Get-AzKeyVaultRoleAssignment
Get or list role assignments of a managed HSM. Use respective parameters to list assignments to a specific user or a role definition.
Syntax
Get-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
[-RoleDefinitionName <String>]
[-RoleDefinitionId <String>]
[-ObjectId <String>]
[-SignInName <String>]
[-ApplicationId <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzKeyVaultRoleAssignment
[-HsmName] <String>
[-Scope <String>]
-RoleAssignmentName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
Use the Get-AzKeyVaultRoleAssignment command to list all role assignments that are effective on a scope.
Without any parameters, this command returns all the role assignments made under the managed HSM.
This list can be filtered using filtering parameters for principal, role and scope.
The subject of the assignment must be specified.
To specify a user, use SignInName or Microsoft Entra ObjectId parameters.
To specify a security group, use Microsoft Entra ObjectId parameter.
And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters.
The role that is being assigned must be specified using the RoleDefinitionName or RoleDefinitionId parameter.
The scope at which access is being granted may be specified. It defaults to "/".
The cmdlet may call below Microsoft Graph API according to input parameters:
- GET /directoryObjects/{id}
- GET /users/{id}
- GET /servicePrincipals/{id}
- GET /groups/{id}
Examples
Example 1
Get-AzKeyVaultRoleAssignment -HsmName myHsm
RoleDefinitionName DisplayName ObjectType Scope
------------------ ----------- ---------- -----
Managed HSM Administrator User 1 (user1@microsoft.com) User /
Managed HSM Crypto Auditor User 2 (user2@microsoft.com) User /keys
Managed HSM Backup User 2 (user2@microsoft.com) User /
Managed HSM Administrator User 2 (user2@microsoft.com) User /This example lists all role assignments of "myHsm" on all the scope.
Example 2
Get-AzKeyVaultRoleAssignment -HsmName myHsm -SignInName user1@microsoft.com -Scope "/keys"
RoleDefinitionName DisplayName ObjectType Scope
------------------ ----------- ---------- -----
Managed HSM Crypto Auditor User 1 (user1@microsoft.com) User /keys
Managed HSM Backup User 1 (user1@microsoft.com) User /keysThis example lists all role assignments of "myHsm" on "/keys" scope and filters the result by user sign-in name.
Parameters
-ApplicationId
The app SPN.
| Type: | String |
| Aliases: | SPN, ServicePrincipalName |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-HsmName
Name of the HSM.
| Type: | String |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ObjectId
The user or group object id.
| Type: | String |
| Aliases: | Id, PrincipalId |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RoleAssignmentName
Name of the role assignment.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RoleDefinitionId
Role Id the principal is assigned to.
| Type: | String |
| Aliases: | RoleId |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RoleDefinitionName
Name of the RBAC role to assign the principal with.
| Type: | String |
| Aliases: | RoleName |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Scope
Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignInName
The user SignInName.
| Type: | String |
| Aliases: | Email, UserPrincipalName |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
None
Outputs
Azure PowerShell