@Seenuvasan, Venkatanathan, thank you for providing additional information regarding this question earlier.
To summarize, you have an "Azure Automation Account" with System Assigned Identity enabled and some roles assigned at Subscription level, as described in the question. When running a runbook script (PowerShell) with Get-AzRoleAssignment, you are unable to get any DisplayName or SignInName in the output for the role assignments.
Note that, apart from the role assignment at subscription level, you also need to assign the Directory readers role to this identity in Azure Active Directory to allow it to read basic directory information. To do so, follow the steps below:
1. In Azure Portal, search for "Azure Active Directory" --> Roles and administrators
2. Search for the "Directory readers" role --> "+ Add assignments" --> Search with the Azure Automation Account name and assign.
Also, for your reference, I'm providing the script used to test this scenario below, with relevant comments:

```powershell
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Connect to Azure with the system-assigned managed identity of the Automation Account
$AzureContext = (Connect-AzAccount -Identity).context

# Set and store the context for the subscription the identity landed in
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

# List role assignments at the current subscription scope; DisplayName and SignInName
# are only populated when the identity can read the directory
$roleAssignments = Get-AzRoleAssignment
Write-Output "total count: $($roleAssignments.Count)"

foreach ($roleAssignment in $roleAssignments)
{
    Write-Output $roleAssignment
    Write-Output "----------------------------------------"
}
```
Please let me know if you have any questions.
---
Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.
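An added example, not part of the answer above, that turns the test script into a small audit: it connects with the managed identity, lists the subscription's role assignments, and separates the ones whose principal could not be resolved. If no assignment resolves at all, the runbook identity is most likely missing the Directory Readers role described above; a handful of unresolved entries among resolved ones usually points at assignments left behind for deleted principals. The function name `Get-RoleAssignmentAudit` is my own, and the assumption that an unresolvable principal comes back with an empty DisplayName is based on the symptom reported in the question.

```powershell
# Added example: audit role assignments from a runbook and flag unresolved principals.
Disable-AzContextAutosave -Scope Process
$AzureContext = (Connect-AzAccount -Identity).context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

function Get-RoleAssignmentAudit {
    # Hypothetical helper, not part of the Az module.
    param([string]$Scope = "/subscriptions/$($AzureContext.Subscription.Id)")

    $assignments = @(Get-AzRoleAssignment -Scope $Scope)

    # Assumption: when the caller cannot read Azure AD, DisplayName stays empty.
    $resolved   = @($assignments | Where-Object { -not [string]::IsNullOrEmpty($_.DisplayName) })
    $unresolved = @($assignments | Where-Object { [string]::IsNullOrEmpty($_.DisplayName) })

    [pscustomobject]@{
        Total      = $assignments.Count
        Resolved   = $resolved.Count
        Unresolved = $unresolved.Count
        # Everything unresolved means the identity itself cannot read the directory,
        # which is the Directory Readers gap rather than stale assignments.
        LikelyMissingDirectoryReaders = ($assignments.Count -gt 0 -and $resolved.Count -eq 0)
        # Unresolved entries, with the raw ObjectId so they can be checked or cleaned up.
        UnresolvedDetails = $unresolved | Select-Object RoleDefinitionName, ObjectId, ObjectType, Scope
    }
}

$audit = Get-RoleAssignmentAudit
Write-Output "Total: $($audit.Total)  Resolved: $($audit.Resolved)  Unresolved: $($audit.Unresolved)"

if ($audit.LikelyMissingDirectoryReaders) {
    Write-Warning "No principal names could be resolved; assign the Directory Readers role to the Automation Account's managed identity."
}
elseif ($audit.Unresolved -gt 0) {
    Write-Warning "Some assignments have no resolvable principal; review them for deleted users or service principals."
}

$audit.UnresolvedDetails | Format-Table -AutoSize
```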