/Get-AzureRoleAssignments.ps1
Created Apr 12, 2019
Script to report on all role assignments to a subscription or optionally to look for a named users role assignments.
| Connect-AzureRmAccount | |
| $Logfile = "C:\Temp\RoleAssignmentsLog.csv" | |
| If (Test-Path $Logfile) { | |
| Clear-Content -Path $Logfile | |
| } | |
| $Subscription1 = "<SubscriptionGUID>" | |
| $Subscription2 = "<SubscriptionGUID>" | |
| Add-Content $Logfile "RG/Subscription,RoleDefinitionName,DisplayName,SignInName,ObjectType" | |
| #Do first subscription top level | |
| Set-AzureRmContext -Subscription $Subscription1 | |
| $S1SubscriptionRoles = $NULL | |
| $S1SubscriptionRoles = Get-AzureRmRoleAssignment | |
| ForEach ($S1Role in $S1SubscriptionRoles) { | |
| $RoleInfo = $NULL | |
| [String]$RoleInfo = $Subscription1 + "," + $S1Role.RoleDefinitionName + "," + $S1Role.DisplayName + "," + $S1Role.SignInName + "," + $S1Role.ObjectType | |
| Add-Content $Logfile $RoleInfo | |
| } | |
| #Then do each RG in the first Subscription: | |
| $S1RGs = $NULL | |
| $S1RGs = Get-AzureRmResourceGroup | |
| ForEach ($RG in $S1RGs) { | |
| $Role = $NULL | |
| $Roles = $NULL | |
| $RoleInfo = $NULL | |
| $RGName = $NULL | |
| $RGName = $RG.ResourceGroupName | |
| $Roles = Get-AzureRmRoleAssignment -ResourceGroupName $RGName #-SignInName "Jon@oholics.onmicrosoft.com" | |
| ForEach ($Role in $Roles) { | |
| [String]$RoleInfo = $RGName + "," + $Role.RoleDefinitionName + "," + $Role.DisplayName + "," + $Role.SignInName + "," + $Role.ObjectType | |
| Add-Content $Logfile $RoleInfo | |
| } | |
| } | |
| #Then the second Subscription top level: | |
| Set-AzureRmContext -Subscription $Subscription2 | |
| $S2SubscriptionRoles = $NULL | |
| $S2SubscriptionRoles = Get-AzureRmRoleAssignment | |
| ForEach ($S2Role in $S2SubscriptionRoles) { | |
| $RoleInfo = $NULL | |
| [String]$RoleInfo = $Subscription2 + "," + $S2Role.RoleDefinitionName + "," + $S2Role.DisplayName + "," + $S2Role.SignInName + "," + $S2Role.ObjectType | |
| Add-Content $Logfile $RoleInfo | |
| } | |
| Add-Content $Logfile $RoleInfo | |
| #Then do each RG in the second subscription: | |
| $S2RGs = $NULL | |
| $S2RGs = Get-AzureRmResourceGroup | |
| ForEach ($RG in $S2RGs) { | |
| $Role = $NULL | |
| $Roles = $NULL | |
| $RoleInfo = $NULL | |
| $RGName = $NULL | |
| $RGName = $RG.ResourceGroupName | |
| $Roles = Get-AzureRmRoleAssignment -ResourceGroupName $RGName #-SignInName "Jon@oholics.onmicrosoft.com" | |
| ForEach ($Role in $Roles) { | |
| [String]$RoleInfo = $RGName + "," + $Role.RoleDefinitionName + "," + $Role.DisplayName + "," + $Role.SignInName + "," + $Role.ObjectType | |
| Add-Content $Logfile $RoleInfo | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment