Fantasillion/azuser IAM.ps1

## azuser IAM.ps1
# Connect and choose subscription
# connect-AzAccounts

# Initialize azusers as an array
$azusers = @()

# Get all resource groups
$resourceGroups = Get-AzResourceGroup

# Get all resources
$resources = Get-AzResource

# Initialize progress counter
$totalElements = $resourceGroups.Count + $resources.Count + 1
$progressCounter = 0

# Loop through each resource group
foreach ($rg in $resourceGroups) {
    # Update progress
    $progressCounter++
    Write-Progress -Activity "Step 1 of 3 - Scanning Resource Groups - Elements scanned" -Status "$progressCounter of $totalElements" -PercentComplete (($progressCounter / $totalElements) * 100)

    # Store the resource group name in a variable
    $rgName = $rg.ResourceGroupName

    # Get AzRoleAssignment for each Resource Group
    $azRoleAssignments = Get-AzRoleAssignment -Scope $rg.ResourceId

    # Filter out the inherited role assignments
    $nonInheritedAzRoleAssignments = $azRoleAssignments | Where-Object { $_.Scope -eq $rg.ResourceId }

    # Output all non-inherited AzRoleAssignments for the Resource Group
    $azusers += $nonInheritedAzRoleAssignments | Select-Object DisplayName, RoleAssignmentID, @{Name = "ResourceGroup Name"; Expression = { $rgName }}, Scope, RoleDefinitionName, ObjectType, @{Name = "IAM Role Level"; Expression = { "Resource Group" }}
}

# Loop through each resource
foreach ($res in $resources) {
    # Update progress
    $progressCounter++
    Write-Progress -Activity "Step 2 of 3 - Scanning Resources - Elements scanned" -Status "$progressCounter of $totalElements" -PercentComplete (($progressCounter / $totalElements) * 100)

    # Get AzRoleAssignment for each Resource
    $resourceAzRoleAssignments = Get-AzRoleAssignment -Scope $res.ResourceId

    # Filter out the inherited role assignments
    $nonInheritedResourceAzRoleAssignments = $resourceAzRoleAssignments | Where-Object { $_.Scope -eq $res.ResourceId }

    # Output all non-inherited AzRoleAssignments for the Resource
    $azusers += $nonInheritedResourceAzRoleAssignments | Select-Object DisplayName, RoleAssignmentID, @{Name = "ResourceGroup Name"; Expression = { if ($_.Scope -match '/resourceGroups/') { ($_.Scope -split '/resourceGroups/')[1].Split('/')[0] } else { $null } }}, Scope, RoleDefinitionName, ObjectType, @{Name = "IAM Role Level"; Expression = { "Resource" }}
}

# Get AzRoleAssignment for the subscription
$subscriptionId = (Get-AzContext).Subscription.Id
$subscriptionName = (Get-AzContext).Subscription.Name
$subscriptionAzRoleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId"

# Filter out the role assignments that are not at the subscription level
$subscriptionLevelAzRoleAssignments = $subscriptionAzRoleAssignments | Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" }

# Output the AzRoleAssignments for the subscription
$azusers += $subscriptionLevelAzRoleAssignments | Select-Object DisplayName, RoleAssignmentID, @{Name = "ResourceGroup Name"; Expression = { "N/A" }}, Scope, RoleDefinitionName, ObjectType, @{Name = "IAM Role Level"; Expression = { "Subscription" }}

# Update progress
$progressCounter++
Write-Progress -Activity "Step 3 of 3 - Scanning Subscription - Elements scanned" -Status "$progressCounter of $totalElements" -PercentComplete 100

# Output the results to a grid view
$azusers | Out-GridView

# Output the results to a CSV file
$azusers | Export-Csv -Path "c:\temp\Azure$subscriptionNameUserlist$(Get-Date -Format 'yyyyMMddHHmmss').csv" -NoTypeInformation -Encoding ISO-8859-1
	# Connect and choose subscription
	# connect-AzAccounts

	# Initialize azusers as an array
	$azusers = @()

	# Get all resource groups
	$resourceGroups = Get-AzResourceGroup

	# Get all resources
	$resources = Get-AzResource

	# Initialize progress counter
	$totalElements = $resourceGroups.Count + $resources.Count + 1
	$progressCounter = 0

	# Loop through each resource group
	foreach ($rg in $resourceGroups) {
	# Update progress
	$progressCounter++
	Write-Progress -Activity "Step 1 of 3 - Scanning Resource Groups - Elements scanned" -Status "$progressCounter of $totalElements" -PercentComplete (($progressCounter / $totalElements) * 100)

	# Store the resource group name in a variable
	$rgName = $rg.ResourceGroupName

	# Get AzRoleAssignment for each Resource Group
	$azRoleAssignments = Get-AzRoleAssignment -Scope $rg.ResourceId

	# Filter out the inherited role assignments
	$nonInheritedAzRoleAssignments = $azRoleAssignments \| Where-Object { $_.Scope -eq $rg.ResourceId }

	# Output all non-inherited AzRoleAssignments for the Resource Group
	$azusers += $nonInheritedAzRoleAssignments \| Select-Object DisplayName, RoleAssignmentID, @{Name = "ResourceGroup Name"; Expression = { $rgName }}, Scope, RoleDefinitionName, ObjectType, @{Name = "IAM Role Level"; Expression = { "Resource Group" }}
	}

	# Loop through each resource
	foreach ($res in $resources) {
	# Update progress
	$progressCounter++
	Write-Progress -Activity "Step 2 of 3 - Scanning Resources - Elements scanned" -Status "$progressCounter of $totalElements" -PercentComplete (($progressCounter / $totalElements) * 100)

	# Get AzRoleAssignment for each Resource
	$resourceAzRoleAssignments = Get-AzRoleAssignment -Scope $res.ResourceId

	# Filter out the inherited role assignments
	$nonInheritedResourceAzRoleAssignments = $resourceAzRoleAssignments \| Where-Object { $_.Scope -eq $res.ResourceId }

	# Output all non-inherited AzRoleAssignments for the Resource
	$azusers += $nonInheritedResourceAzRoleAssignments \| Select-Object DisplayName, RoleAssignmentID, @{Name = "ResourceGroup Name"; Expression = { if ($_.Scope -match '/resourceGroups/') { ($_.Scope -split '/resourceGroups/')[1].Split('/')[0] } else { $null } }}, Scope, RoleDefinitionName, ObjectType, @{Name = "IAM Role Level"; Expression = { "Resource" }}
	}

	# Get AzRoleAssignment for the subscription
	$subscriptionId = (Get-AzContext).Subscription.Id
	$subscriptionName = (Get-AzContext).Subscription.Name
	$subscriptionAzRoleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId"

	# Filter out the role assignments that are not at the subscription level
	$subscriptionLevelAzRoleAssignments = $subscriptionAzRoleAssignments \| Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" }

	# Output the AzRoleAssignments for the subscription
	$azusers += $subscriptionLevelAzRoleAssignments \| Select-Object DisplayName, RoleAssignmentID, @{Name = "ResourceGroup Name"; Expression = { "N/A" }}, Scope, RoleDefinitionName, ObjectType, @{Name = "IAM Role Level"; Expression = { "Subscription" }}

	# Update progress
	$progressCounter++
	Write-Progress -Activity "Step 3 of 3 - Scanning Subscription - Elements scanned" -Status "$progressCounter of $totalElements" -PercentComplete 100

	# Output the results to a grid view
	$azusers \| Out-GridView

	# Output the results to a CSV file
	$azusers \| Export-Csv -Path "c:\temp\Azure$subscriptionNameUserlist$(Get-Date -Format 'yyyyMMddHHmmss').csv" -NoTypeInformation -Encoding ISO-8859-1