I obtained, but it still needs to be tested to ensure it provides the desired results.

Thanks,
Raja Pothuraju.

Answer accepted by question author

0 additional answers

Your answer

Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2024-10-17T15:30:37.3733333+00:00

Hello @Tristano,G,Giuseppe,JBP12 R,

Thank you for posting your query on Microsoft Q&A.

I am currently looking into this and will provide further updates after testing it in my tenant.

Thanks,
Raja Pothuraju.
Tristano,G,Giuseppe,JBP12 R 111 Reputation points

2024-10-17T15:32:35.67+00:00

Thank you very much indeed

giuseppe
Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2024-10-17T15:57:23.4533333+00:00

Hello @Tristano,G,Giuseppe,JBP12 R,

Thank you for your quick response.

After reviewing this, I wanted to confirm whether you are referring to Azure IAM role assignments or Entra role assignments.

Below is a screenshot showing Azure IAM role assignments at the subscription level.

Waiting for your response.

Thanks,
Raja Pothuraju.
Tristano,G,Giuseppe,JBP12 R 111 Reputation points

2024-10-17T16:36:37.3566667+00:00

Hello Mr Raja Pothuraji,

yes IAM roles. As you know if you click download to csv file you get a CSV with the following columns

Hope you can see the columns. Anyhow if you have for instance

name giuseppe type giuseppe's_group role owner scope this resources condition None

I would like to see which users belong to giuseppe's_group

Thank you

giuseppe
Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2024-10-17T17:07:37.7433333+00:00

Hello @Tristano,G,Giuseppe,JBP12 R,

Thank you for sharing the detailed information about the request.

Since this is more related to Azure IAM role assignments, I am re-tagging this thread for better visibility to the relevant service and removing the Entra ID tag.

Additionally, I would like to share a PowerShell script provided by one of your internal AI engine tool:

# Log in to Azure Connect-AzAccount # Get all role assignments $roleAssignments = Get-AzRoleAssignment # Initialize an array to hold the results $results = @() foreach ($assignment in $roleAssignments) { $group = $null $users = @() # Check if the assigned principal is a group if ($assignment.PrincipalType -eq 'Group') { # Get the group details $group = Get-AzADGroup -ObjectId $assignment.PrincipalId # Get members of the group $users = Get-AzADGroupMember -GroupObjectId $group.Id | Select-Object DisplayName, UserPrincipalName } # Create a custom object for each assignment $result = [PSCustomObject]@{ RoleDefinitionName = $assignment.RoleDefinitionName PrincipalType = $assignment.PrincipalType PrincipalName = if ($group) { $group.DisplayName } else { $assignment.PrincipalId } Users = if ($users) { $users.DisplayName -join '; ' } else { '' } } # Add result to the array $results += $result } # Export to CSV $results | Export-Csv -Path 'RoleAssignmentsWithGroupMembers.csv' -NoTypeInformation

Note: This is an AI-generated script I obtained, but it still needs to be tested to ensure it provides the desired results.

Thanks,
Raja Pothuraju.

Answer 1

@Tristano,G,Giuseppe,JBP12 R Thanks for your patience on this.

You can leverage the below PowerShell scripts to pull the role definitions under a particular subscription of type group and followed by users inside those groups.

If you want to pull the user under a specific group, use the below script.

Connect-AzAccount 

#Set a particular subscription as context to run below role assignment cmdlet
Set-AzContext -SubscriptionId "<SubscriptionId>"

# Log in to AzureAD
Connect-AzureAD

 # Get all role assignments 
$roleAssignments = Get-AzRoleAssignment -ObjectId "<GroupObjectId>"

# Get all users under the AD Group
Get-AzADGroupMember -GroupObjectId $roleAssignments.ObjectId

If you want to pull for all group and their memberships use the below.

# Log in to Azure
Connect-AzAccount

#Set a particular subscription as context to run below role assignment cmdlet
Set-AzContext -SubscriptionId "<SubscriptionId>"

# Log in to AzureAD
Connect-AzureAD

$roleAssignments = Get-AzRoleAssignment | Where-Object ObjectType -EQ "Group"

$output = foreach($assignment in $roleAssignments){
     $users= Get-AzADGroupMember -GroupObjectId $assignment.ObjectId | Select-Object DisplayName, UserPrincipalName
     foreach($user in $users){
         $roleDefinitionName = (Get-AzRoleDefinition -Id $assignment.RoleDefinitionId).Name
         $groupName = (Get-AzADGroup -ObjectId $assignment.ObjectId).DisplayName
         [PSCustomObject]@{
             RoleDefinitionName = $roleDefinitionName
             GroupName = $groupName
             Users = $user.DisplayName
             Upn =$user.UserPrincipalName
         }
     }
}
$output | Export-Csv -Path "C:\Output.csv" -NoTypeInformation

Here is the sample screen shot output of above script for your reference:

enter image description here

Note: I have tested the above script in my local machine, and it is working fine. I would suggest you make changes based on your requirement and test it accordingly.

Hope this helps, let me know if you have any further questions on this.

Please accept as "Yes" if the answer is helpful so that it can help others in the community.

Tristano,G,Giuseppe,JBP12 R 111 Reputation points

2024-10-18T11:43:41.2966667+00:00

@VenkateshDodda-MSFT

Thank you very much indeed for your help.

The second script is exactly what I need.

I ran

Log in to Azure Connect-AzAccount

Set a particular subscription as context to run below role assignment cmdlet

Set-AzContext -SubscriptionId "<SubscriptionId>"

Log in to AzureAD Connect-AzureAD

$roleAssignments = Get-AzRoleAssignment | Where-Object ObjectType -EQ "Group"

then I put in a powershell file the rest of your suggestion. Run it but unfortunately Output.csv is empty.

Any idea?

Thank you and best regards

giuseppe
VenkateshDodda-MSFT 25,241 Reputation points Microsoft Employee Moderator

2024-10-18T13:11:10.25+00:00

Tristano,G,Giuseppe,JBP12 R Thanks for your follow-up question, I have re-ran the script in my local machine and I can see csv is getting created successfully as shown in below screenshot.

In the above screenshot I had comment the "set-azcontext" cmdlet in the above screenshot since I had the ran the script on a particular subscription.

Note : Please change the file path in "-path" parameter in export-csv cmdlet based on your local machine drives.
Tristano,G,Giuseppe,JBP12 R 111 Reputation points

2024-10-18T16:12:38.2533333+00:00

Thank you.

It is working perfectly. My fault.

Thank you for your precious help.

giuseppe

Share via

Extraction of IAM roles in Azure via script

Log in to Azure Connect-AzAccount

Log in to AzureAD Connect-AzureAD

0 additional answers

Your answer