Add Multiple Users to Azure ARM Resource Group RBAC Role
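################## RBAC ROLES SCRIPT ############################
#
# Author DJD 4/11/2017
#
# Purpose: gather information about Azure ARM resources and RBAC role
# assignments, then grant or remove role assignments for a user, a group,
# a service principal, or a CSV list of users.
#
# This file is a command notebook: run the section you need rather than
# the whole file top to bottom. Every section after the login block
# assumes Add-AzureRmAccount / Connect-AzureAD have already succeeded.
#
# Requirements: the AzureRM and AzureAD modules, and an account holding
# Microsoft.Authorization/roleAssignments/write on each target scope.
# NOTE: the AzureRm module has since been superseded by the Az module
# (e.g. Add-AzureRmAccount -> Connect-AzAccount); the cmdlets map 1:1.
################################################################

## Login to Azure ARM.
## The credential is prompted for interactively instead of being written
## into the script: a plaintext password stored in a file (or a gist) is
## exposed through source control, shell history and anyone who can read
## the file, and it cannot be rotated without editing the script.
$azureAccountName = "username@.onmicrosoft.com"   # replace with your sign-in name
$psCred = Get-Credential -UserName $azureAccountName -Message "Azure AD credentials"
Add-AzureRmAccount -Credential $psCred -ErrorAction Stop

## Switch subscriptions and set the active context.
Set-AzureRmContext -SubscriptionName "subscriptionname"
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.sql"

############ List all Azure AD groups with Object ID and export to CSV for further use ########
Connect-AzureAD -Credential $psCred
# -NoTypeInformation drops the "#TYPE ..." header line that Windows PowerShell
# prepends to exported CSVs, which otherwise breaks Import-Csv consumers and
# spreadsheet tools that expect a plain header row.
Get-AzureADGroup | Export-Csv -Path "c:\Temp\EHM-AzureGroupdata.csv" -NoTypeInformation

############ List all current roles ############
Get-AzureRmRoleDefinition | Format-Table Name, Description

########## List actions of roles ####################
Get-AzureRmRoleDefinition Contributor | Format-List Actions, NotActions
(Get-AzureRmRoleDefinition "Virtual Machine Contributor").Actions   # role to get actions from

########## Get users who have access at a resource group ##############
Get-AzureRmRoleAssignment -ResourceGroupName P-RGE-ADDC | Format-List DisplayName, RoleDefinitionName, Scope   # replace the RG name

############## List roles assigned to a user ###############
Get-AzureRmRoleAssignment -SignInName v-daviddelorge@eaglehm.com | Format-List DisplayName, RoleDefinitionName, Scope
#### -ExpandPrincipalGroups also returns assignments the user inherits through group membership ####
Get-AzureRmRoleAssignment -SignInName v-daviddelorge@eaglehm.com -ExpandPrincipalGroups | Format-List DisplayName, RoleDefinitionName, Scope

################# Grant access ##################
################ To assign a role you need to identify both the object (user, group, or application) by its Object ID and the scope ######
############# Get the Object ID for an Azure AD group ######
Get-AzureRmADGroup -SearchString "TLR-BurnsData"

##### List all application role assignments for all service principals #########
# Get all service principals, and for each one, get all the app role assignments,
# resolving the app role ID to its display name.
Get-AzureADServicePrincipal | ForEach-Object {
    # Build a hash table of the service principal's app roles. The 0-Guid is
    # used in an app role assignment to indicate that the principal is assigned
    # to the default app role (or rather, no app role).
    $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
    $_.AppRoles | ForEach-Object { $appRoles[$_.Id] = $_.DisplayName }

    # Get the app role assignments for this app, and add a field for the app role name.
    # The assignment's Id field is the app role id, which is what the hash table is keyed on.
    Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) |
        Select-Object ResourceDisplayName, PrincipalDisplayName, Id |
        ForEach-Object { $_ | Add-Member -NotePropertyName "AppRoleDisplayName" -NotePropertyValue $appRoles[$_.Id] -PassThru }
}

##### Get the specific Object ID for an Azure service principal or application ######
Get-AzureRmADServicePrincipal -SearchString "ServiceNow - PROD"
## Copy the ObjectId from the output for use below ##

#######################################################################
### ASSIGN A ROLE TO AN APPLICATION AT SUBSCRIPTION SCOPE ##############
New-AzureRmRoleAssignment -ObjectId 028804df-dfcf-4fa9-886e-89d18bc99673 -RoleDefinitionName Contributor -Scope /subscriptions/a06a5db5-fbde-49a1-a9f0-bf20012db699

####### Assign a role to a user at the resource group scope ############
New-AzureRmRoleAssignment -SignInName v-daviddelorge@eaglehm.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName D-RGE-AzureB2C

############## Use a CSV file to add multiple users to a resource group ############
# Expected CSV column: Username (the user's sign-in name). Each row becomes one
# role assignment. A row that fails (unknown user, assignment already exists)
# is reported as a warning and the remaining rows are still processed.
$Users = Import-Csv -Path C:\Temp\Users.csv
$Users | ForEach-Object {
    try {
        New-AzureRmRoleAssignment -SignInName $_.Username -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName D-RGE-AzureB2C -ErrorAction Stop
    } catch {
        Write-Warning ("Role assignment failed for '{0}': {1}" -f $_.TargetObject, $_.Exception.Message)
    }
}

################# Assign a role to a group at the resource scope ###############
# Template - fill in the placeholders. Kept as a comment because "<" is the
# (reserved) redirection operator and the line does not parse as written.
# New-AzureRmRoleAssignment -ObjectId <object id> -RoleDefinitionName <role name in quotes> -ResourceName <resource name> -ResourceType <resource type> `
#     -ParentResource <parent resource> -ResourceGroupName <resource group name>

###################### Remove access #####################
# Template - fill in the placeholders (same parse caveat as above).
# Remove-AzureRmRoleAssignment -ObjectId <object id> -RoleDefinitionName <role name> -Scope <scope such as subscription id>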