Get-AzRoleDefinition
Lists all Azure RBAC roles that are available for assignment.
Syntax
RoleDefinitionNameParameterSet (Default)
Get-AzRoleDefinition
    [[-Name] <String>]
    [-Scope <String>]
    [-SkipClientSideScopeValidation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]
RoleDefinitionIdParameterSet
Get-AzRoleDefinition
    -Id <Guid>
    [-Scope <String>]
    [-SkipClientSideScopeValidation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]
RoleDefinitionCustomParameterSet
Get-AzRoleDefinition
    [-Scope <String>]
    [-Custom]
    [-SkipClientSideScopeValidation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]
Description
Use the Get-AzRoleDefinition command with a particular role name to view its details. To inspect individual operations that a role grants access to, review the Permissions property of the role. Each permission entry contains Actions, NotActions, DataActions, NotDataActions, and optionally Condition and ConditionVersion properties. Roles with Attribute-Based Access Control (ABAC) conditions will have the Condition and ConditionVersion set on the appropriate permission entry.
Examples
Example 1: Get a role definition by name
Get-AzRoleDefinition -Name Reader
Retrieves the Reader role definition with all its permissions.
Example 2: List all RBAC role definitions
Get-AzRoleDefinition
Lists all Azure RBAC role definitions available in the current scope.
Example 3: Access Actions from a role definition
$roleDef = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$roleDef.Permissions[0].Actions
Retrieves the actions from the first permission entry of a role definition.
Example 4: Get all permissions including conditions
$roleDef = Get-AzRoleDefinition -Name "Key Vault Data Access Administrator"
foreach ($permission in $roleDef.Permissions) {
    Write-Host "Actions: $($permission.Actions -join ', ')"
    Write-Host "DataActions: $($permission.DataActions -join ', ')"
    if ($permission.Condition) {
        Write-Host "Condition: $($permission.Condition)"
        Write-Host "ConditionVersion: $($permission.ConditionVersion)"
    }
}
Iterates through all permission entries and displays actions and any ABAC conditions. Key Vault Data Access Administrator is a built-in role that carries a real ABAC condition on one of its permission entries, so the if ($permission.Condition) branch actually fires.
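An added example, not part of the original reference: it walks the Permissions entries described above to flag roles that effectively grant Microsoft.Authorization/roleAssignments/write, treating NotActions as exclusions from Actions and reporting whether an ABAC condition is set on the entry. The function names, the variable $TargetOperation, and the sample role objects are assumptions constructed for illustration.

```powershell
# Added example: which role definitions can create role assignments?
$TargetOperation = 'Microsoft.Authorization/roleAssignments/write'

function Test-ActionGranted {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Operation)
    # Granted when some Actions pattern matches the operation and no
    # NotActions pattern excludes it. Both lists use '*' as the wildcard,
    # which -like understands; -like is also case-insensitive.
    $allowed  = @($Actions    | Where-Object { $_ -and ($Operation -like $_) })
    $excluded = @($NotActions | Where-Object { $_ -and ($Operation -like $_) })
    return ($allowed.Count -gt 0 -and $excluded.Count -eq 0)
}

function Find-RoleAssignmentWriter {
    param([Parameter(ValueFromPipeline)]$RoleDefinition)
    process {
        foreach ($p in $RoleDefinition.Permissions) {
            if (Test-ActionGranted -Actions $p.Actions -NotActions $p.NotActions -Operation $TargetOperation) {
                [pscustomobject]@{
                    Role        = $RoleDefinition.Name
                    # An ABAC condition narrows how the grant can be used.
                    Conditioned = [bool]$p.Condition
                    Actions     = $p.Actions -join ', '
                }
            }
        }
    }
}

# Constructed sample objects, shaped like the Permissions entries described above.
$sample = @(
    [pscustomobject]@{ Name = 'sample-broad'; Permissions = @(
        [pscustomobject]@{ Actions = @('*'); NotActions = @(); Condition = $null }) }
    [pscustomobject]@{ Name = 'sample-excluded'; Permissions = @(
        [pscustomobject]@{ Actions = @('*'); NotActions = @('Microsoft.Authorization/*/Write'); Condition = $null }) }
    [pscustomobject]@{ Name = 'sample-conditioned'; Permissions = @(
        [pscustomobject]@{ Actions = @('Microsoft.Authorization/roleAssignments/write')
                           NotActions = @(); Condition = '<constructed ABAC condition>' }) }
)
$sample | Find-RoleAssignmentWriter | Format-Table -AutoSize

# Against a tenant: Get-AzRoleDefinition -Custom | Find-RoleAssignmentWriter
```

Entries reported with Conditioned set to False are the ones to review first, since nothing restricts which roles the holder can assign.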
Parameters
-Custom
If specified, only displays the custom created roles in the directory.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
RoleDefinitionCustomParameterSet
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
| Type: | IAzureContextContainer |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Id
Role definition Id.
Parameter properties
| Type: | Guid |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
RoleDefinitionIdParameterSet
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-Name
Role definition name. For example, Reader, Contributor, Virtual Machine Contributor.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
RoleDefinitionNameParameterSet
| Position: | 0 |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-Scope
Role definition scope.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-SkipClientSideScopeValidation
If specified, skips client-side scope validation.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
String
Guid
SwitchParameter
Outputs
PSRoleDefinition
Notes
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment