Azure has many different predefined access roles that allow administrators to manage Azure services flexibly in terms of security and segregation of duties. In this post, I'll walk you through how to manage Azure role-based access control (RBAC) using PowerShell.

Managing role definitions ^

Almost every day we hear of new developments and features coming to Azure. With this, it is getting more important to maintain services in an isolated and secure manner. Azure offers a very wide range of services that several different teams within a company consume, so it is critical to separate roles and permissions and assign the correct permissions to the correct teams, so that each team can only access the resources it is responsible for.

Each role in Azure consists of a number of role actions that are like permission sets. You can customize these permission sets if you need to create any custom roles. In such cases, you can pick up required actions and place them in a custom role definition that you can then assign to a specific user, group, or application.

First, let's take a look at all available roles in Azure. Roles in Azure are called "role definitions." You can list them with this command:

Get-AzureRmRoleDefinition | ft name

Role definitions represent Azure roles

There are currently 62 roles available in Azure, but Microsoft will no doubt add new roles as they roll out new services in the future.

Each role consists of several actions, which basically represent the permission sets over certain services. For example, the Network Contributor role contains several actions like Microsoft.Network/*. This one entails every possible action in the Microsoft.Network resource provider. So if we grant a user the Network Contributor role, the user will be able to perform any action on the network resources within the assigned scope.

So to see all actions available in a specific Azure role, we should execute the following:

(Get-AzureRmRoleDefinition "Network Contributor").actions

The actions in a role definition are permission sets used to grant access to objects

As seen above, the Network Contributor role has seven actions defined in it. Let's look at another example for the Virtual Machine Contributor role and see what actions it contains.

(Get-AzureRmRoleDefinition "Virtual Machine Contributor").actions
Virtual Machine Contributor role actions

The Virtual Machine Contributor role has a number of actions available. You may have noticed that both the Network Contributor and Virtual Machine Contributor roles have some common actions defined in their action lists. That's because virtual machine administrators may need to manage network-related resources such as network interface cards, load balancers, and so on, which might be associated with a certain virtual machine.
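The overlap between two roles is easiest to see by asking whether each role grants a given operation. The following is an added example, not code from the original post; it assumes an authenticated AzureRM session, a function name chosen here (Test-AzureRmRoleGrantsOperation), and that Azure's '*' wildcard in action strings can be evaluated with PowerShell's -like operator.

```powershell
# Added example, not code from the original post. Tests whether a role definition grants one
# specific operation, honouring the '*' wildcards Azure allows in Actions and NotActions.
# Assumptions: an authenticated AzureRM session (Login-AzureRmAccount) and that Azure's wildcard
# semantics match PowerShell's -like for these strings. The function name is chosen here.
function Test-AzureRmRoleGrantsOperation {
    param(
        [Parameter(Mandatory)] [string]$RoleName,
        [Parameter(Mandatory)] [string]$Operation   # e.g. Microsoft.Compute/virtualMachines/delete
    )
    $role = Get-AzureRmRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role definition '$RoleName' not found" }

    # An entry such as Microsoft.Network/* covers every operation in that resource provider
    $allowed = @($role.Actions    | Where-Object { $Operation -like $_ })
    $denied  = @($role.NotActions | Where-Object { $Operation -like $_ })

    [pscustomobject]@{
        Role       = $role.Name
        Operation  = $Operation
        MatchedBy  = ($allowed -join ';')
        ExcludedBy = ($denied  -join ';')
        # Effective permission = matched by an Actions entry and not excluded by a NotActions entry
        Granted    = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
    }
}

# Compare the two roles discussed above over a few operations to see where they overlap
$operations = 'Microsoft.Network/networkInterfaces/write',
              'Microsoft.Network/virtualNetworks/write',
              'Microsoft.Compute/virtualMachines/delete'
$operations | ForEach-Object {
    $op = $_
    'Network Contributor', 'Virtual Machine Contributor' |
        ForEach-Object { Test-AzureRmRoleGrantsOperation -RoleName $_ -Operation $op }
} | Format-Table Role, Operation, Granted, MatchedBy, ExcludedBy -AutoSize
```

The ExcludedBy column matters for roles such as Contributor, whose Actions list is just "*" and whose real boundary is defined by NotActions.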

Managing role assignments ^

It is also important for admins to check who has access to resources such as a subscription or a resource group. To view the current permissions on all resources to which a user has access, use the following line:

Get-AzureRmRoleAssignment -SignInName "username@domain.com"

To also include the permissions a user inherits through group membership on all resources, add the -ExpandPrincipalGroups switch:

Get-AzureRmRoleAssignment -SignInName "username@domain.com" -ExpandPrincipalGroups
A user's permissions on a resource inherited from a group

ObjectType simply shows whether the object is a user, group, or application.

If we want to list permissions on a specific resource, we can narrow down the result by specifying the scope using this command:

Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | select displayname
All objects that have permissions over a specific subscription

This command lists all objects (users, groups, and applications) that have permissions on a specific resource, in this case a subscription.

Managing custom roles ^

Besides listing roles and permissions in Azure, it is also very important for admins to be able to grant users or groups the necessary roles on certain resources. To be able to assign a role to a group, first we need to get the group's ObjectID using the command below:

Get-AzureRmADGroup -SearchString "Sales (Sample Group)"
Getting a group's ObjectID

We can now assign a role to this group using the ObjectID of the group, the role definition required, and the scope. In this scenario we will assign the Virtual Machine Contributor role to the Sales group over the subscription with a subscription ID of f0675ec9-480d-4c2a-982a-ed97983af390.

New-AzureRmRoleAssignment -ObjectId "74b007ea-ab34-4209-981e-c538200fe251" -RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390"

Creating a custom role and assigning it to a group

Of course, we can grant users and applications specific permissions in exactly the same way we used above.

To remove a role from a specific user, group, or application:

Remove-AzureRmRoleAssignment -ObjectId "74b007ea-ab34-4209-981e-c538200fe251" -RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390"
Removing a custom role

As you can see, there are hundreds of different scenarios when it comes to managing roles and permissions in Azure.
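One of those scenarios is the custom role definition mentioned earlier: cloning a built-in role and narrowing it, then telling custom roles apart from built-in ones. The following is an added example, not code from the original post; it assumes an authenticated AzureRM session and uses a placeholder subscription ID.

```powershell
# Added example, not code from the original post. Clones a built-in role into a custom role that
# keeps the original Actions but excludes every delete operation via NotActions, then lists the
# custom roles in the subscription. Assumptions: an authenticated AzureRM session; the
# subscription ID below is a placeholder to replace with your own.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$source = Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor'

$custom = New-Object Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition
$custom.Name        = 'Virtual Machine Contributor (no delete)'
$custom.Description = 'Built-in Virtual Machine Contributor with delete operations excluded'
$custom.IsCustom    = $true
$custom.Actions     = $source.Actions
# NotActions are subtracted from Actions; '*/delete' matches the delete operation of every
# resource type the Actions list covers, so nothing has to be enumerated by hand.
# The Where-Object drops a null entry in case the source role has no NotActions at all.
$custom.NotActions  = [string[]]@(@($source.NotActions) + '*/delete' | Where-Object { $_ })
# A custom role must name at least one scope it may be assigned at
$custom.AssignableScopes = @("/subscriptions/$subscriptionId")

New-AzureRmRoleDefinition -Role $custom

# Custom roles can be told apart from built-in ones with the -Custom switch (or the IsCustom property)
Get-AzureRmRoleDefinition -Custom |
    Select-Object Name, Id, @{ n = 'NotActions'; e = { $_.NotActions -join ';' } }, AssignableScopes |
    Format-List
```

Because NotActions only subtract from what Actions already grant, the cloned role can never end up broader than the built-in one it was copied from.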

Creating a role-based access control report ^

Lastly, let's create a report in detail showing all the permissions assigned to users, groups, and applications throughout a subscription.


$result=@()
# CSV header; the actions of each role are appended as the last column
$result+="displayname,objecttype,roledefinitionname,actions"

Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | foreach{

$displayname=$_.DisplayName
$objecttype=$_.ObjectType
$roledefinitionname=$_.RoleDefinitionName
# Look up the role definition to expand each assignment into the individual actions it grants
$actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
# Inside a double-quoted string an array is joined with spaces, so the actions appear space-separated
$result+="$displayname,$objecttype,$roledefinitionname,$actions"
}
$result | out-file c:\filename.csv
Reporting Azure roles assigned to the objects
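The same report can be extended to cover every subscription the account can see and to record the scope each assignment was made at, which is what a security review usually needs. The following is an added example, not code from the original post; it assumes an authenticated AzureRM session, and the function name and output path are chosen here.

```powershell
# Added example, not code from the original post. Builds the assignment report for every
# subscription the signed-in account can see, records the scope each assignment was made at
# (subscription, resource group or top-level resource) and writes a proper CSV with Export-Csv.
# Assumptions: an authenticated AzureRM session; function name and output path are chosen here.
function Get-AzureRmRoleAssignmentReport {
    param([string]$OutFile = "$env:TEMP\rbac-report.csv")

    $definitions = @{}   # cache role definitions so each one is fetched once per subscription
    $rows = foreach ($sub in Get-AzureRmSubscription) {
        # Without -Scope the cmdlet returns every assignment in the current subscription context,
        # at every scope level, so switch context per subscription
        Set-AzureRmContext -SubscriptionId $sub.Id | Out-Null   # .SubscriptionId on older AzureRM.Profile
        $definitions.Clear()
        Get-AzureRmRoleAssignment | ForEach-Object {
            $rg = $null; $resourceType = $null; $resourceName = $null
            # Scope: /subscriptions/<id>[/resourceGroups/<rg>[/providers/<ns>/<type>/<name>]]
            if ($_.Scope -match '/resourceGroups/([^/]+)') { $rg = $Matches[1] }
            if ($_.Scope -match '/providers/([^/]+/[^/]+)/([^/]+)$') {
                $resourceType = $Matches[1]; $resourceName = $Matches[2]
            }
            if (-not $definitions.ContainsKey($_.RoleDefinitionName)) {
                $definitions[$_.RoleDefinitionName] = Get-AzureRmRoleDefinition -Name $_.RoleDefinitionName
            }
            $def = $definitions[$_.RoleDefinitionName]
            [pscustomobject]@{
                SubscriptionId     = $sub.Id
                ResourceGroupName  = $rg
                ResourceType       = $resourceType
                ResourceName       = $resourceName
                Scope              = $_.Scope
                DisplayName        = $_.DisplayName
                SignInName         = $_.SignInName
                ObjectType         = $_.ObjectType
                RoleDefinitionName = $_.RoleDefinitionName
                IsCustomRole       = $def.IsCustom
                Actions            = ($def.Actions    -join ';')   # ';' keeps the CSV columns intact
                NotActions         = ($def.NotActions -join ';')
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

$report = Get-AzureRmRoleAssignmentReport
# Triage view for a review: Owner/Contributor granted at subscription scope rather than narrower
$report | Where-Object { -not $_.ResourceGroupName -and $_.RoleDefinitionName -in 'Owner', 'Contributor' } |
    Format-Table SubscriptionId, DisplayName, ObjectType, RoleDefinitionName -AutoSize
```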

In this article, we've had a look at Azure roles and how we can easily manage role assignment tasks for Azure resources.

16 Comments
  1. Hi Baki,
    Your script is fantastic. I need an extra column detailing the group name each user belongs to.
    Thanks,
    K. Hasan

  2. Ramesh Thangaraj 3 years ago

    Thanks for your script. How do I list all the RBAC assignments for all the subscriptions, as I am an admin for the enterprise Azure tenant? Can you please advise?

  3. Naveen 3 years ago

    Hi,

    How can we automate user access provisioning on resources using a service account? We are working on it but are not able to figure it out.

    Thanks in advance.

    Naveen Daka

  4. I want to copy the Contributor role and create a custom role with all permissions of the Contributor role except the delete operation.

    When I try (get-azurermroledefinition "Contributor").actions, it does not display any output. However, it works for other roles. Is there a syntax error?

    And what's the command to copy a role?

  5. Author

    Hi Hasan,

    The following code would allow you to add group membership information if the object type is "user".

    $result=@()
    $result+="displayname,objecttype,roledefinitionname,actions,groups"

    Get-AzureRmRoleAssignment -scope "/subscriptions/SUBSCRIPTIONID" | foreach{

    $displayname=$_.DisplayName
    $objecttype=$_.ObjectType
    # reset per assignment so one user's group list is not carried over to the next row
    $groups=""
    if($objecttype -eq "user"){
    $objectid=$_.objectid
    # Get-AzureADUserMembership comes from the AzureAD module (Connect-AzureAD), not AzureRM;
    # its ObjectId is a string, so it is joined directly instead of reading a .guid property
    $groups=(Get-AzureADUserMembership -ObjectId $objectid).ObjectId -join ";"
    }
    $roledefinitionname=$_.RoleDefinitionName
    $actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
    $result+="$displayname,$objecttype,$roledefinitionname,$actions,$groups"
    }
    $result | out-file c:\filename.csv
  6. Author

    Hi Ramesh,

    This is what you are looking for:

    $result=@()
    $result+="displayname,objecttype,roledefinitionname,actions"

    $subscriptions=(get-azurermsubscription).SubscriptionId

    foreach($subscriptionid in $subscriptions){

    Get-AzureRmRoleAssignment -scope "/subscriptions/$subscriptionid" | foreach{

    $displayname=$_.DisplayName
    $objecttype=$_.ObjectType
    $roledefinitionname=$_.RoleDefinitionName
    $actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
    $result+="$displayname,$objecttype,$roledefinitionname,$actions"
    }

    }

    $result | out-file c:\filename.csv

  7. Author

    Hi Naveen,

    Can you please elaborate what you need to achieve?

    thx

    Onur


  8. Author

    Hi RamaKrishna,

    That's because the Contributor role has all actions BUT the actions listed in the property named "NotActions".

    So, think of it as having all the actions except the ones listed in "NotActions":

    (get-azurermroledefinition "Contributor") | select -ExpandProperty actions
    (get-azurermroledefinition "Contributor") | select -ExpandProperty notactions

    thx

    Onur


  9. Hello Onur,

    Thanks for the script to list all RBAC assignments within a subscription; it works well. How can I add the resource group as well to the report?

    $result=@()
    $result+="displayname,objecttype,roledefinitionname,actions"
    
    Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | foreach{
    
    $displayname=$_.DisplayName
    $objecttype=$_.ObjectType
    $roledefinitionname=$_.RoleDefinitionName
    $actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
    $result+="$displayname,$objecttype,$roledefinitionname,$actions"
    }
    $result | out-file c:\filename.csv

  10. Okan Aslaner 2 years ago

    Is there a way to list the display name, the resources to which they have access, and what level of access? This would help with a security audit of who has access to which resource and in what role. For example:

    DisplayName,ObjectType,RoleDefinitionName,Actions,ResourceName,ResourceType,ResourceGroupName,SubscriptionId

    Okan Aslaner,User,Contributor,*,WIN000950,Microsoft.Compute/virtualMachines,Test-rg, f0675ec9-480d-4c2a-982a-ed97983af390


  11. venkat 2 years ago

    Hi Baki,

    Is there any way we can assign permissions per service? For example, if I want to assign a role for a specific user to have access only to either DataBricks or ADLSV2.

  12. venkat 2 years ago

    Hi Swapnil,

    Thank you for the reply.

    Sure, I will try to create a custom role using the link provided by you.

    But I'm looking for some help in creating a PowerShell script to make this role assignment in an automated way via Azure DevOps.

    If anyone can help me create a script, or a sample script where we can use these things, it will really help me.

    Thanks & Regards,

    Venkat.


  13. $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'custom access role'
    $role.Description = 'custom role.'
    $role.IsCustom = $true
    $perms = 'Microsoft.Network/networkInterfaces/read','Microsoft.Compute/virtualMachines/read'
    $role.Actions = $perms
    $subs = '/subscriptions/hjhjhjhjhjhjhjhjh'
    $role.AssignableScopes = $subs
    New-AzRoleDefinition -Role $role


  14. Here is an example for creating a custom role:

    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'custom access role'
    $role.Description = 'custom role.'
    $role.IsCustom = $true
    $perms = 'Microsoft.Network/networkInterfaces/read','Microsoft.Compute/virtualMachines/read'
    $role.Actions = $perms
    $subs = '/subscriptions/hjhjhjhjhjhjhjhjh'
    $role.AssignableScopes = $subs
    New-AzRoleDefinition -Role $role

  15. sudhakar 1 year ago

    How do I identify custom RBAC roles? Any example script?

© 4sysops 2006 - 2021
