- Permanently delete a Key Vault in Azure using PowerShell - Fri, Feb 4 2022
- Restore Azure Files with PowerShell - Fri, Jan 28 2022
- Bulk restore deleted Azure AD users - Wed, Dec 29 2021
Managing role definitions ^
Almost every day we keep hearing of new developments and features coming in Azure. With this, it is getting more important to maintain services in an isolated and secure manner. Azure has a very wide range of services that several different teams at companies consume. At a company, it is critical to separate roles and permissions and assign correct permissions to correct teams so that each team can only access the resources they are responsible for.
Each role in Azure consists of a number of role actions that are like permission sets. You can customize these permission sets if you need to create any custom roles. In such cases, you can pick up required actions and place them in a custom role definition that you can then assign to a specific user, group, or application.
First, let's take a look at all available roles in Azure. Roles in Azure are called "role definitions." You can list them with this command:
GetAzureRmRoleDefinition | ft name
Role definitions represent Azure roles
There are currently 62 roles available in Azure, but Microsoft will no doubt add new roles as they roll out new services in the future.
Each role consists of several actions, which basically represent the permission sets over certain services. For example, the Network Contributor role contains several actions like Microsoft.Network/*. This one basically entails every possible action in the Microsoft.Network resource provider. So if we grant a user the Network Contributor role, the user will be able to take any actions in specified network resources.
So to see all actions available in a specific Azure role, we should execute the following:
(Get-AzureRmRoleDefinition "Network Contributor").actions
The actions in a role definition are permission sets used to grant access to objects
As seen above, the Network Contributor role has seven actions defined in it. Let's look at another example for the Virtual Machine Contributor role and see what actions it contains.
(Get-AzureRmRoleDefinition "Virtual Machine Contributor").actions
Virtual Machine Contributor role actions
The Virtual Machine Contributor role has a number of actions available. You may have noticed that both the Network Contributor and Virtual Machine Contributor roles have some common actions defined in their action lists. That's because virtual machine administrators may need to manage network-related resources such as network interface cards, load balancers, and so on, which might be associated with a certain virtual machine.
Managing role assignments ^
It is also important for admins to check who has access on resources such as a subscription or a resource group. To view current permissions on all resources to which a user has access, use the following line:
Get-AzureRmRoleAssignment -SignInName "username@domain.com"
In case we'd like to list the permissions of a group a specific user is a member of on all resources, we need to use the following:
Get-AzureRmRoleAssignment -SignInName "username@domain.com" -ExpandPrincipalGroups
A user's permissions on a resource inherited from a group
ObjectType simply shows whether the object is a user, group, or application.
If we want to list permissions on a specific resource, we can narrow down the result by specifying the scope using this command:
Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | select displayname
All objects that have permissions over a specific subscription
This command lists all objects including users, groups, and applications that have permissions on a specific resource. In this scenario it is a subscription.
Managing custom roles ^
Besides listing roles and permissions in Azure, it is also very important for admins to be able to grant users or groups the necessary roles on certain resources. To be able to assign a role to a group, first we need to get the group's ObjectID using the command below:
Get-AzureRmADGroup -SearchString "Sales (Sample Group)"
Getting a group's ObjectID
We can now assign a role to this group using the ObjectID of the group, the role definition required, and the scope. In this scenario we will assign the Virtual Machine Contributor role to the Sales group over the subscription with a subscription ID of f0675ec9-480d-4c2a-982a-ed97983af390.
New-AzureRmRoleAssignment -ObjectId "74b007ea-ab34-4209-981e-c538200fe251" ‑RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390"
Creating a custom role and assigning it to a group
Of course, we can grant users and applications specific permissions in exactly the same way we used above.
To remove a role from a specific user, group, or application:
Remove-AzureRmRoleAssignment -ObjectId "74b007ea-ab34-4209-981e-c538200fe251" -RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390"
Removing a custom role
As you can see, there are hundreds of different scenarios when it comes to managing roles and permissions in Azure.
Creating a role-based access control report ^
Lastly, let's create a report in detail showing all the permissions assigned to users, groups, and applications throughout a subscription.
Subscribe to 4sysops newsletter!
$result=@()
$result+="displayname,objecttype,roledefinitionname,actions"
Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | foreach{
$displayname=$_.DisplayName
$objecttype=$_.ObjectType
$roledefinitionname=$_.RoleDefinitionName
$actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
$result+="$displayname,$objecttype,$roledefinitionname,$actions"
}
$result | out-file c:\filename.csv
Reporting Azure roles assigned to the objects
In this article, we've had a look at Azure roles and how we can easily manage role assignment tasks for Azure resources.
HI Baki,
Your script is fantastic, I need an extra column detailed with the Group name the each user belongs to.
