Quick Tip: Getting Role Assignments on all Azure resources using PowerShell

Here is a quick PowerShell tip to get a list of role assignments on all resources across multiple subscriptions and tenants. The single script exports the role assignments into a CSV file that can later be filtered in Microsoft Excel. Checking permissions on resources through the portal can be a time-consuming process, so this script can be really handy.

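#Get a list of all subscriptions and tenants that are visible to the current user/scope
#Wrapping the call in @() keeps the result an array (so IndexOf works) even when only one subscription is returned
$subscriptions = @(Get-AzSubscription)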

#Initialize an empty Array. This is the array where we will accumulate all role assignments
$assignments = @()

#Process each subscription in the subscriptions array
foreach($subscription in $subscriptions){
  
  #Set context to the subscription and display a message on screen
  $null = Set-azcontext $subscription.SubscriptionId -Tenant $subscription.TenantId
  Write-host ("=== [{3}/{4}] Subscription: '{0}', Subscription ID: '{1}', Tenant ID: '{2}' ===`n" -f `
                    $subscription.Name, $subscription.SubscriptionId, $subscription.TenantId, ($subscriptions.IndexOf($subscription) + 1), $subscriptions.Count )
  
  #Get a list of resources in the current subscription context/scope
  #Wrapping the call in @() keeps the result an array even when only one resource is returned
  $resources = @(Get-AzResource)
  
  #Process each resource in the resources variable
  foreach($resource in $resources){
    #Display on the screen which resource we are processing and its 1-based position in the list to indicate how many resources have been processed
    write-host ("`t`t[{1}/{2}] Checking assignments on resource name '{0}', Resource Type: '{3}'" -f `
                    $resource.ResourceName, ($resources.IndexOf($resource) + 1), $resources.Count, $resource.ResourceType)

    #Get the Role assignment, add additional columns like Resource Name, Resource Group Name, Resource Type, Location, Subscription etc
    # This is to ensure we have enough information in the output to create CSV filters later
    #Accumulate the output to the assignments array
    $assignments += (Get-AzRoleAssignment -Scope $resource.id | Select * , @{label="ResourceName";e={$resource.ResourceName}},`
                                                                           @{label="ResourceGroupName";e={$resource.ResourceGroupName}},`
                                                                           @{label="ResourceType";e={$resource.ResourceType}},`
                                                                           @{label="ResourceID";e={$resource.ResourceID}},`
                                                                           @{label="Location";e={$resource.Location}},`
                                                                           @{label="Subscription";e={$Subscription.Name}},`
                                                                           @{label="SubscriptionID";e={$Subscription.SubscriptionId}},`
                                                                           @{label="TenantID";e={$Subscription.TenantId}})
 }
}

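#Export the assignments into a CSV file in the current directory
#The timestamp uses HH (24-hour clock) so that file names are unambiguous and sort chronologically
$assignments | Export-CSV -Path ( `
                                    Join-Path -Path "." `
                                              -ChildPath ("resourcereport-{0}.csv" `
                                              -f (Get-Date `
                                                    -Format "yyyyMMddHHmmss"))`
                                 ) -NoTypeInformation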
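
Get-AzRoleAssignment -Scope returns assignments inherited from parent scopes as well as those made on the resource itself, so the report repeats every inherited assignment once per resource. The following added example (not part of the original script) collapses those repeats and marks privileged roles assigned directly on a resource. The function name Get-RoleAssignmentSummary, the sample rows and the privileged-role list are assumptions made for illustration.

```powershell
# Constructed sample rows, using a subset of the columns the report contains.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sa  = "$sub/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stappdata"
$kv  = "$sub/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"
$rows = @"
Scope,DisplayName,ObjectType,RoleDefinitionName,ResourceName,ResourceID
$sub,Platform Admins,Group,Owner,stappdata,$sa
$sub,Platform Admins,Group,Owner,kv-app,$kv
$sa,build-sp,ServicePrincipal,Contributor,stappdata,$sa
$kv,Alice Example,User,Reader,kv-app,$kv
"@ | ConvertFrom-Csv
# For a real report, replace the block above with:
#   $rows = Import-Csv .\resourcereport-<timestamp>.csv

# Hypothetical helper: one output line per distinct assignment instead of one per resource.
function Get-RoleAssignmentSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # Assumption: the built-in roles treated as privileged for this review
        [string[]] $PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )
    # An inherited assignment shows up once per resource; grouping collapses the repeats.
    $Rows | Group-Object Scope, DisplayName, RoleDefinitionName | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            DisplayName   = $first.DisplayName
            ObjectType    = $first.ObjectType
            Role          = $first.RoleDefinitionName
            # Direct when the assignment scope is the resource itself (-eq ignores case)
            AssignedAt    = if ($first.Scope -eq $first.ResourceID) { 'Resource' } else { 'Inherited' }
            Privileged    = $PrivilegedRoles -contains $first.RoleDefinitionName
            ResourceCount = $_.Count
            Scope         = $first.Scope
        }
    }
}

# Privileged assignments first, then by where they were granted.
Get-RoleAssignmentSummary -Rows $rows |
    Sort-Object @{ Expression = 'Privileged'; Descending = $true }, AssignedAt, DisplayName |
    Format-Table DisplayName, ObjectType, Role, AssignedAt, Privileged, ResourceCount -AutoSize
```

Rows marked Privileged with AssignedAt set to Resource are the ones that are easy to miss when reviewing access only at subscription or resource group level.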