Today's blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.
# PowerShell examples for managing Azure Role assignments
## List all role assignments in a subscription

```powershell
# Quote the scope: an unquoted {subscriptionId} is parsed by PowerShell as a script block
Get-AzRoleAssignment -Scope "/subscriptions/{subscriptionId}"
```
## Get all role assignments for a specific Resource Group

```powershell
$resourceGroupName = "myResourceGroup"
Get-AzRoleAssignment -ResourceGroupName $resourceGroupName
```
## Get all role assignments for a specific user

```powershell
$principalName = "user@azureis.fun"
# Returns only the role names; drop the Select-Object to also see the scope of each assignment
Get-AzRoleAssignment -SignInName $principalName | Select-Object -ExpandProperty RoleDefinitionName
```
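The two listing snippets above are the building blocks of an access review. As an added example, and not code from the original post, here is a function that audits one subscription's role assignments for broad privileged grants and for assignments whose principal no longer exists, and writes the result to CSV. It assumes `Connect-AzAccount` has already been run with an identity that can read role assignments; the function name, parameter names and the privileged-role list are my own choices.

```powershell
# Added example (not from the original post): audit privileged and orphaned
# role assignments in one subscription and export them for review.
# Assumes Az.Resources is installed and Connect-AzAccount has been run.
function Get-PrivilegedRoleAssignmentReport {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        # Roles that should only ever be granted narrowly (assumed list, adjust to policy)
        [string[]] $PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator'),
        [string] $OutputPath = ".\role-assignment-audit.csv"
    )

    $scope = "/subscriptions/$SubscriptionId"
    # -IncludeClassicAdministrators also lists legacy Co-Administrators, which are
    # easy to forget and are effectively Owner on the whole subscription
    $assignments = Get-AzRoleAssignment -Scope $scope -IncludeClassicAdministrators

    $report = foreach ($a in $assignments) {
        [pscustomobject]@{
            DisplayName        = $a.DisplayName
            SignInName         = $a.SignInName
            ObjectType         = $a.ObjectType
            RoleDefinitionName = $a.RoleDefinitionName
            Scope              = $a.Scope
            # Privileged role granted above resource-group level (subscription or management group)
            IsBroadPrivileged  = ($PrivilegedRoles -contains $a.RoleDefinitionName) -and
                                 ($a.Scope -notmatch '/resourceGroups/')
            # Deleted users/groups/service principals are reported with ObjectType "Unknown";
            # such assignments are dead weight and should be cleaned up
            IsOrphaned         = ($a.ObjectType -eq 'Unknown')
        }
    }

    $report | Export-Csv -Path $OutputPath -NoTypeInformation
    return $report
}

# Usage: show only the findings that need attention
$findings = Get-PrivilegedRoleAssignmentReport -SubscriptionId "{subscriptionId}"
$findings | Where-Object { $_.IsBroadPrivileged -or $_.IsOrphaned } |
    Format-Table DisplayName, ObjectType, RoleDefinitionName, Scope -AutoSize
```

The `IsBroadPrivileged` test is a simple scope heuristic: anything not under `/resourceGroups/` is treated as subscription-wide or inherited from a management group. Assignments at the resource level still appear in the CSV, so nothing is hidden; the flag only orders the review.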
## Add a role assignment to a user

```powershell
$principalName = "user@azureis.fun"
$roleName = "Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
New-AzRoleAssignment -SignInName $principalName -RoleDefinitionName $roleName -Scope $scope
```
## Remove a role assignment for a user

```powershell
$principalName = "user@azureis.fun"
$roleName = "Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
# With -SignInName, Remove-AzRoleAssignment also requires -RoleDefinitionName to identify the assignment
Remove-AzRoleAssignment -SignInName $principalName -RoleDefinitionName $roleName -Scope $scope
```
## Remove all role assignments for a specific user

```powershell
$principalName = "user@azureis.fun"
# Every assignment returned by Get-AzRoleAssignment is piped straight into the removal;
# append -WhatIf to Remove-AzRoleAssignment for a dry run first
Get-AzRoleAssignment -SignInName $principalName | Remove-AzRoleAssignment
```
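Piping every assignment into `Remove-AzRoleAssignment` is irreversible, and an offboarding script that runs against the wrong account takes access away with no record of what it was. As an added example, not part of the original post, the two functions below wrap the same operation with a JSON backup taken before anything is removed, honour `-WhatIf` / `-Confirm` through `ShouldProcess`, and can replay the backup. They assume `Connect-AzAccount` has been run; the function and parameter names are my own.

```powershell
# Added example (not from the original post): remove all of a principal's role
# assignments safely, with a restorable backup and -WhatIf support.
function Remove-PrincipalRoleAssignments {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SignInName,
        [string] $BackupPath = ".\role-assignment-backup-$(Get-Date -Format yyyyMMdd-HHmmss).json"
    )

    $assignments = @(Get-AzRoleAssignment -SignInName $SignInName)
    if ($assignments.Count -eq 0) {
        Write-Verbose "No role assignments found for $SignInName"
        return
    }

    # Persist the exact (principal, role, scope) triples before touching anything,
    # so the change can be reviewed or rolled back later
    $assignments |
        Select-Object ObjectId, DisplayName, RoleDefinitionName, Scope |
        ConvertTo-Json -Depth 3 |
        Set-Content -Path $BackupPath
    Write-Verbose "Backup of $($assignments.Count) assignment(s) written to $BackupPath"

    foreach ($a in $assignments) {
        $target = "$($a.RoleDefinitionName) for $($a.DisplayName) at $($a.Scope)"
        # ShouldProcess makes -WhatIf print the plan and -Confirm prompt per assignment
        if ($PSCmdlet.ShouldProcess($target, "Remove role assignment")) {
            Remove-AzRoleAssignment -ObjectId $a.ObjectId `
                                    -RoleDefinitionName $a.RoleDefinitionName `
                                    -Scope $a.Scope
        }
    }
}

# Re-create the assignments recorded by Remove-PrincipalRoleAssignments
function Restore-PrincipalRoleAssignments {
    param([Parameter(Mandatory)] [string] $BackupPath)

    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    foreach ($a in $saved) {
        New-AzRoleAssignment -ObjectId $a.ObjectId `
                             -RoleDefinitionName $a.RoleDefinitionName `
                             -Scope $a.Scope
    }
}

# Usage: dry run first, then the real removal
Remove-PrincipalRoleAssignments -SignInName "user@azureis.fun" -WhatIf
Remove-PrincipalRoleAssignments -SignInName "user@azureis.fun" -Verbose
```

Removing by `-ObjectId` rather than `-SignInName` means the function also works for a principal that has already been deleted from Entra ID (the `Get-AzRoleAssignment` call would then need `-ObjectId` as well), which is the usual state of affairs when cleaning up after an offboarding.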
## List all built-in roles

```powershell
Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $false }
```

## List all custom roles

```powershell
Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true }
```
## Create a custom role

```powershell
$roleName = "CustomRole"
$roleDescription = "This is a custom role."
$actions = "Microsoft.Storage/storageAccounts/write"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
New-AzRoleDefinition -Name $roleName -Description $roleDescription -Actions $actions -AssignableScopes $scope
```
## Update a custom role

```powershell
$roleName = "CustomRole"
$actionsToAdd = "Microsoft.Storage/storageAccounts/read"
$actionsToRemove = "Microsoft.Storage/storageAccounts/write"
$role = Get-AzRoleDefinition -Name $roleName
# Actions is a List<string>; [void] discards the True/False that Remove() would otherwise print
[void]$role.Actions.Remove($actionsToRemove)
$role.Actions.Add($actionsToAdd)
Set-AzRoleDefinition -Role $role
```
## Delete a custom role

```powershell
$roleName = "CustomRole"
Remove-AzRoleDefinition -Name $roleName
```
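The create, update and delete snippets above each act on one field of a role definition. As an added example, not code from the original post, here is the pattern that combines them into an idempotent least-privilege role: clone the built-in Reader definition so the `PSRoleDefinition` object is well-formed, replace its actions, and create or update depending on whether the role already exists. It assumes `Connect-AzAccount` has been run; the role name, the action lists and the function name are my own.

```powershell
# Added example (not from the original post): create or update a least-privilege
# custom role in one subscription. Assumes Connect-AzAccount has been run.
function Set-LeastPrivilegeStorageRole {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $RoleName = "Storage Account Operator (least privilege)"
    )

    $scope = "/subscriptions/$SubscriptionId"

    # Wildcard grant over storage accounts ...
    $actions = @('Microsoft.Storage/storageAccounts/*')
    # ... minus the operations that hand out or destroy data. NotActions only subtracts
    # from this role's own Actions; it is not a deny that overrides other assignments.
    $notActions = @(
        'Microsoft.Storage/storageAccounts/listKeys/action',
        'Microsoft.Storage/storageAccounts/regenerateKey/action',
        'Microsoft.Storage/storageAccounts/delete'
    )

    $role = Get-AzRoleDefinition -Name $RoleName
    $isNew = ($null -eq $role)
    if ($isNew) {
        # Start from Reader to get a valid object, then overwrite every field that matters
        $role = Get-AzRoleDefinition -Name 'Reader'
        $role.Id = $null
        $role.IsCustom = $true
        $role.Name = $RoleName
        $role.Description = 'Manage storage accounts without key access or deletion'
    }

    # Reconcile the lists with the desired state so re-running is safe
    $role.Actions.Clear()
    $actions | ForEach-Object { $role.Actions.Add($_) }
    $role.NotActions.Clear()
    $notActions | ForEach-Object { $role.NotActions.Add($_) }
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)

    if ($isNew) { return New-AzRoleDefinition -Role $role }
    return Set-AzRoleDefinition -Role $role
}

# Usage
$role = Set-LeastPrivilegeStorageRole -SubscriptionId "{subscriptionId}"
$role | Select-Object Name, Actions, NotActions, AssignableScopes
```

Two things worth checking after the call: `Get-AzRoleDefinition -Name` prints nothing when the role is missing, which is what the `$null` test relies on, and the role is only assignable inside the subscription listed in `AssignableScopes`, so an attempt to assign it elsewhere fails rather than silently widening its reach.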
## List all users or groups assigned to a specific role

```powershell
$roleName = "Contributor"
# Groups and service principals have no SignInName, so show DisplayName and ObjectType as well
Get-AzRoleAssignment -RoleDefinitionName $roleName | Select-Object DisplayName, SignInName, ObjectType, Scope
```
## List all permissions granted by a specific role

```powershell
$roleName = "Contributor"
$roleDefinition = Get-AzRoleDefinition -Name $roleName
# Control-plane permissions; NotActions, DataActions and NotDataActions are separate properties
$roleDefinition.Actions
```
## List all resource groups that a user has access to

```powershell
$principalName = "user@azureis.fun"
# Scope strings cannot be piped into Get-AzResourceGroup directly; extract the resource group
# name from each scope. Subscription-level assignments (access to every group) are not expanded here.
Get-AzRoleAssignment -SignInName $principalName |
    ForEach-Object { if ($_.Scope -match '^/subscriptions/[^/]+/resourceGroups/([^/]+)') { $Matches[1] } } |
    Sort-Object -Unique | ForEach-Object { Get-AzResourceGroup -Name $_ }
```
## Create a role assignment for a service principal

```powershell
# -ServicePrincipalName takes the application (client) ID of the service principal, not its object ID
$servicePrincipalAppId = "{applicationId}"
$roleName = "Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
New-AzRoleAssignment -ServicePrincipalName $servicePrincipalAppId -RoleDefinitionName $roleName -Scope $scope
```
## PowerShell script to manage Azure Role Assignments
And now there is a script that combines some of these examples into one usable function:
I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.
Vukasin Terzic