
Manage Azure Role Assignments Like a Pro with PowerShell


Today’s blog post is a little bit different. Here are a few examples of PowerShell snippets and simple cmdlets you can use to get or set role assignments in your Azure subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription

# This includes assignments inherited from a management group above the subscription; check the Scope column.
Get-AzRoleAssignment -Scope /subscriptions/{subscriptionId}

Get all role assignments for a specific Resource Group

$resourceGroupName = "myResourceGroup"
Get-AzRoleAssignment -ResourceGroupName $resourceGroupName

Get all role assignments for a specific user

$principalName = "user@azureis.fun"
# -SignInName alone returns only assignments made directly to the user. -ExpandPrincipalGroups also
# returns access the user gets through group membership, which is what you want when reviewing access.
Get-AzRoleAssignment -SignInName $principalName -ExpandPrincipalGroups | Select-Object RoleDefinitionName, Scope, ObjectType

Add a role assignment to a user

$principalName = "user@azureis.fun"
$roleName = "Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
New-AzRoleAssignment -SignInName $principalName -RoleDefinitionName $roleName -Scope $scope

Remove a role assignment for a user

$principalName = "user@azureis.fun"
$roleName = "Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
# Remove-AzRoleAssignment needs the role name as well as the principal and scope to identify one assignment.
Remove-AzRoleAssignment -SignInName $principalName -RoleDefinitionName $roleName -Scope $scope

Remove all role assignments for a specific user

$principalName = "user@azureis.fun"
# Only direct assignments are returned and removed here; access granted via group membership remains.
# Add -WhatIf to Remove-AzRoleAssignment first to see what would be deleted.
Get-AzRoleAssignment -SignInName $principalName | Remove-AzRoleAssignment
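As an added example that is not part of the original post, here is the "remove all" step wrapped so it can be dry-run, leaves a record of what was removed, and warns about access the user keeps through groups. It assumes the Az.Resources module and an existing Connect-AzAccount session; the function name and the export path are my own choices.

```powershell
# Added example (not from the original post): offboard a user's direct Azure RBAC assignments
# with an audit trail. Assumes Az.Resources is installed and Connect-AzAccount has been run.
#Requires -Modules Az.Resources

function Remove-AzUserRoleAssignmentSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SignInName,
        # Illustrative default; keep the file with your change record.
        [string] $ExportPath = (Join-Path $PWD "rbac-offboard-$(Get-Date -Format yyyyMMddTHHmmss).json")
    )

    # Direct assignments are the only ones this function can remove.
    $direct = @(Get-AzRoleAssignment -SignInName $SignInName)

    # -ExpandPrincipalGroups also returns the assignments of groups the user belongs to.
    # Those belong to the group, so removing them here would affect every member; they are only reported.
    $viaGroups = @(Get-AzRoleAssignment -SignInName $SignInName -ExpandPrincipalGroups |
        Where-Object { $_.ObjectType -eq 'Group' })

    # Snapshot what is about to change so each grant can be reconstructed if needed.
    $snapshot = @($direct | Select-Object RoleAssignmentId, Scope, RoleDefinitionName, ObjectId, SignInName, ObjectType)
    ConvertTo-Json -InputObject $snapshot -Depth 3 | Set-Content -Path $ExportPath
    Write-Verbose "Exported $($direct.Count) direct assignment(s) to $ExportPath"

    foreach ($a in $direct) {
        $target = "$($a.RoleDefinitionName) on $($a.Scope)"
        # ShouldProcess gives us -WhatIf and -Confirm for free.
        if ($PSCmdlet.ShouldProcess($target, "Remove role assignment for $SignInName")) {
            Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
        }
    }

    foreach ($g in $viaGroups) {
        Write-Warning ("{0} still has '{1}' on {2} via group '{3}'; remove the group membership in Entra ID." -f
            $SignInName, $g.RoleDefinitionName, $g.Scope, $g.DisplayName)
    }
}

# Dry run first, then the real thing:
# Remove-AzUserRoleAssignmentSafely -SignInName user@azureis.fun -WhatIf
# Remove-AzUserRoleAssignmentSafely -SignInName user@azureis.fun -Confirm:$false -Verbose
```

The point of the export is not rollback convenience alone: when an offboarding is questioned later, the JSON is the evidence of exactly which grants existed and were removed.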

List all built-in roles

Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $false }

List all custom roles

Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true }

Create a custom role

$roleName = "CustomRole"
$roleDescription = "This is a custom role."
$actions = "Microsoft.Storage/storageAccounts/write"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
# New-AzRoleDefinition has no -Name/-Actions parameters; it takes a PSRoleDefinition object (-Role) or a JSON file (-InputFile).
$role = Get-AzRoleDefinition -Name "Reader"   # clone a built-in role as a template and replace its content
$role.Id = $null; $role.Name = $roleName; $role.Description = $roleDescription; $role.IsCustom = $true
$role.Actions.Clear(); $role.Actions.Add($actions); $role.NotActions.Clear()
$role.AssignableScopes.Clear(); $role.AssignableScopes.Add($scope)
New-AzRoleDefinition -Role $role

Update a custom role

$roleName = "CustomRole"
$actionsToAdd = "Microsoft.Storage/storageAccounts/read"
$actionsToRemove = "Microsoft.Storage/storageAccounts/write"
$role = Get-AzRoleDefinition -Name $roleName
# List.Remove returns $false (and changes nothing) if the action is not present; Out-Null keeps the result off the pipeline.
$role.Actions.Remove($actionsToRemove) | Out-Null
$role.Actions.Add($actionsToAdd)
Set-AzRoleDefinition -Role $role

Delete a custom role

$roleName = "CustomRole"
# Deletion fails while assignments of the role still exist; list them with Get-AzRoleAssignment -RoleDefinitionName $roleName and remove them first.
Remove-AzRoleDefinition -Name $roleName

List all users or groups assigned to a specific role

$roleName = "Contributor"
# SignInName is empty for groups and service principals, so show DisplayName and ObjectType as well.
Get-AzRoleAssignment -RoleDefinitionName $roleName | Select-Object DisplayName, ObjectType, SignInName, Scope

List all permissions granted by a specific role

$roleName = "Contributor"
$roleDefinition = Get-AzRoleDefinition -Name $roleName
# Effective permissions are Actions minus NotActions (and DataActions minus NotDataActions), so look at all four.
$roleDefinition | Format-List Actions, NotActions, DataActions, NotDataActions

List all resource groups that a user has access to

$principalName = "user@azureis.fun"
# Scope strings cannot be piped to Get-AzResourceGroup; extract the resource group name, and treat a subscription-level assignment as access to every resource group.
Get-AzRoleAssignment -SignInName $principalName -ExpandPrincipalGroups | ForEach-Object {
    if ($_.Scope -match '^/subscriptions/[^/]+/resourceGroups/([^/]+)') { Get-AzResourceGroup -Name $Matches[1] -ErrorAction SilentlyContinue }
    elseif ($_.Scope -match '^/subscriptions/[^/]+$') { Get-AzResourceGroup }
} | Sort-Object ResourceGroupName -Unique

Create a role assignment for a service principal

$applicationId = "{applicationId}"   # the service principal's application (client) ID, not its object ID
$roleName = "Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
# -ServicePrincipalName is an alias of -ApplicationId and expects the app ID; if you only have the object ID, use -ObjectId instead.
New-AzRoleAssignment -ApplicationId $applicationId -RoleDefinitionName $roleName -Scope $scope

PowerShell script to manage Azure Role Assignments

And now there is a script that combines some of these examples into one usable function:
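The original script is not reproduced on this page. As an added example of my own, not the author's script, here is a function that combines the "list" snippets above into a review of a subscription's role assignments, flagging the things a security reviewer looks for first: privileged built-in roles, custom roles with wildcard actions, broad scopes, grants to groups, and orphaned principals. It assumes the Az.Resources module and an existing Connect-AzAccount session; the function name and the choice of roles treated as privileged are assumptions.

```powershell
# Added example, not the author's script: audit a subscription's role assignments for the
# patterns that most often matter in a review. Assumes Az.Resources is installed and
# Connect-AzAccount has already been run against the right tenant.
#Requires -Modules Az.Resources

function Get-AzRoleAssignmentRiskReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        # Built-in roles that grant write access to everything in scope, or control of RBAC itself.
        [string[]] $PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator'),
        # Also report assignments inherited from a management group (they appear in the listing).
        [switch] $IncludeInherited
    )

    $subScope = "/subscriptions/$SubscriptionId"
    $assignments = @(Get-AzRoleAssignment -Scope $subScope)
    if (-not $IncludeInherited) {
        $assignments = @($assignments | Where-Object { $_.Scope -like "$subScope*" })
    }

    # Resolve each role definition once so custom roles can be inspected without a call per assignment.
    $definitions = @{}
    foreach ($def in Get-AzRoleDefinition -Scope $subScope) { $definitions[$def.Name] = $def }

    foreach ($a in $assignments) {
        $def = $definitions[$a.RoleDefinitionName]
        $findings = [System.Collections.Generic.List[string]]::new()

        if ($PrivilegedRoles -contains $a.RoleDefinitionName) {
            $findings.Add('privileged built-in role')
        }
        # A custom role whose Actions contain '*' is Contributor-or-better regardless of its name.
        if ($def -and $def.IsCustom -and ($def.Actions -contains '*')) {
            $findings.Add('custom role with wildcard action')
        }
        # Anything not scoped to a resource group or resource applies to the whole subscription or above.
        if ($a.Scope -notmatch '/resourceGroups/' -and $a.RoleDefinitionName -ne 'Reader') {
            $findings.Add('broad scope (subscription or above)')
        }
        # A group hides the real set of identities behind the grant; its membership needs its own review.
        if ($a.ObjectType -eq 'Group') { $findings.Add('assigned to a group') }
        # Deleted principals leave orphaned assignments that should be cleaned up.
        if ($a.ObjectType -eq 'Unknown') { $findings.Add('principal no longer exists') }

        if ($findings.Count -gt 0) {
            $principal = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
            [pscustomobject]@{
                Principal  = $principal
                ObjectType = $a.ObjectType
                Role       = $a.RoleDefinitionName
                Scope      = $a.Scope
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Example run; pipe to Export-Csv to keep the evidence with the review.
# Get-AzRoleAssignmentRiskReport -SubscriptionId '{subscriptionId}' | Format-Table -AutoSize
```

Because the function emits objects rather than text, the same output can be filtered (for example, only `Findings -like '*wildcard*'`) or exported without changing the function.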

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Updated Mar 15, 2023
This post is licensed under CC BY 4.0