Thanks,
K. Hasan
Thanks for ur script. How to list all the rbac for all the subscriptions as I am an admin for the enterprise azure. Can you pls advise.
Hi,
How can we automate the user access provisioning on resources using some service account, We are working on it but not able to figure it out.
Thanks in advance……
Naveen Daka
I want to copy contributor role and create custom role with (all permissions of custom role without delete operation).
When I try to (get-azurermroledefinition “Contributor”).actions it will not display any output.. however its working for other roles.. is there any syntax error?
And what’s the command to copy role
Hi Hasan,
The following code would allow you to add group membership information if the object type is “user”.
$result=@()
$groups=(Get-AzureRmADUser | select id).id.guid
$result+=”displayname,objecttype,roledefinitionname,actions,groups”
Get-AzureRmRoleAssignment -scope “/subscriptions/SUBSCTIPTIONID” | foreach{
$displayname=$_.DisplayName
$objecttype=$_.ObjectType
if($objecttype -eq “user”){
$objectid=$_.objectid
$groups=(Get-AzureADUserMembership -ObjectId $objectid).objectid.guid
}
$roledefinitionname=$_.RoleDefinitionName
$actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
$result+=”$displayname,$objecttype,$roledefinitionname,$actions,$groups”
}
$result | out-file c:\filename.csv
Hi Ramesh,
this is what you are looking for
$result=@()
$result+=”displayname,objecttype,roledefinitionname,actions”
$subscriptions=(get-azurermsubscription).SubscriptionId
foreach($subscriptionid in $subscriptions){
Get-AzureRmRoleAssignment -scope “/subscriptions/$subscriptionid” | foreach{
$displayname=$_.DisplayName
$objecttype=$_.ObjectType
$roledefinitionname=$_.RoleDefinitionName
$actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
$result+=”$displayname,$objecttype,$roledefinitionname,$actions”
}
}
$result | out-file c:\filename.csv
Hi Naveen,
Can you please elaborate what you need to achieve?
thx
Onur
Hi RamaKrishna,
that’s because Contributor role has all actions BUT the actions listen in the property named “NOTaction”
so, think of it as it has all the actions except the ones listed in “Notactions”
(get-azurermroledefinition “Contributor”) | select -ExpandProperty actions
(get-azurermroledefinition “Contributor”) | select -ExpandProperty notactions
thx
Onur
Hello Onur,
Thanks for the script to list all RBAC resources within a subscription works well . How can i add resource group as well in the report.
$result=@() $result+="displayname,objecttype,roledefinitionname,actions" Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | foreach{ $displayname=$_.DisplayName $objecttype=$_.ObjectType $roledefinitionname=$_.RoleDefinitionName $actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions $result+="$displayname,$objecttype,$roledefinitionname,$actions" } $result | out-file c:\filename.csvIs there a way to list the displayname and the resources to which they have access and what level access.This would help do a security audit about who has access to which resource and as what role. For example:
DisplayName,ObjectType,RoleDefinitionName,Actions,ResourceName,ResourceType,ResourceGroupName,SubscriptionId
Okan Aslaner,User,Contributor,*,WIN000950,Microsoft.Compute/virtualMachines,Test-rg, f0675ec9-480d-4c2a-982a-ed97983af390
Hi Baki,
Is there any way we can assign permissions per service? Example, if i want to assign a role for a specific user to have access only to either DataBricks/ADLSV2 like that.
Dear Venkat, you may create custom role with permissions defined in 'Microsoft.Databricks' section of document https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations.
Then assign that role to user.
Hi Swapnil,
Thank you for the reply.
Sure i will try to create a custom role using the link provided by you.
But i'm looking for some help in creating a powershell script to make this role assignment in an automated way via Azure DevOps.
If any one can help me in creating a script or a sample script where we can use these things will really help me.
Thanks & Regards,
Venkat.
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'custom access role'
$role.Description = 'custom role.'
$role.IsCustom = $true
$perms = 'Microsoft.Network/networkInterfaces/read','Microsoft.Compute/virtualMachines/read'
$role.Actions = $perms
$subs = '/subscriptions/hjhjhjhjhjhjhjhjh'
$role.AssignableScopes = $subs
New-AzRoleDefinition -Role $role
here is an example for creating custom role
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()$role.Name = ‘custom access role’$role.Description = ‘custom role.’$role.IsCustom = $true$perms = ‘Microsoft.Network/networkInterfaces/read’,’Microsoft.Compute/virtualMachines/read’$role.Actions = $perms$subs = ‘/subscriptions/hjhjhjhjhjhjhjhjh’$role.AssignableScopes = $subsNew-AzRoleDefinition -Role $role
How to identify custom RBACs roles any example script