Role Assignments - List For Scope

List all role assignments that apply to a scope.

GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
With optional parameters:

GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?$filter={$filter}&api-version=2022-04-01&tenantId={tenantId}&$skipToken={$skipToken}

URI Parameters

Name In Required Type Description
scope
path True
  • string

The scope of the operation or resource. Valid scopes are: subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'), or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}').

api-version
query True
  • string

The API version to use for this operation.

$filter
query
  • string

The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal.

$skipToken
query
  • string

The skipToken to apply on the operation. Use $skipToken={skiptoken} to return paged role assignments following the skipToken passed. Only supported on provider level calls.

tenantId
query
  • string

Tenant ID for cross-tenant request

Responses

Name Type Description
200 OK

Returns an array of role assignments.

Other Status Codes

Error response describing why the operation failed.

Permissions

To call this API, you must be assigned a role that has the following permissions. For more information, see Azure built-in roles.

Microsoft.Authorization/roleAssignments/read

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

List role assignments for scope

Sample Request

GET https://management.azure.com/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01

Sample Response

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
        "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
        "principalType": "User",
        "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2"
      },
      "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleAssignments/b0f43c54-e787-4862-89b1-a653fa9cf747",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "b0f43c54-e787-4862-89b1-a653fa9cf747"
    }
  ]
}
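The following Python sketch is an added example, not part of the original reference. It builds the request URL with a percent-encoded $filter, follows nextLink across pages, and labels each assignment as sitting at, above or below the queried scope, which is the distinction an access review needs when atScope() returns inherited assignments. The fetch callable, the rg-example resource group, the zeroed GUIDs, the case-insensitive scope comparison and the use of nextLink as the next request URL are all assumptions.

```python
from urllib.parse import quote, urlencode

ARM, API_VERSION = "https://management.azure.com", "2022-04-01"

def build_url(scope, filter_expr=None):
    """List For Scope URL; the $filter value is percent-encoded, '$' and '()' stay literal."""
    params = {"api-version": API_VERSION, "$filter": filter_expr}
    query = urlencode({k: v for k, v in params.items() if v}, safe="$()", quote_via=quote)
    return f"{ARM}/{scope.strip('/')}/providers/Microsoft.Authorization/roleAssignments?{query}"

def relation(assignment_scope, queried_scope):
    """Position of an assignment relative to the queried scope (assumed case-insensitive)."""
    a, q = ([s for s in x.lower().split("/") if s] for x in (assignment_scope, queried_scope))
    if a == q:
        return "at"
    if q[:len(a)] == a:
        return "above"  # inherited from a parent scope
    return "below" if a[:len(q)] == q else "other"

def review(scope, fetch, filter_expr="atScope()"):
    """Follow every page and return one summary row per role assignment."""
    rows, url = [], build_url(scope, filter_expr)
    while url:
        page = fetch(url)  # fetch(url) -> parsed JSON body; the caller handles authentication
        for ra in page.get("value", []):
            p = ra["properties"]
            rows.append({"principalId": p["principalId"],
                         "principalType": p.get("principalType", "User"),  # documented default
                         "role": p["roleDefinitionId"].rsplit("/", 1)[-1],
                         "relation": relation(p["scope"], scope),
                         "conditional": bool(p.get("condition"))})
        url = page.get("nextLink")  # assumption: usable as the next request URL
    return rows

# Constructed sample data: page 1 reuses this page's sample assignment, page 2 is invented.
SUB = "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2"
RG = SUB + "/resourceGroups/rg-example"
PAGES = {
    build_url(RG, "atScope()"): {"nextLink": "https://example.invalid/page2", "value": [{"properties": {
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
        "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987", "principalType": "User", "scope": SUB}}]},
    "https://example.invalid/page2": {"value": [{"properties": {
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000001",
        "principalId": "00000000-0000-0000-0000-0000000000aa", "principalType": "ServicePrincipal",
        "scope": RG, "condition": "<constructed condition>"}}]},
}

if __name__ == "__main__":
    print(*review(RG, PAGES.__getitem__), sep="\n")
```

In real use, replace PAGES.__getitem__ with a function that issues the authenticated GET and returns the decoded JSON body.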

Definitions

ErrorAdditionalInfo

The resource management error additional info.

ErrorDetail

The error detail.

ErrorResponse

Error response

PrincipalType

The principal type of the assigned principal ID.

RoleAssignment

Role Assignments

RoleAssignmentListResult

Role assignment list operation result.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info
  • object

The additional info.

type
  • string

The additional info type.

ErrorDetail

The error detail.

Name Type Description
additionalInfo

The error additional info.

code
  • string

The error code.

details

The error details.

message
  • string

The error message.

target
  • string

The error target.

ErrorResponse

Error response

Name Type Description
error

The error object.

PrincipalType

The principal type of the assigned principal ID.

Name Type Description
Device
  • string
ForeignGroup
  • string
Group
  • string
ServicePrincipal
  • string
User
  • string

RoleAssignment

Role Assignments

Name Type Default Value Description
id
  • string

The role assignment ID.

name
  • string

The role assignment name.

properties.condition
  • string

The conditions on the role assignment. This limits the resources it can be assigned to. For example: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'

properties.conditionVersion
  • string

Version of the condition. Currently the only accepted value is '2.0'

properties.createdBy
  • string

Id of the user who created the assignment

properties.createdOn
  • string

Time it was created

properties.delegatedManagedIdentityResourceId
  • string

Id of the delegated managed identity resource

properties.description
  • string

Description of role assignment

properties.principalId
  • string

The principal ID.

properties.principalType

Default value: User

The principal type of the assigned principal ID.

properties.roleDefinitionId
  • string

The role definition ID.

properties.scope
  • string

The role assignment scope.

properties.updatedBy
  • string

Id of the user who updated the assignment

properties.updatedOn
  • string

Time it was updated

type
  • string

The role assignment type.

RoleAssignmentListResult

Role assignment list operation result.

Name Type Description
nextLink
  • string

The skipToken to use for getting the next set of results.

value

Role assignment list.